Campaigns
Named operations tying malicious packages, indicators of compromise, and attack techniques together.
ACTIVELY ONGOING single-actor npm supply chain campaign, named for the wshu.net publisher infrastructure that ties its members together; @apexcraft/nano-key is the convicted ROOT/lineage member (secondary identifier). Amazon Inspector security research (Chi Tran, 2026-06-19) independently documented the SAME cluster as 'Operation Friday Harvest' (same 13 wshu.net scopes, same <scope>-<6char>@wshu.net burner pattern, same ~260-282KB obfuscator.io payload, same dual-trigger) - independent corroboration that raises confidence on the cluster to HIGH/confirmed. Confirmed members now total 15 packages across 13 throwaway scopes seeded on 2026-06-04; THREE of those scopes (@zynkit, @frostnode, @gleamkit) each hold a payload-free scope-reservation probe stub. Amazon Inspector's fuller version enumeration shows 64 malicious versions across the cluster (broader ranges than SafeDep statically pulled - e.g. @apexcraft/nano-key 1.2.4/1.2.5/1.3.2-1.3.8, @glitchpad/throttler 2.1.1/2.2.1-2.2.4, @nullzero/urlcat 1.4.0-1.4.3, @tinyfox/shapecheck 0.7.4/0.8.5-0.8.8, @zynkit/jwtbytes 0.4.3/0.5.1-0.5.4). Each payload package masquerades as a small developer utility (JWT/byte helper, retry wrapper, shape validator, throttler, logger, hex parser, env validator, datetime lib, RxJS poll operator) but ships a 259-282KB javascript-obfuscator payload blob executed via a postinstall hook. CORRECTED PAYLOAD BEHAVIOR (Amazon Inspector dynamic analysis SUPERSEDES the earlier static hypothesis): the obfuscated JS blob is a DOWNLOADER/LOADER, not a self-contained browser-credential stealer. It spawns a detached child process behind env-var guards, downloads a ~10.6MB Rust-compiled binary from GitHub Releases (github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/{linux,mac,win.js}), and executes it. 
The Rust binary is the actual infostealer: 30+ crypto wallets (MetaMask, Phantom, Trust Wallet, Solflare, Keplr, Ledger, Trezor, ...), browser credentials (Chrome/Brave/Firefox/Edge passwords/cookies/history/autofill/cards), cloud tokens (AWS/GCP/Azure/Kubernetes), SSH keys, Discord tokens + Telegram session data, developer creds (npm tokens/.env/.npmrc/GitHub PAT/PyPI tokens), and DB client connection strings (DBeaver/pgAdmin/MongoDB Compass). Persistence: a systemd USER service masquerading as a benign daemon (observed colord, haveged) at ~/.local/bin/<daemon> + ~/.config/systemd/user/<daemon>.service. Exfil C2: the Windows variant uses the Telegram Bot API (api.telegram.org, 149.154.166.110); Linux/macOS variants POST multipart/form-data over HTTP (minreq lib), gated behind anti-VM checks (Windows is NOT gated). The EARLIER static hypothesis - that the payload was itself the convicted @apexcraft/nano-key Chromium browser-credential stealer (Cookies/Login Data -> aes-256-gcm decrypt -> HTTPS exfil) - is now SUPERSEDED by this confirmed downloader->Rust-infostealer chain; browser-credential theft survives only as one capability of the Rust second stage, not the whole payload. SafeDep's independently-verified FIRST-STAGE observations stand: obfuscator.io RC4+base64 string decoder, the guarded runPrepare()/onInstall() wrapper auto-fired via require.main===module, dynamic require to keep module names out of the static graph, and byte-identical/near-identical compiled blobs. The STRONGER pivot is the GitHub delivery account angelmaybeth21-oss (created 2026-06-03; repo 'test' now removed but account live) and secondary smilingdusty233 (created 2026-05-31) - not the shared disposable wshu.net email. 
