Your engineering team loves AI, and the bad guys do too

The 183 packages span nine scoped namespaces mirroring specific internal service names — including billing, VPN, Kubernetes, ML inference, IAM, loan flows, deposit forms, debit card applications, and crypto exchange modules, indicating the actor profiled each target organization's internal package ecosystem before publishing. The specificity of package names such as @cloudplatform-single-spa/certificate-manager, @cloudplatform-single-spa/vpn, @cloudplatform-single-spa/ml-inference, and @sber-ecom-core/sberpay-widget confirms targeted reconnaissance rather than opportunistic squatting. On install, the postinstall hook transmits the victim's full process.env to oob.moika.tech — capturing any API keys, CI secrets, cloud credentials, npm tokens, GitHub PATs, or other secrets present in the developer or CI environment at install time. A second-stage binary is simultaneously fetched from https://oob.moika.tech/payload/{mac|win|linux}.js and spawned as a detached child process using .unref(), surviving after npm install exits. Wave 4 (June 1) introduced home-directory persistence, writing the payload to ~/.emcd-vue_init.js rather than os.tmpdir(), which survives reboots and OS temp cleanup. The RECON_ONLY=1 flag, currently set server-side, indicates that the actor is collecting environment fingerprints and holding exploitation for a follow-on phase. Server-side toggling means full exploitation can be enabled against already-compromised environments without requiring a new install. The campaign pre-staged benign versions of @capibar.chat/ui-kit and @sber-ecom-core/sberpay-widget on May 4, 2026 — 23 days before the malicious wave — to establish namespace presence and bypass registry age-based filters. All packages carried a shared hardcoded X-Secret header value (l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1) across all four accounts and all four waves, tying the entire campaign to a single operator.

The compromised packages collectively represent approximately 16 million weekly downloads spanning enterprise data visualization, charting, graph visualization, geospatial mapping, and spreadsheet rendering. The payload harvests the full AWS credential chain, Google Cloud, Azure, GitHub tokens, npm publish tokens, SSH keys, Kubernetes service account tokens, HashiCorp Vault tokens, Stripe keys, database connection strings, cryptocurrency wallets, and Claude AI API credentials. In GitHub Actions environments, the payload reads Runner.Worker process memory directly via /proc/[pid]/mem, recovering every masked secret in plaintext. A self-replicating worm component uses stolen npm tokens to automatically poison additional packages, extending the blast radius beyond the initial atool account compromise. Over 2,500 attacker-created GitHub repositories are publicly visible, each representing a confirmed credential theft from a unique environment.

node-ipc has ~2M monthly downloads and is a foundational inter-process communication library across Node.js applications. The credential harvester targeted AWS, Azure, and GCP credentials, SSH keys, kubeconfig, GitHub CLI tokens, Terraform state, and Claude AI API keys, expanding the attack surface from cloud infrastructure to the AI developer toolchain. The use of Google DNS for exfiltration was designed to bypass local DNS monitoring.

Malicious lifecycle hooks exfiltrated GitHub tokens, npm publish credentials, AWS/Azure/GCP keys, Kubernetes configs, and environment variables from developer machines and CI/CD runners. The malware persists long after the infected package is removed: by writing itself into .claude/settings.json and .vscode/tasks.json, it re-executes every time a developer uses Claude Code or opens VS Code in the affected project directory. npm uninstall does not fix this. The novel deadman's switch makes standard incident response ineffective: rotating compromised credentials — the first thing any security team does — triggers automatic deletion of the developer's entire home directory, turning remediation into a destructive event. This is the first documented npm worm to ship with valid, attacker-generated SLSA provenance. The malicious packages were signed by TanStack's own CI pipeline, meaning cryptographic provenance (a signal defenders rely on to distinguish legitimate packages from tampered ones) provided no protection here. The deliberate targeting of @mistralai, @uipath, and AI tooling broadly signals this campaign's focus on AI development pipelines.

intercom-client has 1.3M monthly downloads and is embedded in customer communication stacks across thousands of companies. The credential harvester targeted Kubernetes configs, Vault secrets, and cloud credentials from AWS, GCP, and Azure, meaning a single infected install could expose an organization's entire cloud infrastructure. The attack also erodes trust in Intercom's SDK as a dependency, forcing security teams to audit and re-approve a package many had long considered safe.

Developer secrets, API keys, and database credentials stored in environment files were exfiltrated. The maintainer had previously demanded $10,000 from TanStack, suggesting extortion as a motive. TanStack has filed trademark infringement documents.

The compromised packages collectively receive 2.25M+ monthly downloads and are core components of SAP's Cloud Application Programming Model. Developer credentials, GitHub/npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes were harvested. SAP superseded all four packages with clean releases within ~4 hours.

Elementary-data has 1.1M monthly downloads. The signed, legitimate-looking release made detection difficult. Any developer who installed v0.23.3 should assume all local credentials were exfiltrated.

Axios has 300M+ monthly downloads and is one of the most-used npm packages globally. Microsoft attributed the attack to North Korean state actors, elevating it to a national security concern. Full extent of damage not known.

Telnyx SDK has 790K monthly downloads. The malware harvested environment variables, SSH keys, cloud credentials, Kubernetes data, Docker configs, and database passwords from affected systems.

LiteLLM has 280M+ monthly downloads and is widely used in AI/ML pipelines. Any credentials on affected machines should be considered compromised, including cloud provider tokens and database passwords.

Compromised developer machines had npm tokens, cloud credentials, SSH keys, and crypto wallet data (MetaMask, Phantom, Solana, Ethereum) exfiltrated. C2 built on ICP blockchain cannot be taken down through conventional means.

Compromised credentials became the launchpad for CanisterWorm, LiteLLM, and Telnyx attacks. It’s been confirmed that dozens of companies have had their data stolen, including Mercor AI and Cisco that had theirs held for ransom.

Funds were drained from affected wallets. This was dYdX's third supply chain incident (following a 2022 npm compromise and 2024 DNS hijack), severely eroding developer trust in the protocol's distribution channels.

The cryptominer functioned as a general-purpose loader capable of fetching arbitrary second-stage code. Available on PyPI for 7 days (Jan 17-24) before removal. Spoofed metadata made it appear identical to the official library.

Trust Wallet was breached in Dec 2025, and $8.5M in crypto was drained from 2,520 wallets. Nearly 300K credentials (3,760 confirmed valid) were publicly exposed, with Zapier, Postman, and PostHog suffering brand damage.

Malicious code reached ~10% of cloud environments within the 2-hour exposure window. chalk (299M/week) and debug (47M/week) are among the most foundational packages in the JavaScript ecosystem. Full list of impacted packages totaled 2.6B+ combined weekly downloads.

More than 11,500 developers installed this malicious package with zero documentation or description. Three-year dwell time demonstrates how long malicious packages can survive on public registries without community detection. Attackers gained access to Discord bot tokens, user data, and server information.

Initially targeted Coinbase before expanding broadly. Affected repositories led to a cascade of credential-based follow-on attacks.