
Npmjs[.]help phishing campaign targeting package maintainers

Campaign · Happening score 37 · 1 unique source, 1 article

Summary


A phishing campaign using support [at] npmjs [dot] help is targeting package maintainers and developers, trying to steal credentials and enable upstream package compromise. The same lure was reused across multiple recipients, expanding the operation beyond a single account takeover. The fake 2FA update notice and September 10, 2025 lock threat increase the chance of successful credential theft.

Related Happenings

WAVESHAPER.V2 trojanized Axios npm packages

Malware Activity
First: 03.04.2026 14:04 Last: 03.04.2026 14:04 Sources 1

About this happening: The **WAVESHAPER.V2** implant was embedded in **trojanized Axios npm package releases**, creating downstream supply-chain risk for **npm users**. The malicious code was published...

UNC1069 Axios npm supply-chain campaign targeting build pipelines

Campaign
First: 01.04.2026 10:44 Last: 01.04.2026 10:44 Sources 1

About this happening: The **Axios npm supply-chain compromise** has been tied to **UNC1069**, putting **npm consumers** and downstream **build pipelines** at risk from trojanized releases. Attackers se...

Latest development: 13.04.2026 20:39

OpenAI is revoking and rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a compromised Axios package version 1.14.1 during a March 31, 2026 supply-chain attack. The workflow had access to certificates used to sign ChatGPT Desktop, Codex, Codex CLI, and Atlas, and OpenAI says it found no evidence that user data, systems, intellectual property, or the signing certificate were compromised.

GlassWorm multi-stage data-theft malware evolution

Malware Activity
First: 25.03.2026 16:26 Last: 25.03.2026 16:26 Sources 1

About this happening: The **GlassWorm** malware family has evolved into a **multi-stage** payload chain that steals browser data and crypto-wallet information, increasing risk for **Windows** and **mac...

CanisterWorm self-propagation across npm packages

Malware Activity
First: 21.03.2026 09:28 Last: 21.03.2026 09:28 Sources 1

About this happening: A **self-propagating npm supply-chain worm** tracked as **CanisterSprawl** is abusing **stolen developer npm tokens** to spread through compromised packages. **Socket** and **Step...

PhantomRaven npm supply-chain campaign

Campaign
First: 11.03.2026 19:09 Last: 11.03.2026 19:09 Sources 1

About this happening: **PhantomRaven** is an active **npm supply-chain campaign** that began in **August 2025** and has grown to **126 npm libraries** with **more than 86,000 installs**. The packages h...

Timeline

  1. 08.09.2025 19:47 2 articles · 8mo ago

    Phishing campaign compromises npm maintainer and injects malware into packages

    Initial Disclosure

    A phishing campaign using support [at] npmjs [dot] help impersonated npm security and targeted package maintainers and developers, including Josh Junon (qix). The account takeover enabled malware injection into npm packages with over 2.6 billion weekly downloads; the malicious code in packages such as debug acts as a browser-based interceptor that hooks fetch, XMLHttpRequest, and wallet APIs to rewrite crypto and web3 payment destinations to attacker-controlled addresses.
