Socket has flagged a malicious NuGet package, Sicoob.Sdk (versions 2.0.0-2.0.4), that masquerades as a C# SDK for Sicoob, one of Brazil's largest cooperative financial systems, and steals PFX certificates used to authenticate businesses with Sicoob's banking APIs. When a developer instantiates SicoobClient, the package reads the PFX file from disk, Base64-encodes it, and exfiltrates the client ID, PFX password, and encoded certificate to a hardcoded third-party Sentry endpoint. It also captures raw Boleto API responses. The package was downloaded ~500 times and the publisher has 11 other NuGet packages with ~6,000 combined downloads. Google Search AI Mode reportedly amplified the package as legitimate.
OX Security has flagged a malicious npm package, mouse5212-super-formatter (campaign codenamed Malware-Slop), designed to exfiltrate files from /mnt/user-data - the directory Anthropic's Claude uses to handle uploads and outputs. The package presents itself as an 'archive deployment sync' utility but, during the postinstall stage, authenticates to GitHub using a token found in the victim's environment (or a hard-coded fallback), creates an attacker-controlled repository, and recursively uploads every local file. It writes a fake 'network connections' log to disguise the theft. The package leaked its own GitHub token, suggesting AI-generated malware with poor OPSEC. It has ~676 downloads and remains live on npm.
Socket has detailed TrapDoor, a coordinated cross-ecosystem supply-chain campaign that has published 34+ malicious packages across 384+ versions on npm, PyPI, and Crates.io since May 22. Targets are crypto, DeFi, Solana, and AI developers. The npm packages deploy trap-core.js, which scans for credentials, validates AWS and GitHub tokens via API, and persists via cron, systemd, Git hooks, shell rcfiles, and SSH; Rust crates use build.rs to trigger; Python packages auto-execute on import to fetch JavaScript from ddjidd564.github[.]io. Notable twist: the campaign also plants .cursorrules and CLAUDE.md in PRs to popular AI repos to trick AI coding assistants into running 'security scans' that exfiltrate secrets.
GitHub has shipped npm CLI 11.15.0 introducing a 'staging' workflow that lets maintainers run 'npm stage publish' to push a candidate to a staging area before going live - with the constraint that the package must already exist on the registry and have 2FA enabled on the account. Three new install flags (--allow-file, --allow-remote, --allow-directory) extend the existing --allow-git to give developers an explicit allowlist for every non-registry install source. GitHub is also encouraging maintainers to pair staging with trusted publishing via OIDC. The changes respond to the TeamPCP supply-chain wave that compromised hundreds of packages over the past several weeks.
SafeDep has detailed Megalodon, a GitHub Actions attack that scans 5,561 repositories for usable CI/CD secrets and credentials by submitting malicious pull requests that contain crafted workflow files. The campaign appears unrelated to the recent TeamPCP supply-chain wave. Separately, a throwaway npm account 'polymarketdev' published nine packages within 30 seconds (polymarket-trading-cli, polymarket-terminal, polymarket-trade, polymarket-auto-trade, polymarket-copy-trading, polymarket-bot, polymarket-claude-code, polymarket-ai-agent, polymarket-trader) that, on postinstall, present a fake wallet onboarding prompt and exfiltrate Ethereum and Polygon private keys to a Cloudflare Worker at polymarketbot.polymarketdev.workers[.]dev. The malicious packages remain live on npm at time of publication.
Between 01:56 and 02:56 UTC on May 19, a Shai-Hulud-flavored attack published 639 malicious versions across 323 npm packages, mostly in the @antv chart and graph namespace, after compromising the maintainer account 'atool.' Affected libraries include @antv/g2, @antv/g6, echarts-for-react, timeago.js, and jest-canvas-mock (still 10M monthly downloads despite three years dormant). A linked attack hijacked 15 tags of the 'actions-cool' GitHub Action and replaced them with a credential stealer that reads runner memory and exfils to t.m-kosche[.]com - the same domain as the @antv campaign. Socket and Aikido say there are now 2,900+ GitHub repos generated by this wave.
Grafana Labs has confirmed that its previously disclosed GitHub breach started with the TanStack npm supply-chain attack run by TeamPCP, the same one that hit OpenAI and Mistral AI. Grafana detected the activity on May 11, rotated a significant number of GitHub workflow tokens, but one token slipped through and the attacker used it to pull Grafana's codebase. The downstream extortion attempt under the CoinbaseCartel banner came on May 16 and Grafana refused to pay, citing FBI guidance. The incident chains TeamPCP's TanStack OIDC-token theft into a directly observable secondary breach at a major observability vendor.
After TeamPCP dumped the Shai-Hulud worm's source code on GitHub last week with the note 'Here We Go Again - Let the Carnage Continue,' a new actor under the npm name deadcode09284814 has published four malicious packages typosquatting Axios and friends. One package, chalk-tempalte, contains an almost-unmodified copy of the leaked worm, exfiltrating GitHub tokens, cloud configs, and crypto wallet data to a remote C2 and creating a public GitHub repo titled 'A Mini Sha1-Hulud has Appeared.' Another package, axois-utils, adds a Go-based DDoS bot called Phantom Bot that floods HTTP, TCP, and UDP. OXsecurity, which discovered the campaign, counted about 2,678 combined downloads.
Socket and StepSecurity confirmed three malicious node-ipc releases (9.1.6, 9.2.3, 12.0.1, with 12.0.1 tagged as 'latest') uploaded to npm on May 14, 2026 by co-maintainer account 'atiertant.' Each version carries a byte-identical 80KB obfuscated payload appended as an IIFE to node-ipc.cjs, so it fires on every require('node-ipc') without using install scripts. The malware fingerprints the host, sweeps for 100+ credential and config targets, archives them, and exfiltrates via DNS rather than HTTP. Permiso's Ian Ahl traced the likely attack chain: the maintainer's recovery domain atlantis-software[.]net expired in Jan 2025, was re-registered by an attacker on May 7, 2026, then used to reset the npm password.
Two days after the Mini Shai-Hulud worm tore through TanStack and Mistral AI packages, the named-victim count grew sharply. OpenAI confirmed that two employee devices were compromised through the TanStack supply-chain chain and that a limited subset of internal source code repositories had credential material exfiltrated; the company is rotating its macOS code-signing certificates and tells Mac users they must update ChatGPT Desktop, Codex, and Atlas apps by June 12, 2026, or the apps will stop launching. TeamPCP separately listed 450 Mistral AI private repositories on a criminal forum for 25,000 dollars. Mistral confirmed a codebase management system was temporarily compromised on May 12 but says hosted services and user data were not impacted.