NPM maintainer password-reset phishing campaign
Campaign
Summary
A password-reset phishing campaign compromised NPM maintainer access and pushed malicious package updates into widely used software dependencies. The operation reached roughly 10% of cloud environments during a two-hour download window, amplifying downstream risk across JavaScript and Node.js systems. The payload redirected Ethereum and Solana signing requests to attacker-controlled wallets, turning trusted packages into crypto-theft tools. The same phishing activity also affected the DuckDB maintainer account.
Related Happenings
Mini Shai-Hulud SAP-related npm supply-chain campaign
Campaign
First: 29.04.2026 19:26
Last: 29.04.2026 19:26
Sources 1
About this happening:
A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...
Latest development: 12.05.2026 11:50
Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.
Malicious npm packages @automagik/genie and pgserve self-propagating malware
Malware Activity
First: 24.04.2026 11:10
Last: 24.04.2026 11:10
Sources 1
About this happening:
**Malicious npm packages** are distributing **credential-stealing malware** that runs during installation and **self-propagates** across developer ecosystems, raising supply-chain...
Npm supply-chain worm that steals publishing tokens and self-propagates
Malware Activity
First: 22.04.2026 15:57
Last: 22.04.2026 15:57
Sources 1
About this happening:
A **new npm supply-chain worm** is stealing **developer publishing tokens** and using them to **self-propagate** through republished packages, creating the risk of broader comprom...
GlassWorm multi-stage data-theft malware evolution
Malware Activity
First: 25.03.2026 16:26
Last: 25.03.2026 16:26
Sources 1
About this happening:
The **GlassWorm** malware family has evolved into a **multi-stage** payload chain that steals browser data and crypto-wallet information, increasing risk for **Windows** and **mac...
GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX
Malware Activity
First: 17.03.2026 23:42
Last: 17.03.2026 23:42
Sources 1
About this happening:
**GlassWorm** returned in a **new coordinated supply-chain attack** that compromised **433 components** across **GitHub, npm, and VSCode/OpenVSX**, creating a broad software-distr...
Latest development: 28.04.2026 00:41
GlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.
Timeline
10.09.2025 20:56 2 articles · 8mo ago
Password-reset phishing compromises NPM maintainer Josh Junon and pushes crypto-stealing updates
Initial Disclosure: Password-reset phishing against NPM maintainer Josh Junon (qix) led to malicious updates for chalk and debug-js, and the same campaign also affected DuckDB’s maintainer account. The injected browser payload redirected Ethereum and Solana signing requests to attacker-controlled wallet addresses, while Wiz said the malicious versions reached 1 in 10 cloud environments during a 2-hour window before removal.
- Hackers left empty-handed after massive NPM supply-chain attack — www.bleepingcomputer.com — 10.09.2025 20:56