Npm supply-chain worm that steals publishing tokens and self-propagates
Malware Activity
Summary
Hide ▲
Show ▼
A new npm supply-chain worm is stealing developer publishing tokens and using them to self-propagate through republished packages, creating the risk of broader compromise across software distribution. The malicious code can also exfiltrate API keys, SSH keys, and other secrets from developer environments. StepSecurity says the same behavior can extend into PyPI when Python credentials are present.
Related Happenings
Malicious npm and PyPI payment SDK typosquat packages
Malware Activity
H score40
First: 09.07.2026 18:09
Last: 09.07.2026 18:09
Sources 1
About this happening:
The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...
Malicious npm and PyPI payment SDK typosquat packages
Malware ActivityAbout this happening: The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...
Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware
Malware Activity
H score37
First: 08.07.2026 22:54
Last: 08.07.2026 22:54
Sources 1
About this happening:
Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...
Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware
Malware ActivityAbout this happening: Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...
Rollup polyfill npm package malware activity for remote access and data theft
Malware Activity
H score16
First: 03.07.2026 19:07
Last: 03.07.2026 19:07
Sources 1
About this happening:
**Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Rollup polyfill npm package malware activity for remote access and data theft
Malware ActivityAbout this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware Activity
H score30
First: 29.06.2026 08:36
Last: 29.06.2026 08:36
Sources 1
About this happening:
Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware ActivityAbout this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Deps credential stealer in hijacked Arch AUR builds
Malware Activity
H score3
First: 12.06.2026 22:24
Last: 12.06.2026 22:24
Sources 1
About this happening:
**Atomic Arch** is a **malware activity** that hijacked **more than 400 Arch User Repository (AUR) packages** on or after **June 11** and rewrote their build scripts to run **npm...
Deps credential stealer in hijacked Arch AUR builds
Malware ActivityAbout this happening: **Atomic Arch** is a **malware activity** that hijacked **more than 400 Arch User Repository (AUR) packages** on or after **June 11** and rewrote their build scripts to run **npm...
Timeline
-
22.04.2026 15:57 2 articles · 2mo ago
Npm supply-chain worm that steals publishing tokens and self-propagates
Initial DisclosureThe first malicious **pgserve** releases appeared on **April 21, 2026 at 22:14 UTC**, followed by additional infected versions later the same day. The earliest phase centered on compromised publishing tokens that let the worm republish tainted packages immediately.
Show sources
- New npm supply-chain attack self-spreads to steal auth tokens — www.bleepingcomputer.com — 22.04.2026 15:57
- New npm supply-chain attack self-spreads to steal auth tokens — www.bleepingcomputer.com — 22.04.2026 15:57