npm

npm-global-util

npm-global-util is identified in the SafeDep analysis "npm-global-util: Credential Theft and Supply Chain Attack". npm-global-util is a malicious npm package by maintainer raya4321 that exfiltrates credentials and system recon data via a preinstall hook. Part of a 16-package campaign targeting Apple developer CI/CD environments, with a second-stage that attempts to poison apple-app-store-server-library.

discovered 2026-04-29

Threat types

credential_stealerdata_exfiltrationratpersistence

Malicious versions

1.0.0

Campaigns

No Specific Campaignattributed-to

Indicators

domainwebhook.sitecommunicates-with
domainfranki.requestcatcher.comcommunicates-with
ipv4169.254.169.254communicates-with
email[email protected]exfiltrates-to

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1552.001 Unsecured Credentials: Credentials In Filesuses
ttpT1041 Exfiltration Over C2 Channeluses
ttpT1105 Ingress Tool Transferuses
ttpT1071.001 Application Layer Protocol: Web Protocolsuses
ttpT1102 Web Serviceuses
ttpT1546 Event Triggered Executionuses

Read the full analysis →