The DURABLE campaign fingerprint is the shared obfuscator.io template plus 5 build clusters (A-E) keyed by string-array function name and re-entrancy guard tag (A=_0xe119/__EE9863E13F_TAG: @apexcraft,@briskforge,@chunklab; B=_0x36b9/__7D0A53D40B_TAG: @glitchpad,@nullzero,@lazyutil; C=_0x175f/__38CC632841_TAG: @petitcode,@tinyfox,@thymelab,@zynkit; D=_0x5da4/__70FE9F7AB6_TAG: @bytemend; E=_0x15fd/__4C6BA78C7C_TAG: @frostnode) - members in the same cluster share the same obfuscator seed, which explains SafeDep's byte-identical-blob finding. CORRECTION: wshu.net is a PUBLIC DISPOSABLE-EMAIL provider (on disposable-email-domains, fakefilter, MISP warninglists, authgear's free-email list, and in unrelated apps' temp-mail signup logs), so the wshu.net domain ALONE is a NOISY pivot, NOT a unique attacker-owned indicator. Latest dist-tag of every payload package was republished with empty scripts to evade casual npm view metadata checks while the payload remains in mid-versions. @nullzero/urlcat (publisher [email protected]) is a same-actor member whose flagged version 1.4.2 was UNPUBLISHED before SafeDep static inspection. The earlier noon-contracts npm package (2026-05-10, publisher [email protected]) shares ONLY the disposable-email provider, not payload or code; that link is WEAKENED - treat it as a low/medium-confidence lead.
npm scope/account-takeover supply chain attack against the @mastra (Mastra AI agent framework) ecosystem. On 2026-06-17 (UTC) the attacker republished 143 first-party @mastra packages (including @mastra/core, mastra, create-mastra) in a ~84-minute burst (01:12-02:36). The publisher account `ehindero` was a stale former Mastra contributor whose scope access was never revoked (~16 months dormant) and whose email had been changed to a tutamail address. Library code was left byte-identical; each malicious release added exactly one dependency, easy-day-js (a dayjs clone), whose postinstall hook drops and runs a multi-platform cryptocurrency-stealing RAT. Malicious versions were published from a personal token with dist.attestations=null, breaking the OIDC/SLSA provenance baseline of legitimate releases. Tradecraft overlaps the Sapphire Sleet / BlueNoroff cluster (SafeDep assessment, unconfirmed).
Single operator published five coordinated npm packages in a 12-minute burst on 2026-06-16 (14:44:00-14:56:56 UTC) to deliver a Windows binary dropper split across packages. Two fabricated GitHub orgs (akuznetsov-oss, vpetrov-oss, now 404), throwaway maintainer emails under custom domain deltajohnsons.com (one random local-part per package), and two invented author personas (Anton Kuznetsov <[email protected]>, Viktor Petrov <[email protected]>). Weaponized: procwire (dropper) + routecraft (Express typosquat on-Windows trigger). Tooling: bytecraft (XOR helper), endpointmap (metadata-only C2 store), staticlayer (the operator's own payload server side, UA-gated). Assessed NET-NEW operator/cluster (high confidence); not a known actor. The only shared atom with prior KB campaigns is catbox.moe (broadly-abused shared infra, used here for inbound payload staging vs LofyGang outbound exfil) — coincidental, NOT attribution.
