Npm supply-chain worm that steals publishing tokens and self-propagates
Malware Activity
Summary
Hide ▲
Show ▼
A new npm supply-chain worm is stealing developer publishing tokens and using them to self-propagate through republished packages, creating the risk of broader compromise across software distribution. The malicious code can also exfiltrate API keys, SSH keys, and other secrets from developer environments. StepSecurity says the same behavior can extend into PyPI when Python credentials are present.
Related Happenings
Malware-Slop malicious npm file-theft campaign
Campaign
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...
Malware-Slop malicious npm file-theft campaign
CampaignAbout this happening: The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...
TrapDoor trap-core.js credential-stealing package malware
Malware Activity
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
TrapDoor trap-core.js credential-stealing package malware
Malware ActivityAbout this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
Laravel Lang organization hit by network compromise
Incident
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...
Laravel Lang organization hit by network compromise
IncidentAbout this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware Activity
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
Laravel Lang credential-stealer dropper delivered through malicious Composer packages
Malware ActivityAbout this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...
Laravel-Lang PHP package supply-chain credential-stealing campaign
Campaign
First: 23.05.2026 12:51
Last: 23.05.2026 12:51
Sources 1
About this happening:
A **software supply-chain campaign** hit **multiple Laravel-Lang PHP packages**, putting consumers at risk of **credential theft** through tampered release tags. Malicious version...
Laravel-Lang PHP package supply-chain credential-stealing campaign
CampaignAbout this happening: A **software supply-chain campaign** hit **multiple Laravel-Lang PHP packages**, putting consumers at risk of **credential theft** through tampered release tags. Malicious version...
Timeline
-
22.04.2026 15:57 2 articles · 1mo ago
Npm supply-chain worm that steals publishing tokens and self-propagates
Initial DisclosureThe first malicious **pgserve** releases appeared on **April 21, 2026 at 22:14 UTC**, followed by additional infected versions later the same day. The earliest phase centered on compromised publishing tokens that let the worm republish tainted packages immediately.
Show sources
- New npm supply-chain attack self-spreads to steal auth tokens — www.bleepingcomputer.com — 22.04.2026 15:57
- New npm supply-chain attack self-spreads to steal auth tokens — www.bleepingcomputer.com — 22.04.2026 15:57