Find notable cyber news and cases, enriched with sources, timelines, and signals.

Inactive maintainer account 'atiertant' hit by network compromise

Incident
First reported
Last updated
Happening score
H score 13
1 unique sources, 1 articles

Summary

Hide ▲

The inactive maintainer account 'atiertant' for node-ipc was compromised, enabling malicious package releases that could steal credentials from downstream installations. Researchers confirmed [email protected], [email protected], and [email protected] as malicious. The compromise turned a trusted npm publishing path into a supply-chain risk for developers using the package.

Related Happenings

Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware

Malware Activity
H score37 First: 08.07.2026 22:54 Last: 08.07.2026 22:54 Sources 1

About this happening: Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...

Mastra @mastra/* npm packages hit by network compromise

Incident
H score47 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...

Latest development: 20.06.2026 17:09

Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.

Npm v12 default-blocks install scripts, Git dependencies, and remote URLs

Security Tool/Service
H score11 First: 12.06.2026 16:00 Last: 12.06.2026 16:00 Sources 1

About this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...

IronWorm npm supply-chain infection and self-propagation

Malware Activity
H score15 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score69 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Timeline

  1. 15.05.2026 20:10 2 articles · 1mo ago

    Compromised node-ipc publishing account enables malicious npm releases

    Initial Disclosure

    The inactive maintainer account 'atiertant' for node-ipc was compromised, allowing newly published npm versions [email protected], [email protected], and [email protected] to carry credential-stealing malware that runs from node-ipc.cjs and was detected by application security researchers.

    Show sources