June 2026 supply chain attack against the Arch User Repository (AUR), named 'Atomic Arch' by Sonatype. Initial vendor reporting counted 400+ adopted packages (byteiota 408; an early community list consolidated ~588); the authoritative community-consolidated list (cscs, forked from the Kidev gist, referenced by the CachyOS/Arch/Garuda advisories) ultimately enumerates 1937 affected AUR package names ('almost 2000'). Attackers adopted orphaned AUR packages via AUR's standard adoption process and impersonated a trusted maintainer (account arojas, with krisztinavarga and wave-2 accounts custodiatovar/veramagalhaes), then poisoned each PKGBUILD so the build run by yay/paru pulls a malicious npm package ([email protected]) or, in a later variant, js-digest via bun (publisher herbsobering). The npm preinstall hook (./src/hooks/deps) executes a stripped Rust-async Linux ELF infostealer carrying an eBPF kernel rootkit (scales.bpf.c, hooks getdents64 to hide PIDs/files/sockets), Tor hidden-service C2 (olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion, /api/agent) with temp.sh fallback, broad developer-secret + browser harvesting, systemd persistence, and a secondary suspected-cryptominer payload. Assessed HIGH confidence as the same operator/toolkit as IronWorm (shared Rust-async ELF + eBPF rootkit + Tor /api/agent + temp.sh tradecraft and shared atomic-* npm naming), re-targeting the Arch ecosystem via the distro build pipeline. Sonatype-2026-003775, CVSS 8.7.
Rust-built infostealer npm supply chain worm, identified by JFrog Security Research on 2026-06-03 as an evolved variant of the Shai-Hulud worm family. Distributed via npm packages published from the compromised `asteroiddao` account (43 packages), it targets the Arweave/WeaveDB decentralized-database and broader Web3/crypto developer ecosystem. The malicious install hook drops a ~976 KB Rust ELF (`tools/setup`, UPX-packed with overwritten magic) that harvests ~86 environment variables and 20+ credential file paths (cloud, AI API keys, SCM/registry/CI tokens, Kubernetes/Vault secrets), captures Exodus desktop wallet seed phrases, ships an eBPF kernel rootkit for process/socket hiding and anti-debugging, beacons to a Tor hidden service (/api/agent) with temp.sh fallback exfil, and self-republishes via npm OIDC Trusted Publishing. Code paths targeting PyPI, Cargo, Conan and vcpkg credentials/registries were also present. Shares Shai-Hulud tradecraft (claude@ commit spoofing, dependency-tooling masquerade, supply-chain self-propagation) but escalates to a custom native implant.
Serial axios typosquat campaign by a single Epsilon Stealer MaaS operator. Wave 1: turbo-axios published 2026-05-23 (v1.17.2, v1.17.3), taken down by npm security hold 2026-05-28. Wave 2: the operator created a new npm account (speedsteraxios) and published faster-axios on 2026-06-01 (v1.17.3, v1.17.4) with rotated Cloudflare quick-tunnels but shared infrastructure (consequences-faces-weblogs-clinical.trycloudflare.com appears in both the turbo-axios stage-2 C2 and the faster-axios Epsilon Stealer DOWNLOAD_URL constant). Shared TTPs: identical version numbering (1.17.x), same postinstall hook (node ./lib/core/eval.js), same sendAnalytics() function name, same /download/datab1 URL path pattern, same attack shape (postinstall eval-downloader targeting axios users). Payload: Epsilon Stealer MaaS infostealer with browser credential theft, crypto wallet theft, Discord/Telegram/GitHub token theft, process injection, WebSocket RAT, and persistence.
Supply-chain campaign in the Shai-Hulud worm lineage, a variant of / derived from Mini Shai-Hulud (TeamPCP-attributed). Also tracked by other researchers as the "Hades Campaign" (confirmed external alias / cross-reference name; like the "Miasma" name itself, it is an external label, not a string recovered in plaintext from any decoded artifact). As of 2026-06-08 the authoritative consolidated package list spans two ecosystems: npm (106 packages / 411 versions across the June 1 Trusted-Publishing @redhat-cloud-services wave and the June 3 Phantom Gyp Arm A) and PyPI (26 packages / 45 versions, newly surfaced and expanded). The PyPI package identities and versions are authoritative (HIGH CONFIDENCE), but the PyPI delivery mechanism, payload, and entry vector have NOT been analyzed (OBSERVED, not characterized); attribution of the PyPI packages to the Miasma payload is by authoritative-list inclusion only. The campaign-identifier string "Miasma: The Spreading Blight" was not recovered in plaintext from the June 1 sample but is corroborated by the June 3 liuende501 exfil account repo descriptions.
