Malicious NuGet supply-chain campaign targeting crypto tools and Google Ads OAuth
Campaign
Summary
Hide ▲
Show ▼
14 malicious NuGet packages were published to impersonate crypto tooling and redirect funds or steal private keys, seed phrases, and Google Ads OAuth data, creating a supply-chain risk for developers. The packages were uploaded from eight different accounts and were designed to activate when installed and embedded in other applications. Some payloads redirected transfers to attacker-controlled wallets when the amount exceeded $100. The campaign dates back to July 2025.
Related Happenings
Red Hat npm Namespace Hijacked in Supply Chain hit by cyberattack
Incident
H score13
First: 01.06.2026 20:40
Last: 01.06.2026 20:40
Sources 1
About this happening:
**Red Hat's** official npm namespace was hijacked in a **supply chain attack** that republished **32 packages** in the **@redhat-cloud-services** scope on **June 1**; the maliciou...
Red Hat npm Namespace Hijacked in Supply Chain hit by cyberattack
IncidentAbout this happening: **Red Hat's** official npm namespace was hijacked in a **supply chain attack** that republished **32 packages** in the **@redhat-cloud-services** scope on **June 1**; the maliciou...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
H score56
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Famous Chollima PromptMink supply-chain campaign targeting Web3 developers
Campaign
H score44
First: 29.04.2026 17:43
Last: 29.04.2026 17:43
Sources 1
About this happening:
The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....
Famous Chollima PromptMink supply-chain campaign targeting Web3 developers
CampaignAbout this happening: The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....
Ghost campaign malicious npm supply-chain operation
Campaign
H score38
First: 24.03.2026 16:30
Last: 24.03.2026 16:30
Sources 1
About this happening:
A **malicious npm supply-chain campaign** dubbed **"Ghost campaign"** is using **fake installation logs** to conceal malware delivery, increasing the chance that package installer...
Ghost campaign malicious npm supply-chain operation
CampaignAbout this happening: A **malicious npm supply-chain campaign** dubbed **"Ghost campaign"** is using **fake installation logs** to conceal malware delivery, increasing the chance that package installer...
Graphalgo malicious npm and PyPI RAT downloader packages
Malware Activity
H score31
First: 14.02.2026 00:35
Last: 14.02.2026 00:35
Sources 1
About this happening:
**Graphalgo** is a continuing **malware-delivery operation** that uses **fake companies**, **fake job interviews**, and **coding tests** to lure **JavaScript and Python developers...
Graphalgo malicious npm and PyPI RAT downloader packages
Malware ActivityAbout this happening: **Graphalgo** is a continuing **malware-delivery operation** that uses **fake companies**, **fake job interviews**, and **coding tests** to lure **JavaScript and Python developers...
Latest development: 29.04.2026 17:43
North Korean graphalgo operators use fake companies, fake job interviews, and coding tests on job-seeking platforms and social networks to lure developers into downloading GitHub-hosted assessment projects that carry malicious npm or PyPI dependencies and ultimately install a RAT. One front company, Blocmerce, registered an LLC in Florida in August 2025, and related GitHub organizations have been active since June 2025.
Timeline
-
22.12.2025 18:28 2 articles · 6mo ago
ReversingLabs discloses malicious NuGet packages targeting crypto tools and Google Ads OAuth
Campaign Scope UpdateReversingLabs disclosed 14 malicious NuGet packages published from eight different accounts that impersonate Nethereum and other cryptocurrency-related tools, redirect transaction funds to attacker-controlled wallets when transfers exceed $100, or exfiltrate private keys, seed phrases, and Google Ads OAuth data. The campaign dates back to July 2025 and uses package installation and embedding in developer applications to trigger the payloads.
Show sources
- Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens — thehackernews.com — 22.12.2025 18:28
- Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens — thehackernews.com — 22.12.2025 18:28