Last updated: July 5, 2026 at 9:01 AM UTC
Tag: npm (30 articles)

Malicious 'Sicoob.Sdk' NuGet steals Brazilian banking PFX certificates via hardcoded Sentry endpoint - amplified by Google Search AI Mode

Socket has flagged a malicious NuGet package, Sicoob.Sdk (versions 2.0.0-2.0.4), that masquerades as a C# SDK for Sicoob, one of Brazil's largest cooperative financial systems, and steals PFX certificates used to authenticate businesses with Sicoob's banking APIs. When a developer instantiates SicoobClient, the package reads the PFX file from disk, Base64-encodes it, and exfiltrates the client ID, PFX password, and encoded certificate to a hardcoded third-party Sentry endpoint. It also captures raw Boleto API responses. The package was downloaded ~500 times and the publisher has 11 other NuGet packages with ~6,000 combined downloads. Google Search AI Mode reportedly amplified the package as legitimate.

Check
Inventory C# projects for Sicoob.Sdk versions 2.0.0-2.0.4 and the publisher's 11 other packages. Search outbound traffic to the attacker Sentry endpoint identified in Socket's IoCs.
Affected
C# developers integrating with Sicoob banking APIs in Brazil. Any project that pulled Sicoob.Sdk via NuGet had PFX certificates, client IDs, and Boleto data harvested.
Fix
Remove all 12 affected NuGet packages and rotate every Sicoob PFX certificate and client credential reachable from affected hosts. Going forward, verify that NuGet package signatures and contents match the expected GitHub source.

Malicious npm package 'mouse5212-super-formatter' steals files from Claude AI /mnt/user-data directory, exfiltrates to attacker GitHub via postinstall

OX Security has flagged a malicious npm package, mouse5212-super-formatter (campaign codenamed Malware-Slop), designed to exfiltrate files from /mnt/user-data - the directory Anthropic's Claude uses to handle uploads and outputs. The package presents itself as an 'archive deployment sync' utility but, during the postinstall stage, authenticates to GitHub using a token found in the victim's environment (or a hard-coded fallback), creates an attacker-controlled repository, and recursively uploads every local file. It writes a fake 'network connections' log to disguise the theft. The package leaked its own GitHub token, suggesting AI-generated malware with poor OPSEC. It has ~676 downloads and remains live on npm.

Check
Search npm install logs and CI/CD for mouse5212-super-formatter. On any host that ran it, audit /mnt/user-data access and outbound GitHub API calls. Rotate exposed GitHub tokens.
Affected
Developers and AI-tooling users who installed mouse5212-super-formatter (676 downloads, still live). Systems with Claude's /mnt/user-data directory and a GitHub token in the environment are the target.
Fix
Remove the package and pin dependencies via lockfile. Rotate every GitHub token reachable from affected hosts. Treat uploaded/output files in /mnt/user-data as potentially exfiltrated.

TrapDoor cross-ecosystem supply chain hits npm, PyPI, Crates.io with 34+ malicious packages; plants .cursorrules and CLAUDE.md to trick AI assistants

Socket has detailed TrapDoor, a coordinated cross-ecosystem supply-chain campaign that has published 34+ malicious packages across 384+ versions on npm, PyPI, and Crates.io since May 22. Targets are crypto, DeFi, Solana, and AI developers. The npm packages deploy trap-core.js, which scans for credentials, validates AWS and GitHub tokens against their APIs, and persists via cron, systemd, Git hooks, shell rc files, and SSH; the Rust crates trigger execution from build.rs; the Python packages auto-execute on import and fetch JavaScript from ddjidd564.github[.]io. Notable twist: the campaign also plants .cursorrules and CLAUDE.md files in PRs to popular AI repos to trick AI coding assistants into running 'security scans' that exfiltrate secrets.

Check
Search npm, pip, and cargo install logs across CI/CD and developer machines for any of the 34+ TrapDoor packages. Check repos for unsolicited .cursorrules or CLAUDE.md additions in PRs.
Affected
Crypto, DeFi, Solana, and AI developers who install packages by name without lockfile pinning. Users of AI coding assistants (Cursor, Claude) that read .cursorrules or CLAUDE.md.
Fix
Pin via lockfiles. Block ddjidd564.github[.]io at egress. Audit .cursorrules and CLAUDE.md across repos. Configure AI coding assistants to require explicit confirmation before running arbitrary commands from project files.

GitHub ships npm 11.15.0 with 2FA-gated staging, OIDC trusted publishing, and per-source install flags in response to TeamPCP wave

GitHub has shipped npm CLI 11.15.0 introducing a 'staging' workflow that lets maintainers run 'npm stage publish' to push a candidate to a staging area before going live - with the constraint that the package must already exist on the registry and have 2FA enabled on the account. Three new install flags (--allow-file, --allow-remote, --allow-directory) extend the existing --allow-git to give developers an explicit allowlist for every non-registry install source. GitHub is also encouraging maintainers to pair staging with trusted publishing via OIDC. The changes respond to the TeamPCP supply-chain wave that compromised hundreds of packages over the past several weeks.

Check
Inventory developer machines using npm CLI. Upgrade to 11.15.0+ to access the staging workflow. Identify high-impact packages your team publishes and require 2FA on those maintainer accounts.
Affected
Any npm publisher whose tokens or maintainer accounts could be hijacked. The TeamPCP wave hit 600+ packages in one hour on May 19 by abusing maintainer accounts.
Fix
Adopt 'npm stage publish' for production packages. Enable 2FA on all maintainer accounts. Configure trusted publishing via OIDC where supported. Apply --allow-file / --allow-remote / --allow-directory selectively in CI.

Megalodon GitHub Actions attack scans 5,561 repos for CI/CD secrets; polymarketdev publishes nine wallet-stealer npm packages

SafeDep has detailed Megalodon, a GitHub Actions attack that scans 5,561 repositories for usable CI/CD secrets and credentials by submitting malicious pull requests that contain crafted workflow files. The campaign appears unrelated to the recent TeamPCP supply-chain wave. Separately, a throwaway npm account 'polymarketdev' published nine packages within 30 seconds (polymarket-trading-cli, polymarket-terminal, polymarket-trade, polymarket-auto-trade, polymarket-copy-trading, polymarket-bot, polymarket-claude-code, polymarket-ai-agent, polymarket-trader) that, on postinstall, present a fake wallet onboarding prompt and exfiltrate Ethereum and Polygon private keys to a Cloudflare Worker at polymarketbot.polymarketdev.workers[.]dev. The malicious packages remained live on npm at the time of publication.

Check
Search GitHub Actions audit logs for unfamiliar workflow files added via pull requests since May 21. Search npm install logs for any polymarket-* package.
Affected
5,561 GitHub repositories specifically targeted by Megalodon malicious pull requests. Any Ethereum or Polygon developer who installed polymarket-* npm packages exposed wallet keys.
Fix
Restrict workflows triggered by pull_request_target. Pin GitHub Actions to full commit SHAs, not tags. Treat any system that ran polymarket-* packages as compromised; rotate wallet keys immediately.

Shai-Hulud wave: 600+ npm @antv packages compromised in one hour, GitHub Action 'actions-cool' tag hijack linked

Between 01:56 and 02:56 UTC on May 19, a Shai-Hulud-flavored attack published 639 malicious versions across 323 npm packages, mostly in the @antv chart and graph namespace, after compromising the maintainer account 'atool.' Affected libraries include @antv/g2, @antv/g6, echarts-for-react, timeago.js, and jest-canvas-mock (still 10M monthly downloads despite three years dormant). A linked attack hijacked 15 tags of the 'actions-cool' GitHub Action and replaced them with a credential stealer that reads runner memory and exfiltrates to t.m-kosche[.]com, the same domain as the @antv campaign. Socket and Aikido say there are now 2,900+ GitHub repos generated by this wave.

Check
Audit package lockfiles and CI logs for installs of any @antv/* package or timeago.js, size-sensor, jest-canvas-mock, echarts-for-react published on May 19. Search workflows for 'actions-cool/maintain-one-comment@<tag>' references.
Affected
Developers and CI/CD pipelines that installed @antv packages or used the actions-cool GitHub Action between May 19 01:56 UTC and the npm registry takedown.
Fix
Pin GitHub Actions to full commit SHAs, not tags. Block egress to t.m-kosche.com. Rotate every developer token, npm token, cloud credential, and SSH key on machines that ran affected builds.
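Two of the Fix steps above (restricting pull_request_target after Megalodon, and pinning Actions to commit SHAs after the actions-cool tag hijack) can be checked mechanically. The Python below is an added example, not code from any vendor cited here; it audits a workflow file with regexes rather than a YAML parser so it needs no third-party module, and it runs against a constructed sample workflow whose v3 tag and SHA are placeholders.

```python
import re
from typing import List

# A 40-hex commit SHA cannot be re-pointed; tags and branches (v4, main) can, which is
# exactly what the actions-cool tag hijack above exploited.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# "uses: owner/repo@ref" or "- uses: owner/repo/subdir@ref", optionally quoted.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)", re.MULTILINE)
# pull_request_target as a block-style key, a list item, or inside a flow-style "on: [...]".
PRT_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?pull_request_target\b|^on:.*\bpull_request_target\b",
                    re.MULTILINE)

def audit_workflow(text: str) -> List[str]:
    """One finding per mutable action ref, plus one if pull_request_target is a trigger."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        if action.startswith(("./", "docker://")):
            continue  # local paths and container images are not registry tags
        if not SHA_RE.match(ref):
            findings.append(f"unpinned action {action}@{ref}: pin to a full commit SHA")
    if PRT_RE.search(text):
        findings.append("pull_request_target trigger: the job runs with base-repo secrets on "
                        "fork PR input; restrict it and do not run PR head code under it")
    return findings

# Constructed workflow for the demo; the v3 tag and the SHA are placeholders, not real refs.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-cool/maintain-one-comment@v3
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: npm ci
"""
```

Run audit_workflow over each file under .github/workflows/ and fail the CI job on any finding.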

Grafana confirms its GitHub breach started with the TanStack npm supply-chain attack (TeamPCP)

Grafana Labs has confirmed that its previously disclosed GitHub breach started with the TanStack npm supply-chain attack run by TeamPCP, the same one that hit OpenAI and Mistral AI. Grafana detected the activity on May 11, rotated a significant number of GitHub workflow tokens, but one token slipped through and the attacker used it to pull Grafana's codebase. The downstream extortion attempt under the CoinbaseCartel banner came on May 16 and Grafana refused to pay, citing FBI guidance. The incident chains TeamPCP's TanStack OIDC-token theft into a directly observable secondary breach at a major observability vendor.

Check
If you maintained or rebuilt Grafana forks since May 11, or used Grafana Labs GitHub Actions, audit CI logs and outbound traffic against TanStack-attack IoCs published by Wiz and Snyk.
Affected
Grafana Labs (codebase, already public). New attribution links the breach to the TanStack supply-chain attack. No direct customer or Grafana Cloud impact reported.
Fix
Adopt OIDC trusted publishing. Treat GitHub Actions workflow tokens as short-lived and rotate aggressively. Seed canary tokens in private repos - Grafana detected this breach via a canary trigger.

Leaked Shai-Hulud worm source code reused in four malicious npm packages, one adds Phantom Bot DDoS

After TeamPCP dumped the Shai-Hulud worm's source code on GitHub last week with the note 'Here We Go Again - Let the Carnage Continue,' a new actor under the npm name deadcode09284814 has published four malicious packages typosquatting Axios and friends. One package, chalk-tempalte, contains an almost-unmodified copy of the leaked worm, exfiltrating GitHub tokens, cloud configs, and crypto wallet data to a remote C2 and creating a public GitHub repo titled 'A Mini Sha1-Hulud has Appeared.' Another package, axois-utils, adds a Go-based DDoS bot called Phantom Bot that floods HTTP, TCP, and UDP. OX Security, which discovered the campaign, counted about 2,678 combined downloads.

Check
Search package lock files and CI/CD logs for installs of chalk-tempalte, @deadcode09284814/axios-util, axois-utils, or color-style-utils. Check your GitHub accounts for any repo named 'A Mini Sha1-Hulud has Appeared.'
Affected
Any organization whose developers install Node.js packages by name from npm without lockfile pinning or pre-publish vetting, since the four packages typosquat the popular axios library and related names.
Fix
Uninstall the four packages and rotate all developer GitHub tokens, npm tokens, and cloud credentials on affected machines. Block the C2 hosts 87e0bbc636999b.lhr.life and 80.200.28.28:2222 at egress.

node-ipc npm package (822K weekly downloads) compromised via expired-domain takeover, three malicious versions published

Socket and StepSecurity confirmed three malicious node-ipc releases (9.1.6, 9.2.3, 12.0.1, with 12.0.1 tagged as 'latest') uploaded to npm on May 14, 2026 by co-maintainer account 'atiertant.' Each version carries a byte-identical 80KB obfuscated payload appended as an IIFE to node-ipc.cjs, so it fires on every require('node-ipc') without using install scripts. The malware fingerprints the host, sweeps for 100+ credential and config targets, archives them, and exfiltrates via DNS rather than HTTP. Permiso's Ian Ahl traced the likely attack chain: the maintainer's recovery domain atlantis-software[.]net expired in Jan 2025, was re-registered by an attacker on May 7, 2026, then used to reset the npm password.

Check
Scan package-lock.json and yarn.lock for node-ipc versions 9.1.6, 9.2.3, or 12.0.1 published on or after May 14, 2026; check developer machines and CI runners for outbound DNS to non-corporate resolvers since that date.
Affected
Any Node.js project or CI pipeline that ran `npm install node-ipc` on or after May 14, 2026 without a pinned safe version (9.1.5 or 12.0.0). Developer workstations and CI runners with broad credential scope face highest risk.
Fix
Pin node-ipc to 9.1.5 or 12.0.0, purge npm and yarn caches, then rotate cloud access keys, GitHub PATs, SSH keys, and any secrets that touched affected machines. Block egress to attacker DNS resolvers from build infrastructure.
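Several of the Check steps above (the polymarket-* names, the deadcode09284814 typosquats, the mouse5212-super-formatter package, and node-ipc 9.1.6/9.2.3/12.0.1) reduce to scanning package-lock.json for known-bad names and versions. The Python below is an added example rather than code from Socket, StepSecurity or any other vendor cited here: it walks both the lockfileVersion 1 dependency tree and the v2/v3 packages map, dedups entries that v2 lists twice, and reports matches against exactly the indicators named on this page; the sample lockfile is constructed, and yarn.lock is not covered.

```python
import json
from typing import Dict, Iterator, List, Set, Tuple
# Indicators are the ones named in the advisories above; everything else here is constructed.
BAD_VERSIONS: Dict[str, Set[str]] = {"node-ipc": {"9.1.6", "9.2.3", "12.0.1"}}
BAD_NAMES: Set[str] = {"chalk-tempalte", "@deadcode09284814/axios-util", "axois-utils",
                       "color-style-utils", "mouse5212-super-formatter"}
BAD_PREFIXES = ("polymarket-",)  # the nine polymarketdev wallet-stealer packages

def iter_lock_entries(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (name, version) from v2/v3 'packages' and from the v1-style 'dependencies' tree."""
    for path, meta in (lock.get("packages") or {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # keys look like node_modules/a/node_modules/@scope/b; aliased installs carry a name field
        yield meta.get("name") or path.split("node_modules/")[-1], str(meta.get("version", ""))

    def walk(deps: dict) -> Iterator[Tuple[str, str]]:
        for name, meta in deps.items():
            yield name, str(meta.get("version", ""))
            yield from walk(meta.get("dependencies") or {})

    yield from walk(lock.get("dependencies") or {})  # v1 tree; v2 keeps it too for compatibility

def find_bad(lock: dict) -> List[Tuple[str, str, str]]:
    """Return (name, version, reason) for each distinct entry that matches an indicator."""
    hits, seen = [], set()
    for name, version in iter_lock_entries(lock):
        if (name, version) in seen:  # v2 lists the same entry in both sections
            continue
        seen.add((name, version))
        if version in BAD_VERSIONS.get(name, set()):
            hits.append((name, version, "known-malicious version"))
        elif name in BAD_NAMES:
            hits.append((name, version, "known-malicious package"))
        elif name.startswith(BAD_PREFIXES):
            hits.append((name, version, "suspicious name prefix"))
    return hits

def scan_file(path: str) -> List[Tuple[str, str, str]]:
    with open(path, encoding="utf-8") as fh:
        return find_bad(json.load(fh))

# Constructed lockfileVersion 3 fragment, not taken from any real project.
SAMPLE_LOCK = {"name": "demo", "lockfileVersion": 3, "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/node-ipc": {"version": "12.0.1"},
    "node_modules/axios": {"version": "1.7.0"},
    "node_modules/bot/node_modules/polymarket-trader": {"version": "0.0.1"},
}}
```

Pass a real lockfile path to scan_file; extend BAD_VERSIONS and BAD_NAMES from the vendors' IoC lists for anything not named on this page.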

TeamPCP Shai-Hulud aftermath: OpenAI rotates macOS code-signing certificates after employee devices breached, TeamPCP advertises 450 Mistral AI source repositories for $25K

Two days after the Mini Shai-Hulud worm tore through TanStack and Mistral AI packages, the named-victim count grew sharply. OpenAI confirmed that two employee devices were compromised through the TanStack supply-chain attack and that credential material was exfiltrated from a limited subset of internal source code repositories; the company is rotating its macOS code-signing certificates and tells Mac users they must update the ChatGPT Desktop, Codex, and Atlas apps by June 12, 2026, or the apps will stop launching. TeamPCP separately listed 450 Mistral AI private repositories on a criminal forum for 25,000 dollars. Mistral confirmed a codebase management system was temporarily compromised on May 12 but says hosted services and user data were not impacted.

Check
Audit which developer workstations had any TanStack, Mistral AI, UiPath, OpenSearch, or Guardrails AI npm or PyPI packages installed since May 8, and review GitHub audit logs for token use from those machines.
Affected
Mac users of the OpenAI ChatGPT Desktop, Codex CLI, and Atlas browser apps, which are signed with the rotated certificates and must be updated before June 12, 2026. Customers of Mistral AI relying on private repos for SDK pinning.
Fix
Update affected OpenAI macOS apps before June 12. Rotate GitHub PATs, npm and PyPI tokens, cloud secrets, and SSH keys exposed on impacted developer machines. Pin Mistral and TanStack packages to known-clean releases.