Multi-wave npm dependency-confusion campaign run by a single operator rotating disposable npm accounts and email identities. Wave 1 (2026-05-27): accounts mr.4nd3r50n and pik-libs published 164 packages at 99.99.99 across five internal scopes. Wave 2 (2026-05-29): t-in-one ([email protected]), 12 packages, Sberbank SberPay impersonation. Wave 3 (2026-06-01): emcd-vue ([email protected]), @emcd-vue scope impersonating EMCD Russian crypto exchange, WaCk/JScrambler obfuscation + FUSION_ second-stage protocol + home-dir persistence. Wave 4 (2026-07-01): a fifth npm account, marketfront ([email protected], scope @marketfront created 2026-07-01T22:59:33Z), batch-published 25 e-commerce/marketing frontend cover packages, all at version 7.0.0, in a ~3-minute window (all now 404). Wave 4 is a payload EVOLUTION: it drops the full-process.env exfiltration to oob.moika.tech/report used in Waves 1-3 in favor of TARGETED credential-FILE harvesting (~20 secret files including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env, ~/.bash_history), exfiltrated as a gzip-compressed HTTPS POST with a custom X-Secret header to the path /api/v1/events, plus a DNS resolver beacon. The C2 host is concealed behind an RC4+XOR layer around an embedded config blob and was NOT statically resolved (recorded as unresolved). Obfuscation shifted to obfuscator.io-style single-line ~160 KB with a custom lowercase-first base64 alphabet plus a per-string RC4 layer (static base64 decode of the string table only recovers primitives like charCodeAt/fromCharCode). SafeDep attributes Wave 4's TTP to the confirmed-malicious @emcd-vue (Wave 3) actor; the @emcd-vue predecessor scope remained live and was republished as of 2026-07-02 (@emcd-vue/[email protected], @emcd-vue/[email protected], @emcd-vue/[email protected]). 
Wave 4 also has a same-day sibling scope @tqm-mfe (single package @tqm-mfe/main at 5.4.7 and 5.5.0, published 2026-07-01) by npm user t.tqm.mfe under a NEW Proton Mail identity [email protected] (distinct from [email protected]), impersonating Tinkoff / T-Bank internal Angular ESLint tooling and carrying the same scope-parameterized Platform Engineering fingerprint, RC4/XOR obfuscation class (~182 KB), and non-functional decoy dist/index.js; its credential-file harvester behavior is inferred from the family match, not independently decoded, and its C2 host was not statically resolved.
Social engineering acquisition fraud targeting the maintainer of art-template (~33,600 weekly npm downloads). A Malaysian company front (KILLER WHAL AI SDN BHD) tricked the original author into transferring npm and GitHub ownership. Three phases over 16 months: Phase 1 (Mar 2025) testing with obfuscated injection, Phase 2 (May 2026) Coruna iOS exploit kit delivery via hijacked JiaThis domain, Phase 3 (Jun 2026) pivot to Chinese gambling/adult content traffic hijacking with Beijing timezone gating. Google TAG attributes Coruna usage to UNC6691 (Chinese, financially motivated).
Five npm packages (iceberg-javascript, supabase-javascript, auth-javascript, microsoft-applicationinsights-common, ms-graph-types) that abuse Claude Code hooks to backdoor AI coding sessions.
A Telegram account-takeover operation by npm publisher shetty123 ([email protected]). Pairs a malicious client (common-tg-service) with the operator's server-side runtime (ams-ssk) deployed at cms.paidgirl.site. Targets Indian Telegram accounts for downstream UPI payments fraud.
Three compromised versions of the Microsoft durabletask Python SDK (1.4.1, 1.4.2, 1.4.3) were published to PyPI, each downloading a stage-2 payload that steals credentials from AWS, Azure, GCP, Kubernetes, HashiCorp Vault, and password managers, then propagates to other hosts via SSM and kubectl exec.
npm packages using Polymarket and DeFi trading lures to steal cryptocurrency wallet private keys and drain victim funds.
npm packages from a single operator delivering Windows RATs and browser cookie/credential stealers. Every variant exfiltrates to [email protected], linking the packages to one actor.
