MUT-4831 Vidar Stealer npm supply-chain campaign
Campaign
Summary
A MUT-4831 supply-chain campaign pushed 17 npm packages that masqueraded as SDKs and silently delivered Vidar Stealer, expanding theft risk through the npm registry. The packages were downloaded at least 2,240 times before takedown, showing measurable reach before removal. The operation relied on postinstall scripts and external ZIP downloads to execute the payload.
Related Happenings
Packagist package.json hook supply chain attack campaign
Campaign
First: 23.05.2026 19:07
Last: 23.05.2026 19:07
Sources 1
About this happening:
A **coordinated supply chain attack campaign** compromised **eight Packagist packages**, creating repeat execution risk for projects that install the affected versions. The malici...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
ZiChatBot PyPI supply-chain malware delivery
Malware Activity
First: 07.05.2026 12:20
Last: 07.05.2026 12:20
Sources 1
About this happening:
A **PyPI supply-chain attack** used **three packages** to quietly deliver **ZiChatBot**, creating a cross-platform malware risk for **Windows and Linux** installs. The packages we...
Mini Shai-Hulud SAP-related npm supply-chain campaign
Campaign
First: 29.04.2026 19:26
Last: 29.04.2026 19:26
Sources 1
About this happening:
A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...
Latest development: 12.05.2026 11:50
Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.
Timeline
- 07.11.2025 08:48 · 1 article
MUT-4831 Vidar packages first flagged
Detection IoC Update: Security researchers first flagged malicious npm packages tied to MUT-4831 on October 21, 2025; the packages masqueraded as benign SDKs and were engineered to install Vidar Stealer through a package-install chain.
Sources:
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- 07.11.2025 08:48 · 1 article
MUT-4831 uploads continue on npm
Campaign Scope Update: Additional uploads tied to the same Vidar Stealer supply-chain campaign were recorded on October 22, 2025, extending the malicious npm registry activity under the same cluster.
Sources:
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- 07.11.2025 08:48 · 1 article
MUT-4831 adds more npm uploads
Campaign Scope Update: Further uploads linked to the same malicious npm package cluster were recorded on October 26, 2025, keeping the Vidar Stealer delivery activity active before takedown.
Sources:
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- 07.11.2025 08:48 · 2 articles
Vidar Stealer npm campaign disclosed
Initial Disclosure: Datadog Security Labs disclosed 17 npm packages that masqueraded as SDKs but used postinstall scripts to download ZIP archives from bullethost[.]cloud and execute Vidar Stealer, marking the first time the stealer had been distributed via the npm registry.
Sources:
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48
- Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities — thehackernews.com — 07.11.2025 08:48