NPM package supply-chain compromise with crypto-intercepting malware
Malware Activity
Summary
A brief NPM supply-chain compromise injected malicious software into at least 18 JavaScript packages, creating a crypto-payment hijacking risk for websites and apps that depend on them. The packages are downloaded more than two billion times each week, so the tampering had potentially massive downstream reach. The payload intercepted browser cryptocurrency activity, rewrote wallet interactions, and redirected payments to attacker-controlled accounts. The compromise was reportedly contained within hours, but it showed how a single maintainer phishing hit can ripple across the software ecosystem.
Related Happenings
RoshniNaveenaS's account hit by network compromise
Incident
First: 29.04.2026 19:26
Last: 29.04.2026 19:26
Sources 1
About this happening:
The **RoshniNaveenaS** account was **compromised**, enabling attackers to publish malicious **@cap-js** releases without provenance and putting downstream **npm** consumers at ris...
Malicious npm packages @automagik/genie and pgserve self-propagating malware
Malware Activity
First: 24.04.2026 11:10
Last: 24.04.2026 11:10
Sources 1
About this happening:
**Malicious npm packages** are distributing **credential-stealing malware** that runs during installation and **self-propagates** across developer ecosystems, raising supply-chain...
WAVESHAPER.V2 trojanized Axios npm packages
Malware Activity
First: 03.04.2026 14:04
Last: 03.04.2026 14:04
Sources 1
About this happening:
The **WAVESHAPER.V2** implant was embedded in **trojanized Axios npm package releases**, creating downstream supply-chain risk for **npm users**. The malicious code was published...
UNC1069 Axios npm supply-chain campaign targeting build pipelines
Campaign
First: 01.04.2026 10:44
Last: 01.04.2026 10:44
Sources 1
About this happening:
The **Axios npm supply-chain compromise** has been tied to **UNC1069**, putting **npm consumers** and downstream **build pipelines** at risk from trojanized releases. Attackers se...
Latest development: 13.04.2026 20:39
OpenAI is revoking and rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a compromised Axios package version 1.14.1 during a March 31, 2026 supply-chain attack. The workflow had access to certificates used to sign ChatGPT Desktop, Codex, Codex CLI, and Atlas, and OpenAI says it found no evidence that user data, systems, intellectual property, or the signing certificate were compromised.
TeamPCP supply-chain credential-exploitation campaign
Campaign
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
The **TeamPCP** campaign now includes a confirmed **GitHub** compromise tied to a poisoned **Nx Console VS Code extension**. GitHub said the breach of its internal repositories ca...
Latest development: 12.05.2026 01:03
TeamPCP compromised the Checkmarx Jenkins AST plugin by publishing a rogue version to repo.jenkins-ci.org on May 9, 2026, outside the official release pipeline. The malicious upload was tied to access to Checkmarx GitHub repositories and was used to deliver credential-stealing malware and malicious code to the affected organization.
Timeline
- 09.09.2025 01:53 · 1 article · 8mo ago
Phished maintainer account pushes crypto-intercepting NPM malware
Exploitation Observed: A phished maintainer account was used to push malicious updates into at least 18 popular JavaScript packages on NPM, and the injected code silently intercepted browser cryptocurrency activity, manipulated wallet interactions, and rewrote payment destinations to attacker-controlled accounts.
Sources:
- 18 Popular Code Packages Hacked, Rigged to Steal Crypto — krebsonsecurity.com — 09.09.2025 01:53
- 09.09.2025 01:53 · 2 articles · 8mo ago
Aikido flags malicious code in at least 18 NPM libraries
Initial Disclosure: Aikido's monitoring systems found malicious code in at least 18 widely used NPM libraries and notified maintainer Josh Junon through Bsky. Junon confirmed he had been phished, and the compromise was contained within hours.
Sources:
- 18 Popular Code Packages Hacked, Rigged to Steal Crypto — krebsonsecurity.com — 09.09.2025 01:53
- 18 Popular Code Packages Hacked, Rigged to Steal Crypto — krebsonsecurity.com — 09.09.2025 01:53