Malicious npm packages @automagik/genie and pgserve self-propagating malware

Malware Activity
H score 42
1 unique source, 1 article

Summary

Malicious npm packages are distributing credential-stealing malware that runs during installation and self-propagates across developer ecosystems, raising the risk of supply-chain compromise. The activity involves @automagik/genie and pgserve, both tied to developer tooling workflows. The malware also attempts to propagate to PyPI and uses blockchain-hosted C2 infrastructure. It can expose cloud credentials, CI/CD tokens, SSH keys, and wallet data, so the impact extends beyond a single package compromise.

Timeline

  1. 24.04.2026 11:10 · 2 articles

    Socket identifies malicious npm packages

    Initial Disclosure

    Socket identified malicious npm packages affecting developer tooling workflows, including multiple versions of @automagik/genie and pgserve. The packages execute during installation and steal credentials and secrets, harvesting cloud credentials, CI/CD tokens, SSH keys, .npmrc data, browser-stored information, and wallet data. They also attempt self-propagation by republishing compromised packages and by extending toward PyPI via .pth file injection.
