Campaigns
Named operations tying packages, indicators, and techniques together.
Five npm packages (iceberg-javascript, supabase-javascript, auth-javascript, microsoft-applicationinsights-common, ms-graph-types) that abuse Claude Code hooks to backdoor AI coding sessions.
A Telegram account-takeover operation by npm publisher shetty123 ([email protected]). Pairs a malicious client (common-tg-service) with the operator's server-side runtime (ams-ssk) deployed at cms.paidgirl.site. Targets Indian Telegram accounts for downstream UPI payments fraud.
Three compromised versions of the Microsoft durabletask Python SDK (1.4.1, 1.4.2, 1.4.3) were published to PyPI, each downloading a stage-2 payload that steals credentials from AWS, Azure, GCP, Kubernetes, HashiCorp Vault, and password managers, then propagates to other hosts via SSM and kubectl exec.
npm packages using Polymarket and DeFi trading lures to steal cryptocurrency wallet private keys and drain victim funds.
npm packages from a single operator delivering Windows RATs and browser cookie/credential stealers. Every variant exfiltrates to [email protected], linking the packages to one actor.
Multi-wave npm supply chain campaign deploying a cross-platform RAT disguised as Autodesk Forge SDK packages. Uses shared C2 infrastructure at 204.10.194.247 across waves. Wave 1 (forge-jsx, April 2026) provided base RAT capabilities. Wave 2 (forge-jsxy, May 2026) added Discord screenshot exfiltration, Hugging Face uploads, crypto wallet scanning, Chromium extension harvesting, WebRTC P2P, and durable persistence outside node_modules.
npm packages published by a single operator that plant SSH backdoors and full remote access trojans on developer machines. All variants exfiltrate stolen data to the [email protected] mailbox, tying the packages to one actor.
Cluster of big.js and biginteger typosquats (sjs-biginteger, bjs-biginteger, cjs-biginteger and lint-builder variants) that implant SSH backdoors and steal developer keys.
Compromise of the @fairwords npm scope (websocket, loopback-connector-es, encryption) delivering a credential-harvesting worm.
36 npm packages impersonating Strapi plugins that gain remote code execution through Redis, steal databases, and maintain persistent command and control.
Umbrella supply chain campaign tracked by Wiz (Rami McCarthy) that compromises developer tooling, package registries, and CI/CD across npm, PyPI, Docker, VSCode, and Packagist. The initial wave abused Checkmarx-themed decoy domains (checkmarx.zone, audit.checkmarx.cx) and shared C2 (94.154.172.43) to trojanize litellm and, through a cascading KICS compromise, @bitwarden/cli. Attribution strings reuse Dune terminology, linking it to the Shai-Hulud worm family.
Self-replicating npm and PyPI supply chain worm that harvests developer, cloud, and registry credentials and propagates by publishing trojanized versions of every package the stolen tokens can reach. First seen September 2025 (@ctrl/tinycolor and peers, exposing private repositories and AWS credentials), it resurged as the larger 'Shai-Hulud 2.0' wave in November 2025 across @zapier, @asyncapi, posthog and @postman packages affecting 25,000+ repositories, and later reached PyPI through PyTorch Lightning. Named after the Dune sandworm; part of the broader TeamPCP activity.
September 2025 phishing compromise of npm maintainer 'qix' that hijacked 18 ultra-popular packages (chalk, debug, ansi-styles, strip-ansi and more, 1B+ weekly downloads) to inject a browser-based crypto wallet address swapper.
August 2025 compromise of the nx build system and @nx/js that stole credentials, SSH keys and wallet data from Linux and macOS developers and published the loot to attacker-created GitHub repositories.
PyPI typosquats of the Bittensor SDK (bitensor, bittenso, bittenso-cli, qbittensor) that backdoor crypto and AI developers, steal wallet credentials and use DNS tunneling as a fallback exfiltration channel.
July 2025 maintainer-phishing compromise that pushed malware through eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core and napi-postinstall, packages with tens of millions of weekly downloads.
Dependency-confusion packages that mimic the private/internal package names of specific enterprises (Hyatt, Schedaero, Coca-Cola, Genoma and others) and beacon host and environment data to attacker-controlled collectors such as Burp Collaborator, requestcatcher and disposable inboxes.
Catch-all for isolated malicious packages that are not attributable to a tracked campaign.
