Last updated: July 5, 2026 at 9:01 AM UTC
Tag: npm (30 articles)

North Korea spreads 108 poisoned packages across npm, Go, and browser extensions

Socket detailed PolinRider, an active North Korean supply-chain campaign that has planted 108 malicious packages and a browser extension across the npm, Go, and Packagist ecosystems, expanding the developer-targeting activity behind this week's Rollup npm packages. Operators take over legitimate GitHub maintainer accounts, often via expired-domain or account-recovery abuse, then bulk-modify repositories and publish infected versions. To stay hidden, they rewrite Git history so malicious commits look old, pad one-line loaders with whitespace to push them off screen, and disguise payloads as font files. Some trigger automatically through VS Code task settings when a developer simply opens the project folder in an editor like VS Code or Cursor.

Check
Check whether your projects pulled any flagged PolinRider packages, and review repositories for rewritten Git history, whitespace-hidden code in config files, and VS Code tasks that run on folder open.
Affected
Developers across npm, Go, and Packagist who install from compromised maintainer accounts, especially anyone opening untrusted repositories in VS Code or Cursor; the loaders deliver stealers and remote-access malware.
Fix
Pin and verify dependencies, review repository activity logs and release metadata rather than trusting the file view, disable task auto-run on folder open, and rotate credentials if you installed an affected version.
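The two repository checks named above (tasks that run on folder open, and code hidden behind whitespace), as an added example that is not from Socket's report or any project mentioned here. It assumes VS Code's documented `runOptions.runOn: "folderOpen"` task setting; the function names, the 80-character threshold and both sample inputs are illustrative and constructed.

```javascript
// Added example; SAMPLE_* inputs are constructed, not from a real repository.
// Best-effort JSONC cleanup: drop // and /* */ comments and trailing commas.
function stripJsonc(text) {
  let out = '', inStr = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i], n = text[i + 1];
    if (inStr) {
      out += c;
      if (c === '\\') out += text[++i] ?? '';
      else if (c === '"') inStr = false;
    } else if (c === '"') { inStr = true; out += c; }
    else if (c === '/' && n === '/') {
      while (i < text.length && text[i] !== '\n') i++;
      out += '\n';
    } else if (c === '/' && n === '*') {
      i = text.indexOf('*/', i + 2);
      if (i < 0) break;
      i++;
    } else out += c;
  }
  return out.replace(/,(\s*[}\]])/g, '$1');
}

// Tasks whose runOptions.runOn is "folderOpen", i.e. started when the folder is opened.
function autoRunTasks(tasksJsonText) {
  const doc = JSON.parse(stripJsonc(tasksJsonText));
  return (doc.tasks || [])
    .filter(t => t.runOptions && t.runOptions.runOn === 'folderOpen')
    .map(t => ({ label: t.label || '(unlabelled)', command: t.command || '' }));
}

// 1-based numbers of lines where visible text follows >= minRun spaces or tabs.
function whitespaceHiddenLines(text, minRun = 80) {
  const re = new RegExp(`[ \\t]{${minRun},}\\S`);
  return text.split(/\r?\n/).flatMap((line, i) => (re.test(line) ? [i + 1] : []));
}

const SAMPLE_TASKS = `{
  // constructed sample
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    { "label": "prepare", "type": "shell", "command": "node ./placeholder.js",
      "runOptions": { "runOn": "folderOpen" }, },
  ]
}`;
const SAMPLE_CONFIG = 'module.exports = {};' + ' '.repeat(200) + 'require("./placeholder");\nconst ok = 1;\n';

console.log(autoRunTasks(SAMPLE_TASKS), whitespaceHiddenLines(SAMPLE_CONFIG));
```

Run it over file contents read as text rather than through an editor view, since the padding is meant to defeat visual review.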

North Korea hides malware in fake Rollup npm packages to steal developer secrets

JFrog found a new set of malicious npm packages, linked to North Korea, that impersonate legitimate Rollup polyfill tooling closely enough to pass a quick dependency review, down to matching names and metadata. Installing them pulls in hidden second-stage packages disguised as SVG utilities, which fetch and run a JavaScript payload while checking that they are not in a sandbox or cloud build. The malware hunts for developer secrets, and notably targets the configuration and history of AI coding tools like Cursor alongside AWS, Azure, SSH, and npm credentials. Because build plugins run on developer machines and in CI, a single poisoned dependency can expose source code, tokens, and cloud keys.

Check
Check whether any projects or build pipelines pulled the flagged Rollup-lookalike npm packages, and review developer machines and CI for exposed npm tokens, cloud keys, SSH keys, and AI coding tool configurations.
Affected
Developers and CI pipelines that installed the lookalike Rollup polyfill packages; the malware steals npm tokens, cloud and SSH credentials, source code, and secrets from AI coding tool configurations on the machine.
Fix
Pin and verify dependencies and scrutinize lookalike package names before installing, keep secrets out of developer and CI environments where possible, rotate any exposed credentials, and monitor for suspicious install-time network activity.

Self-spreading Shai-Hulud worm hits more npm packages and reaches into Go

Socket reports a new wave of the self-spreading Shai-Hulud supply-chain worm, in its Miasma and Hades variants, that compromised more npm packages and, for the first time, reached the Go ecosystem. On June 24 attackers used a hijacked maintainer account to push trojanized versions of LeoPlatform and RStreams npm packages, tied to cloud and serverless workloads, and also poisoned a Go module from the Verana blockchain project. The malware harvests developer and CI/CD credentials, abuses GitHub Actions, and polls GitHub hourly for a marker commit to pull down its Hades payload. Researchers note the campaign keeps shifting ecosystems and indicators to stay ahead of detection rather than changing its core behavior.

Check
Check whether your projects or pipelines pulled affected LeoPlatform, RStreams, or related npm packages or the compromised Verana Go module, and review developer and CI/CD systems for credential theft.
Affected
Developers and CI/CD pipelines that installed the compromised npm packages or Go module; the worm steals cloud, registry, and GitHub credentials, then uses them to spread to more packages and repositories.
Fix
Remove affected versions, rotate developer, cloud, and CI/CD credentials, pin and verify dependencies, restrict install-time and build-time execution, and monitor for unexpected GitHub Actions activity and new exfiltration repositories.

Malicious npm packages mimic PostCSS tools to plant Windows remote-access trojan

JFrog found malicious npm packages that impersonate PostCSS build tools to drop a multi-stage Windows remote-access trojan on developer machines. One package, postcss-minify-selector-parser, is named to look like the widely used postcss-selector-parser library, which sees over 127 million weekly downloads, and even lists the real package as a dependency to seem plausible during a quick review. Once installed, it writes and runs a PowerShell script that pulls down the trojan. A second cluster of five packages delivers a dropper during npm install, with one server-side component that only serves the payload to victims matching a specific signature. Affected developers should remove the packages and rotate credentials.

Check
Check developer machines and build systems for the named malicious npm packages and any unexpected PowerShell activity or dropped executables that started during a recent npm install.
Affected
Developers who installed the lookalike PostCSS packages or the related five-package cluster; the payload is a Windows remote-access trojan that runs at install time on developer and build machines.
Fix
Remove the malicious packages and their artifacts, rotate credentials from affected machines, pin and verify dependencies, block install-time scripts in CI, and watch for typosquatted names close to popular libraries.

144 Mastra AI-framework npm packages backdoored via hijacked account

Attackers hijacked the npm account of a former contributor to Mastra, a popular open-source framework for building AI applications, and in an 88-minute automated burst republished 144 packages under the @mastra scope with a hidden malicious dependency. The poisoned dependency, a fake clone of a date library, runs at install time: it disables TLS checks, downloads a second-stage cryptocurrency-stealing trojan, runs it as a detached process, and deletes itself. Because @mastra/core alone sees over 900,000 weekly downloads and the payload fires on install, anyone who installed an affected version since June 16 could be compromised before importing anything. npm has pulled the malicious versions.

Check
Check whether any developer machine, CI runner, or build system installed an @mastra package on or after June 16, and scan for the malicious easy-day-js dependency and install-time persistence artifacts.
Affected
Developers and pipelines that installed any @mastra package (including @mastra/core) on or after June 16, 2026; the malicious easy-day-js dependency ran code automatically at install time.
Fix
Roll affected packages back to pre-incident versions, treat affected hosts as compromised, rotate all credentials, tokens, and AI keys, move any crypto wallet funds from a clean device, and require signed-package installs.

North Korean hackers poison npm packages to hit developers and steal crypto

The North Korean campaign known as Contagious Interview is still expanding its assault on software developers, now leaning on poisoned developer tools and fake job offers. Researchers at Proofpoint and Expel describe obfuscated malicious npm packages, published from throwaway accounts, that install the OtterCookie infostealer through a post-install script, alongside recruitment and code-review phishing lures. The group is using generative AI to build its malware loaders and to set up fake companies and LinkedIn profiles for social engineering. Expel says the operation stole $12 million in cryptocurrency in the first three months of 2026, draining more than 26,000 wallets from over 2,700 infected developer machines.

Check
Audit developer machines and CI pipelines for recently installed npm packages with post-install scripts from unfamiliar publishers, and review whether staff engaged with unsolicited recruiters or take-home coding tests.
Affected
Software developers, especially in cryptocurrency, Web3, and blockchain, targeted through malicious npm packages and fake job interviews; their machines, wallets, and source code are the goal.
Fix
Vet dependencies before installing, block install-time scripts in CI, isolate untrusted coding tests in disposable sandboxes, and train developers to treat unsolicited recruiter outreach and test assignments as suspect.

Miasma worm hits 73 Microsoft GitHub repos, targets AI coding tools

The self-spreading Miasma worm, a variant of the Shai-Hulud malware linked to the group TeamPCP, has reached Microsoft's own code. Using a stolen access token, attackers pushed a malicious commit into the Azure durabletask repository, and GitHub disabled 73 repositories across four Microsoft organizations including Azure and MicrosoftDocs. The twist: the planted code runs automatically when a developer opens the project in an AI coding assistant like Claude Code, Cursor, Gemini CLI, or VS Code, then harvests cloud and developer credentials and uses them to infect more projects. It hides the trigger inside a build file (binding.gyp) that most security tools ignore.

Check
Search your GitHub orgs for commits, public repos, or build files matching Miasma naming patterns, and review AI coding agent configs (binding.gyp, agent rules) for unexpected auto-run payloads.
Affected
Organizations using npm, PyPI, or GitHub alongside AI coding assistants (Claude Code, Cursor, Gemini CLI, VS Code). Stolen maintainer tokens enable backdoored package and repo publishing.
Fix
Rotate GitHub, npm, and cloud credentials exposed to affected projects. Remove malicious commits and configs, enforce 2FA and short-lived tokens, and block install-time scripts in CI.

IronWorm Rust npm worm hits 36 packages, steals Anthropic/OpenAI/AWS credentials via eBPF rootkit and Tor; GitHub Actions used for exfil

JFrog has documented IronWorm, a new npm supply-chain worm that has infected 36 packages with an infostealer targeting 86 environment variables and 20 credential files - including OpenAI, AWS, Anthropic, and npm credentials, Vault configs, SSH keys, and Exodus wallet files. Written in Rust, it hides behind an eBPF kernel rootkit and communicates over Tor. It self-propagates using stolen npm Trusted Publishing secrets to trojanize the victim's own packages. JFrog found the same commit names as Shai-Hulud (commit author 'claude,' timestamps faked up to 13 years old) and suspects an evolution of TeamPCP's payload. Notably, it exfiltrates secrets by uploading them as innocuous-looking GitHub Actions build artifacts, avoiding external C2.

Check
Audit npm dependencies and CI for the 36 IronWorm-affected packages and preinstall scripts dropping Rust ELF binaries. Search build artifacts for disguised secret files. Rotate npm, AWS, OpenAI, Anthropic credentials.
Affected
Developers and CI systems that installed IronWorm-trojanized npm packages. It steals OpenAI/AWS/Anthropic/npm credentials, Vault configs, SSH keys, and wallets, then self-propagates via stolen Trusted Publishing secrets.
Fix
Remove affected packages, pin via lockfile, and rotate every credential reachable from affected hosts. Hunt for eBPF rootkit artifacts and Tor traffic. Review GitHub Actions build artifacts for exfiltrated secrets.

Red Hat @redhat-cloud-services npm namespace compromised with 'Miasma' Shai-Hulud variant - 30+ packages, 117K weekly downloads, steals dev and cloud secrets

More than 30 npm packages under Red Hat's @redhat-cloud-services namespace were backdoored in a supply-chain attack distributing a new Shai-Hulud variant dubbed 'Miasma.' Aikido and OX Security found dozens of package versions laced with malware that steals developer credentials, cloud secrets, SSH keys, and CI/CD tokens. Aikido says the compromised packages pull roughly 117,000 weekly downloads. Red Hat told BleepingComputer it removed the affected packages after becoming aware of the incident and that the compromise was limited to internal development tooling, with no impact on production products or services. The Miasma variant continues the self-propagating worm behavior that made the original Shai-Hulud campaign so disruptive.

Check
Inventory projects pulling @redhat-cloud-services npm packages. Check package-lock.json for backdoored versions since the compromise. Rotate developer, cloud, SSH, and CI/CD credentials reachable from build hosts.
Affected
30+ @redhat-cloud-services npm packages (~117K weekly downloads) backdoored with the Miasma Shai-Hulud variant. Red Hat says impact is limited to internal development tooling, not production products.
Fix
Remove affected package versions and pin to known-clean releases via lockfile. Rotate all secrets reachable from affected developer and CI hosts. Apply Aikido and OX Security IoCs.

codexui-android npm steals OpenAI Codex auth tokens for a month - non-expiring refresh_token exfiltrated to fake Sentry endpoint

Aikido Security has disclosed that codexui-android, an npm package advertised as a remote web UI for OpenAI Codex with over 29,000 weekly downloads, has been silently exfiltrating users' Codex authentication tokens for the past month. Unlike a typosquat, the malware was embedded into a functional, actively-developed package roughly a month after publication to build trust; the GitHub repo stayed clean. The code reads ~/.codex/auth.json and ships the access_token, refresh_token, id_token, and account ID to sentry.anyclaw[.]store, a server masquerading as Sentry. The non-expiring refresh_token lets an attacker silently impersonate the developer indefinitely with full Codex account access. The package remains available; the npm account is 'friuns.'

Check
Inventory developer machines for the codexui-android npm package. If present, treat ~/.codex/auth.json as compromised. Search egress for traffic to sentry.anyclaw[.]store.
Affected
Developers who installed codexui-android (29K weekly downloads, still live). Stolen non-expiring Codex refresh_tokens give attackers persistent, silent impersonation of the victim's OpenAI Codex account.
Fix
Remove codexui-android. Revoke and re-issue OpenAI Codex sessions; the refresh_token does not expire, so rotation is mandatory. Pin dependencies and audit AI-tooling packages before install.
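A lockfile audit covering the Check and Fix items in the PostCSS, Mastra, Red Hat and codexui-android entries above, as an added example that is not code from any of the cited vendors. It assumes a `package-lock.json` with lockfileVersion 2 or 3 (which has a `packages` map and the `hasInstallScript` field); the package names and scopes come from this page, while the sample lockfile and its versions are constructed placeholders.

```javascript
// Added example: audit a package-lock.json for names this page lists and for
// packages that declare install-time scripts. SAMPLE_LOCK is constructed.

// The page gives no affected-version lists, so a match means "review this
// install", not "confirmed malicious".
const WATCH_NAMES = ['easy-day-js', 'postcss-minify-selector-parser', 'codexui-android'];
const WATCH_SCOPES = ['@mastra/', '@redhat-cloud-services/'];

// "node_modules/a/node_modules/@s/b" -> "@s/b" (innermost package name).
function nameFromLockPath(p) {
  return p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

function auditLockfile(lockText) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) {
    throw new Error('no "packages" map (lockfileVersion 1); regenerate with npm 7+');
  }
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    // Skip the root project, workspace folders and symlinked workspace entries.
    if (!path.includes('node_modules/') || meta.link) continue;
    const name = nameFromLockPath(path);
    const reasons = [];
    if (WATCH_NAMES.includes(name)) reasons.push('named-in-report');
    if (WATCH_SCOPES.some(s => name.startsWith(s))) reasons.push('affected-scope');
    if (meta.hasInstallScript) reasons.push('install-script');
    if (reasons.length) findings.push({ name, version: meta.version, reasons });
  }
  return findings;
}

const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/plain-demo': { version: '1.0.0' },
    'node_modules/@mastra/core': { version: '0.0.0-placeholder' },
    'node_modules/@mastra/core/node_modules/easy-day-js':
      { version: '0.0.0-placeholder', hasInstallScript: true },
    'node_modules/native-demo': { version: '2.1.0', hasInstallScript: true },
  },
});

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

The `install-script` findings are also the list of packages that would stop running code at install time if CI installs with `npm ci --ignore-scripts`.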