
Malicious nx Packages Exfiltrate Credentials in 's1ngularity' Supply Chain Attack

5 unique sources, 16 articles

Summary


The *SANDWORM_MODE* campaign, a new iteration of the Shai-Hulud supply chain worm, has expanded its attack surface by leveraging 19 malicious npm packages (e.g., `claud-code`, `crypto-locale`, `secp256`) to harvest credentials, cryptocurrency keys, and API tokens. Published under aliases *official334* and *javaorg*, the malware retains Shai-Hulud’s self-propagating capabilities while introducing novel techniques: **GitHub API exfiltration with DNS fallback**, **hook-based persistence**, **SSH propagation**, and **MCP server injection** targeting AI coding assistants (Claude Code, VS Code Continue, etc.). The attack also targets **LLM API keys** (Anthropic, OpenAI, Mistral, etc.) and includes a **polymorphic engine** (currently inactive) for evasion via Ollama/DeepSeek Coder. A two-stage payload delays deeper harvesting (password managers, worm propagation) for 48+ hours, with a destructive wiper routine as a fallback. This follows the *Sha1-Hulud* wave (November–December 2025), which exposed **400,000 secrets** across **30,000 GitHub repositories** via **800+ trojanized npm packages**, and the *PackageGate* vulnerabilities (January 2026) that bypassed npm’s `--ignore-scripts` defenses. Concurrently, unrelated but similarly severe threats include the `buildrunner-dev` and `eslint-verify-plugin` packages deploying **Pulsar RAT/Mythic C2 agents**, and a fake VS Code Solidity extension (`solid281`) dropping **ScreenConnect or reverse shells**. Researchers warn of escalating risks to developer environments, CI/CD pipelines, and AI-assisted coding tools, urging **immediate credential rotation**, **dependency audits**, and **hardened access controls**.

Timeline

  1. 23.02.2026 12:20 1 articles · 1d ago

    Concurrent Malicious npm Packages Deploy RATs and Reverse Shells

    Researchers identified two additional malicious npm packages, `buildrunner-dev` and `eslint-verify-plugin`, deploying advanced post-exploitation tooling. `buildrunner-dev` installs **Pulsar RAT**, an open-source remote access trojan delivered via a PNG image hosted on `i.ibb[.]co`, targeting Windows, macOS, and Linux systems. `eslint-verify-plugin` masquerades as a legitimate ESLint utility but deploys a **multi-stage infection chain**: on Linux, it installs a **Poseidon agent** for the Mythic C2 framework, while on macOS, it executes **Apfell** (a JXA agent) to create a new admin user and exfiltrate system data (Chrome bookmarks, iCloud Keychain, screenshots, etc.). Separately, a rogue VS Code extension, `solid281`, impersonates the official Solidity extension but drops **ScreenConnect** (Windows) or a **Python reverse shell** (macOS/Linux) upon startup. These discoveries highlight the broadening scope of supply chain attacks beyond credential theft, targeting full-system compromise and lateral movement within developer environments.

  2. 26.01.2026 16:02 1 articles · 29d ago

    PackageGate Vulnerabilities Bypass NPM's Shai-Hulud Defenses via Git Dependencies

    Researchers at Koi Security discovered *PackageGate*, a collection of vulnerabilities in JavaScript package managers (npm, pnpm, Bun, vlt) that allow attackers to bypass security measures like the '--ignore-scripts' flag. The flaws enable malicious '.npmrc' files in Git dependencies to override the git binary path, achieving full code execution during installation. Bun patched the issue in version 1.3.5, while pnpm addressed two CVEs (CVE-2025-69263 and CVE-2025-69264). NPM, however, closed the report as "works as expected," arguing that users must vet package content themselves—despite the bug bounty scope explicitly covering script execution bypasses. The vulnerabilities are not theoretical: proof-of-concept exploits creating reverse shells have been observed. GitHub, npm’s operator, acknowledged ongoing registry scans for malware and urged adoption of trusted publishing and granular access tokens with enforced 2FA. The findings underscore persistent risks in npm’s security model, particularly for Git-based dependencies, which could enable attackers to circumvent post-Shai-Hulud mitigations.

  3. 02.12.2025 21:06 1 articles · 2mo ago

    Shai-Hulud 2.0 NPM malware attack exposed up to 400,000 dev secrets

    The second Shai-Hulud attack last week exposed around 400,000 raw secrets after infecting hundreds of packages in the NPM registry and publishing stolen data in 30,000 GitHub repositories. Although just about 10,000 of the exposed secrets were verified as valid by the open-source TruffleHog scanning tool, researchers at cloud security platform Wiz say that more than 60% of the leaked NPM tokens were still valid as of December 1st. The Shai-Hulud threat emerged in mid-September, compromising 187 NPM packages with a self-propagating payload that identified account tokens using TruffleHog, injected a malicious script into the packages, and automatically published them on the platform. In the second attack, the malware impacted over 800 packages (counting all infected versions of a package) and included a destructive mechanism that wiped the victim’s home directory if certain conditions were met. The malware used TruffleHog without the 'only-verified' flag, meaning that the 400,000 exposed secrets match a known format and may not be valid or usable anymore. Analysis of 24,000 environment.json files showed that roughly half of them were unique, with 23% corresponding to developer machines, and the rest coming from CI/CD runners and similar infrastructure. Most of the infected machines, 87% of them, are Linux systems, while most infections (76%) were on containers. Regarding the CI/CD platform distribution, GitHub Actions led by far, followed by Jenkins, GitLab CI, and AWS CodeBuild. The top package was @postman/[email protected], followed by @asyncapi/[email protected]. These two packages together accounted for more than 60% of all the infections. Wiz believes that the perpetrators behind Shai-Hulud will continue to refine and evolve their techniques, and predicts that more attack waves will emerge in the near future, potentially leveraging the massive credential trove harvested so far.

  4. 24.11.2025 15:03 9 articles · 3mo ago

    Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft

    The second wave of the Shai-Hulud attack, *Sha1-Hulud*, compromised over 800 npm packages and exposed 400,000 raw secrets across 30,000 GitHub repositories, with 60% of leaked NPM tokens remaining valid as of December 2025. The malware introduced a preinstall script (setup_bun.js) that installed the Bun runtime to evade Node.js-focused defenses, registered infected machines as self-hosted GitHub runners, and exfiltrated credentials via dynamically named repositories. Analysis revealed 87% of infections occurred on Linux systems, predominantly in containers, with GitHub Actions being the most exploited CI/CD platform. *Update*: Subsequent research identified *PackageGate*, a set of vulnerabilities in npm, pnpm, Bun, and vlt that allow attackers to bypass the '--ignore-scripts' defense via Git dependencies. Malicious '.npmrc' files can override the git binary path, enabling arbitrary code execution even when scripts are disabled. While Bun, pnpm, and vlt patched these flaws, npm rejected the vulnerability report, citing user responsibility for package vetting. Proof-of-concept exploits demonstrate active abuse of this technique. *Update (February 2026)*: A third wave, *SANDWORM_MODE*, deployed 19 new malicious packages (e.g., `claud-code`, `secp256`) under publisher aliases *official334* and *javaorg*. This iteration expands credential theft to include **cryptocurrency keys**, **LLM API tokens** (Anthropic, OpenAI, Mistral, etc.), and **AI coding assistant compromise** via MCP server injection. The attack uses a two-stage payload with a 48-hour delay for deeper persistence, alongside a **polymorphic obfuscation engine** (currently inactive) and a **destructive wiper routine** triggered upon losing GitHub/npm access. Four sleeper packages (e.g., `ethres`, `iru-caches`) were also identified as part of the campaign infrastructure. 
*New Development*: The SANDWORM_MODE campaign spreads via **typosquatting packages** (e.g., `[email protected]` mimicking `supports-color`) and injects **rogue MCP servers** into AI assistant configurations (Claude Desktop, Cursor, VS Code Continue). The malware uses **layered obfuscation** (base64, zlib, AES-256-GCM) and a **three-channel exfiltration cascade**: Cloudflare Worker endpoints, private GitHub repositories, and DNS tunneling. Cloudflare, npm, and GitHub have mitigated the infrastructure, but developers are urged to rotate credentials and audit repositories for unauthorized modifications.

  5. 16.09.2025 23:02 2 articles · 5mo ago

    Shai-Hulud Self-Replication Mechanism Detailed

    The Shai-Hulud worm emerged just days after a broad phishing campaign that spoofed NPM and asked developers to update their multi-factor authentication login options. It was first detected on September 14, 2025, around 17:58 UTC, and briefly compromised at least 25 NPM code packages managed by CrowdStrike. The worm spreads by using stolen NPM authentication tokens, adding its code to the top 20 packages in the victim’s account. It deliberately skips Windows systems, assuming the victim is working in a Linux or macOS environment, and uses the open-source tool TruffleHog to search for exposed credentials and access tokens on the developer’s machine. It then attempts to create new GitHub actions and publish any stolen secrets. The web address used by the attackers to exfiltrate collected data was disabled due to rate limits. The worm's spread seems to have waned in recent hours and has slowed down, but it is still propagating: it can lie dormant and restart the spread if a new victim is infected. Its spread could be significantly reduced by implementing a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method.

  6. 16.09.2025 08:00 4 articles · 5mo ago

    Shai-Hulud Attack Compromises Over 40 npm Packages

  7. 06.09.2025 17:11 1 articles · 5mo ago

    Nx Team Publishes Root Cause Analysis and Adopts New Security Measures

    The Nx team published a root cause analysis detailing the pull request title injection and insecure use of pull_request_target. Nx has adopted NPM's Trusted Publisher model and added manual approval for PR-triggered workflows to prevent future compromises.

  8. 28.08.2025 13:36 5 articles · 6mo ago

    Malicious nx Packages Exfiltrate Credentials in 's1ngularity' Supply Chain Attack


Information Snippets
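
For the PackageGate timeline entry above (a malicious `.npmrc` in a Git dependency overriding the git binary path), the following added example, which is not taken from the cited reports or any vendor tool, lists the dependencies a lockfile pulls from Git and flags any `.npmrc` in a reviewer's checkout that sets npm's `git` option. The function names, the input shape and all sample data are assumptions constructed for illustration.

```javascript
// Added example: hypothetical function names, constructed sample data.
const GIT_RESOLVED = /^(git\+|git:\/\/|github:)/i;

// Parse ini-style .npmrc text into {key, value, line} entries.
function parseNpmrc(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) return; // comment
    const eq = line.indexOf('=');
    if (eq < 1) return; // not a key=value line
    entries.push({
      key: line.slice(0, eq).trim().toLowerCase(),
      value: line.slice(eq + 1).trim().replace(/^["']|["']$/g, ''),
      line: i + 1,
    });
  });
  return entries;
}

// Dependencies that a v2/v3 package-lock.json resolves from Git, not the registry.
function gitDependencies(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path !== '' && GIT_RESOLVED.test(String(meta.resolved || '')))
    .map(([path, meta]) => ({ path, resolved: meta.resolved }));
}

// checkouts: lockfile path -> { relative file path: content }, taken from the
// reviewer's own clone of each repository (assumed input shape).
function auditGitDependencies(lock, checkouts) {
  return gitDependencies(lock).map((dep) => {
    const files = checkouts[dep.path];
    if (!files) return { ...dep, status: 'unreviewed', findings: [] };
    const findings = [];
    for (const [file, text] of Object.entries(files)) {
      if (file.split('/').pop() !== '.npmrc') continue;
      for (const e of parseNpmrc(text)) {
        // npm's `git` option names the command npm runs for git operations.
        if (e.key === 'git') findings.push({ file, line: e.line, value: e.value });
      }
    }
    return { ...dep, status: findings.length ? 'git-override' : 'clean', findings };
  });
}

// Constructed lockfile fragment: one registry dependency, three Git dependencies.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app' },
    'node_modules/left-pad': { resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' },
    'node_modules/internal-utils': { resolved: 'git+ssh://git@example.com/acme/internal-utils.git#0123abc' },
    'node_modules/theme-kit': { resolved: 'git+https://example.com/acme/theme-kit.git#4567def' },
    'node_modules/fork-lib': { resolved: 'git+https://example.com/acme/fork-lib.git#89ab012' },
  },
};

// Constructed checkouts: fork-lib has deliberately not been reviewed yet.
const sampleCheckouts = {
  'node_modules/internal-utils': {
    'package.json': '{}',
    '.npmrc': '; constructed sample\nregistry=https://registry.npmjs.org/\ngit = ./tools/git-wrapper.sh\n',
  },
  'node_modules/theme-kit': { 'package.json': '{}', '.npmrc': 'save-exact=true\n' },
};

const report = auditGitDependencies(sampleLock, sampleCheckouts);
for (const r of report) console.log(r.status.padEnd(12), r.path, JSON.stringify(r.findings));
```

A `git-override` result means the dependency's `.npmrc` should be read by a person before the package is installed anywhere; `unreviewed` entries are Git dependencies for which no checkout was supplied.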

Similar Happenings

Malicious dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malware

Legitimate dYdX-related packages on npm and PyPI have been compromised to distribute malicious versions that steal cryptocurrency wallet credentials and execute remote access trojans (RATs). The compromised packages target JavaScript and Python ecosystems, with different payloads for each. The attack is suspected to involve developer account compromise, allowing threat actors to push malicious updates using legitimate credentials. The affected packages include @dydxprotocol/v4-client-js (npm) versions 3.4.1, 1.22.1, 1.15.2, and 1.0.31, and dydx-v4-client (PyPI) version 1.1.5post1. The malicious code targets core registry files and uses obfuscation techniques to evade detection. Users are advised to isolate affected machines, move funds to new wallets from clean systems, and rotate all API keys and credentials. This incident highlights a persistent pattern of supply chain attacks targeting dYdX-related assets.

341 Malicious ClawHub Skills Target OpenClaw Users with Atomic Stealer

A security audit by Koi Security identified 341 malicious skills on ClawHub, a marketplace for OpenClaw users, which distribute Atomic Stealer malware to steal sensitive data from macOS and Windows systems. The campaign, codenamed ClawHavoc, uses social engineering tactics to trick users into installing malicious prerequisites. The skills masquerade as legitimate tools, including cryptocurrency utilities, YouTube tools, and finance applications. OpenClaw has added a reporting feature and partnered with VirusTotal to scan skills uploaded to ClawHub, providing an additional layer of security for the OpenClaw community. The malware targets API keys, credentials, and other sensitive data, exploiting the open-source ecosystem's vulnerabilities. The campaign coincides with a report from OpenSourceMalware, highlighting the same threat. The intersection of AI agent capabilities and persistent memory amplifies the risks, enabling stateful, delayed-execution attacks. New findings reveal that almost 400 fake crypto trading add-ons in the project behind the viral Moltbot/OpenClaw AI assistant tool can lead users to install information-stealing malware. These add-ons, called skills, masquerade as cryptocurrency trading automation tools and target ByBit, Polymarket, Axiom, Reddit, and LinkedIn. The malicious skills share the same command-and-control (C2) infrastructure, 91.92.242.30, and use sophisticated social engineering to convince users to execute malicious commands that then steal crypto assets like exchange API keys, wallet private keys, SSH credentials, and browser passwords.

Malicious OpenClaw AI Coding Assistant Extension on VS Code Marketplace

A malicious Microsoft Visual Studio Code (VS Code) extension named "ClawdBot Agent - AI Coding Assistant" was discovered on the official Extension Marketplace. The extension, which posed as a free AI coding assistant, stealthily dropped a malicious payload on compromised hosts. The extension was taken down by Microsoft after being reported by cybersecurity researchers. The malicious extension executed a binary named "Code.exe" that deployed a legitimate remote desktop program, granting attackers persistent remote access to compromised hosts. The extension also incorporated multiple fallback mechanisms to ensure payload delivery, including retrieving a DLL from Dropbox and using hard-coded URLs to obtain the payloads. Additionally, security researchers found hundreds of unauthenticated Moltbot instances online, exposing sensitive data and credentials. Moltbot, an open-source personal AI assistant, can run 24/7 locally, maintaining a persistent memory and executing scheduled tasks. However, insecure deployments can lead to sensitive data leaks, corporate data exposure, credential theft, and command execution. Hundreds of Clawdbot Control admin interfaces are exposed online due to reverse proxy misconfiguration, allowing unauthenticated access and root-level system access. More than 230 malicious packages for OpenClaw (formerly Moltbot and ClawdBot) have been published in less than a week on the tool's official registry and on GitHub. These malicious skills impersonate legitimate utilities and inject information-stealing malware payloads onto users' systems, targeting sensitive data like API keys, wallet private keys, SSH credentials, and browser passwords. Users are advised to audit their configurations, revoke connected service integrations, and implement network controls to mitigate potential risks. A self-styled social networking platform built for AI agents, Moltbook, contained a misconfigured database that allowed full read and write access to all data. 
The exposure was due to a Supabase API key exposed in client-side JavaScript, granting unauthenticated access to the entire production database. Researchers accessed 1.5 million API authentication tokens, 30,000 email addresses, and thousands of private messages between agents. The API key exposure allowed attackers to impersonate any agent on the platform, post content, send messages, and interact as that agent. Unauthenticated users could edit existing posts, inject malicious content or prompt injection payloads, and deface the site. SecurityScorecard found 40,214 exposed OpenClaw instances associated with 28,663 unique IP addresses. 63% of observed deployments are vulnerable, with 12,812 instances exploitable via remote code execution (RCE) attacks. SecurityScorecard correlated 549 instances with prior breach activity and 1493 with known vulnerabilities. Three high-severity CVEs in OpenClaw have been discovered, with public exploit code available. OpenClaw instances are at risk of indirect prompt injection and API key leaks, with most exposures located in China, the US, and Singapore. A supply chain attack via the Cline npm package version 2.3.0 installed OpenClaw on users' systems, exploiting a prompt injection vulnerability in Cline's Claude Issue Triage workflow. The compromised Cline package was downloaded approximately 4,000 times over an eight-hour stretch. OpenClaw has broad permissions and full disk access, making it a high-value implant for attackers. Cline released version 2.4.0 to address the issue and revoked the compromised token. The attack affected all users who installed the Cline CLI package version 2.3.0 during an eight-hour window on February 17, 2026. The attack did not impact Cline's Visual Studio Code (VS Code) extension and JetBrains plugin. Cline maintainers released version 2.4.0 to mitigate the unauthorized publication and revoked the compromised token. 
Microsoft Threat Intelligence observed a small but noticeable uptick in OpenClaw installations on February 17, 2026, due to the supply chain compromise. Users are advised to update to the latest version, check their environment for any unexpected installation of OpenClaw, and remove it if not required.

454,000+ Malicious Open Source Packages Discovered in 2026

Researchers reported a surge in malicious open source packages, with 454,648 new malicious packages discovered in 2026. These packages are increasingly used in sustained, industrialized campaigns, often state-sponsored, targeting developer machines and CI/CD pipelines. The threat landscape includes repository abuse, potentially unwanted apps, and multi-stage attacks involving host information exfiltration, droppers, and backdoors. Additionally, AI-assisted development is exacerbating the risk by recommending non-existent versions and failing to check for malicious indicators.

Critical Grist-Core Vulnerability Enables RCE via Spreadsheet Formulas

A critical vulnerability in Grist-Core, an open-source relational spreadsheet-database, allows remote code execution (RCE) through malicious spreadsheet formulas. The flaw, codenamed Cellbreak (CVE-2026-24002, CVSS score: 9.1), enables attackers to execute OS commands or host-runtime JavaScript, collapsing the boundary between cell logic and host execution. The issue stems from a sandbox escape in the Pyodide sandboxing method, which is used for Python formula execution. Grist has released version 1.7.9 to address the vulnerability, and users are advised to update immediately. The vulnerability was uncovered by Cyera Research Labs and affects both managed SaaS and self-hosted environments, increasing the impact of the flaw. Grist adoption includes government, higher-education organizations, and commercial teams in marketing and game design.