Multi-wave npm supply chain campaign deploying a cross-platform RAT disguised as Autodesk Forge SDK packages. Uses shared C2 infrastructure at 204.10.194.247 across all waves. Wave 1 (forge-jsx, April 2026) provided base RAT capabilities. Wave 2 (forge-jsxy, May 2026) added Discord screenshot exfiltration, Hugging Face uploads, crypto wallet scanning, Chromium extension harvesting, WebRTC P2P, and durable persistence outside node_modules. Wave 3 (forge-jsx4, June 2026) confirmed identical C2 config, identical AES key material, and full Phase 5 feature set; version gap v1.0.92-v1.0.121 implies an unidentified intermediate package.
DPRK-linked (Famous Chollima) supply chain campaign targeting developers via npm, PyPI, and fake job interviews. MicrosoftSystem64 / js-logger-pack is attributed to this campaign cluster via the toskypi identity ([email protected]), jpeek account rotation (jpeek868/886/895), and shared Lordplay/system-releases HuggingFace infrastructure. Overlapping sub-campaigns: Contagious Trader (crypto trading lures), BigSquatRat (typosquats).
npm packages published by a single operator that plant SSH backdoors and full remote access trojans on developer machines. All variants exfiltrate stolen data to the [email protected] mailbox, tying the packages to one actor.
Cluster of big.js and biginteger typosquats (sjs-biginteger, bjs-biginteger, cjs-biginteger and lint-builder variants) that implant SSH backdoors and steal developer keys.
Compromise of the @fairwords npm scope (websocket, loopback-connector-es, encryption) delivering a credential-harvesting worm.
36 npm packages impersonating Strapi plugins that deploy Redis RCE, steal databases and maintain persistent command and control.
Umbrella supply chain campaign tracked by Wiz (Rami McCarthy) that compromises developer tooling, package registries, and CI/CD across npm, PyPI, Docker, VSCode, and Packagist. The initial wave abused Checkmarx-themed decoy domains (checkmarx.zone, audit.checkmarx.cx) and shared C2 (94.154.172.43) to trojanize litellm and, through a cascading KICS compromise, @bitwarden/cli. Attribution strings reuse Dune terminology, linking it to the Shai-Hulud worm family.
Self-replicating npm and PyPI supply chain worm that harvests developer, cloud, and registry credentials and propagates by publishing trojanized versions of every package the stolen tokens can reach. First seen September 2025 (@ctrl/tinycolor and peers, exposing private repositories and AWS credentials), it resurged as the larger 'Shai-Hulud 2.0' wave in November 2025 across @zapier, @asyncapi, posthog and @postman packages affecting 25,000+ repositories, and later reached PyPI through PyTorch Lightning. Named after the Dune sandworm; part of the broader TeamPCP activity.
September 2025 phishing compromise of npm maintainer 'qix' that hijacked 18 ultra-popular packages (chalk, debug, ansi-styles, strip-ansi and more, 1B+ weekly downloads) to inject a browser-based crypto wallet address swapper.
August 2025 compromise of the nx build system and @nx/js that stole credentials, SSH keys and wallet data from Linux and macOS developers and published the loot to attacker-created GitHub repositories.
PyPI typosquats of the Bittensor SDK (bitensor, bittenso, bittenso-cli, qbittensor) that backdoor crypto and AI developers, steal wallet credentials and use DNS tunneling as a fallback exfiltration channel.
July 2025 maintainer-phishing compromise that pushed malware through eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core and napi-postinstall, packages with tens of millions of weekly downloads.
Dependency-confusion packages that mimic the private/internal package names of specific enterprises (Hyatt, Schedaero, Coca-Cola, Genoma and others) and beacon host and environment data to attacker-controlled collectors such as Burp Collaborator, requestcatcher and disposable inboxes.
Catch-all for isolated malicious packages that are not attributable to a tracked campaign.