Find notable cyber news and cases, enriched with sources, timelines, and signals.

Malicious npm packages @automagik/genie and pgserve self-propagating malware

Malware Activity
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

Malicious npm packages are distributing credential-stealing malware that runs during installation and self-propagates across developer ecosystems, raising supply-chain compromise risk. The activity involves @automagik/genie and pgserve, both tied to developer tooling workflows. The malware also reaches toward PyPI propagation and uses blockchain-hosted C2 infrastructure. It can expose cloud credentials, CI/CD tokens, SSH keys, and wallet data, broadening the impact beyond a single package compromise.

Related Happenings

Malicious npm and PyPI payment SDK typosquat packages

Malware Activity
H score40 First: 09.07.2026 18:09 Last: 09.07.2026 18:09 Sources 1

About this happening: The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...

Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware

Malware Activity
H score37 First: 08.07.2026 22:54 Last: 08.07.2026 22:54 Sources 1

About this happening: Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity

Malware Activity
H score36 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...

Deps credential stealer in hijacked Arch AUR builds

Malware Activity
H score3 First: 12.06.2026 22:24 Last: 12.06.2026 22:24 Sources 1

About this happening: **Atomic Arch** is a **malware activity** that hijacked **more than 400 Arch User Repository (AUR) packages** on or after **June 11** and rewrote their build scripts to run **npm...

Timeline

  1. 24.04.2026 11:10 2 articles · 2mo ago

    Socket identifies malicious npm packages

    Initial Disclosure

    Socket identified malicious npm packages affecting developer tooling workflows, including multiple versions of @automagik/genie and pgserve, that execute during installation, steal credentials and secrets, harvest cloud credentials, CI/CD tokens, SSH keys, .npmrc data, browser-stored information, and wallet data, and attempt self-propagation by republishing compromised packages and extending toward PyPI via .pth file injection.

    Show sources