// #npm
12 articles
Miasma / Shai Hulud Supply Chain Campaign: 100+ npm and PyPI Packages Compromised Including Red Hat Namespace
Security researchers have attributed a coordinated software supply chain attack to a threat cluster tracked as Miasma (also Shai Hulud), which compromised over 100 packages across npm and PyPI by stealing publisher credentials and injecting malicious code. The campaign reached the official Red Hat npm namespace, exposing organisations that rely on internal package mirror strategies as a security control.
CISA Adds Three Developer Toolchain Supply-Chain Attacks to KEV — DAEMON Tools, TanStack Query, Nx Console Compromised
CISA added three software supply-chain vulnerabilities to the Known Exploited Vulnerabilities catalogue on 27 May: CVE-2026-8398 (DAEMON Tools signed installer trojanised), CVE-2026-45321 (TanStack Query malicious npm package), and CVE-2026-48027 (Nx Console VS Marketplace extension backdoored). All three are attributed to TeamPCP's 'Mini Shai-Hulud' campaign targeting developer workstations.
TeamPCP 'Mini Shai-Hulud': Inside the Developer Toolchain Attack Campaign Now on CISA KEV
TeamPCP's simultaneous compromise of three developer toolchain components — a code-signed installer, an npm package, and a VS Code extension — follows a refined methodology the group has been developing across multiple 2026 campaigns. The technical approach explains why these attacks reach environments that are otherwise well-defended.
TanStack npm Supply Chain Attack: GitHub Actions OIDC Token Hijack Used to Publish 84 Malicious Package Versions
Attackers exploited a GitHub Actions misconfiguration in the TanStack project to publish 84 malicious versions of popular React ecosystem packages to the npm registry. The attack chained a Pwn Request misconfiguration, workflow cache poisoning, and runtime OIDC token theft to operate under TanStack's trusted publisher identity.
pnpm 11 Defaults to 24-Hour Package Age Minimum — Blocking Automated Post-Publish Supply Chain Attacks
pnpm 11, released this week, introduces a package quarantine feature that by default blocks installation of any npm package published within the past 24 hours. The control targets the automated post-publish compromise pattern used by TeamPCP, CanisterSprawl, and similar supply chain threat actors who publish malicious package versions and immediately trigger mass installation before defenders can respond. It is the most substantive supply-chain-defensive default configuration added to a package manager since npm's provenance attestation.
QLNX Linux RAT Harvests Developer Credentials to Enable Malicious Package Publishing on npm and PyPI
Trend Micro researchers have identified QLNX (Quasar Linux), a Linux-targeting remote access trojan specifically designed to harvest developer credentials — npm tokens, PyPI upload credentials, AWS IAM keys, Docker registry credentials, and GitHub CLI tokens — from developer workstations. The harvested credentials are then used to publish malicious packages to npm and PyPI under the compromised developer's identity, enabling second-stage supply chain attacks against the developer's downstream users.
DPRK Scales npm Malware Campaign With AI-Generated Code, Fake Tech Firms, and Remote RAT Deployment
North Korean threat actors have launched a new wave of npm supply chain attacks using AI-generated malicious package code that bypasses static analysis tools, fake software development firms as cover identities, and a multi-stage RAT that exfiltrates source code, cryptographic keys, and credentials from developer workstations. The campaign targets blockchain, DeFi, and fintech developers — organisations in these sectors should audit npm dependencies and developer machine security.
Official SAP npm Packages Compromised to Steal Enterprise Developer Credentials
Threat actors compromised official SAP npm packages to insert credential-harvesting code targeting enterprise developers working on SAP integration projects. The malicious packages exfiltrate environment variables, SSH keys, and cloud credentials from developer workstations. Enterprise teams using SAP npm packages in their CI/CD pipelines should audit package integrity and rotate potentially exposed credentials.
DPRK's Sapphire Sleet Backdoors Axios npm Package: 100 Million Weekly Downloads at Risk
North Korea's Sapphire Sleet compromised an axios npm maintainer account on March 31, publishing backdoored versions 1.14.1 and 0.30.4 that delivered a cross-platform RAT during a three-hour exposure window. Axios has approximately 100 million weekly downloads. CISA issued Advisory AA26-110A on April 20 — organisations that ran npm installs during the window should treat their CI/CD pipeline as compromised and rotate all secrets immediately.
CanisterSprawl: Self-Propagating npm Worm Steals Developer Credentials and Re-Infects Package Ecosystems
Researchers discovered CanisterSprawl, a self-propagating npm supply chain worm attributed to TeamPCP that compromised at least 16 packages including pgserve and @automagik/genie. A postinstall hook harvests npm tokens, cloud credentials, SSH keys, and AI tool configs, exfiltrating to a blockchain canister before using stolen tokens to inject the worm into every other package owned by the compromised developer. Organisations should audit postinstall scripts and rotate all credentials from affected development environments.
TeamPCP Supply Chain Campaign Expands to npm and Docker Hub — Bitwarden CLI and Checkmarx KICS Both Backdoored
The TeamPCP supply chain threat group has extended its campaign beyond GitHub Actions and PyPI to poison the @bitwarden/cli npm package and overwrite Checkmarx KICS Docker images and VS Code extensions. The campaign now spans four developer distribution channels across six weeks, deploying a self-propagating worm that exfiltrates SSH keys, cloud credentials, and MCP configuration files from compromised developer environments.
DPRK's Contagious Interview Campaign Spreads 1,700+ Malicious Packages Across Five Ecosystems
North Korea's UNC1069 (BlueNoroff) threat group has expanded its Contagious Interview supply chain operation to five package registries — npm, PyPI, Go Modules, crates.io, and Packagist — publishing more than 1,700 malicious packages that deliver a cross-platform infostealer and RAT. The operation is the largest coordinated open-source supply chain attack attributed to a nation-state actor.
Commentary tagged #npm
Developer Toolchains Are the New Perimeter — and the Industry Has Not Accepted It
Simultaneous CISA KEV additions for three developer toolchain compromises in one campaign makes the case explicitly: the software supply chain attack surface runs through the tools developers use, not just the code they write. The security industry is still catching up.
CipherWatch Editorial
Security Intelligence Platform
Developer Credentials Are the New Supply Chain Entry Point and the Industry Has Not Caught Up
QLNX's Linux RAT specifically harvests npm tokens, PyPI credentials, and cloud provider keys to enable malicious package publishing under the compromised developer's identity. This is not a new threat — it is a threat that has been escalating systematically for three years while the defensive response has been fragmented. The combination of credential-based package publishing and minimal post-publish scrutiny makes the developer credential the most valuable initial access target in software supply chain attacks.
CipherWatch Editorial
Security Intelligence Platform
AI Didn't Make Attackers Smarter — It Removed the Barrier That Was Keeping Them Small
DPRK's AI-generated npm malware campaign is not remarkable because AI made it more sophisticated. It's remarkable because AI let a small team produce something that would previously have required many more people to build and maintain. The scale constraint on supply chain attacks has just changed fundamentally.
CipherWatch Editorial
Security Intelligence Platform
Lockfiles Don't Protect You When the Maintainer Is the Threat
Three npm supply chain attacks in a single week — Axios, @bitwarden/cli, and CanisterSprawl — have been met with the same industry response: update your lockfile. This is wrong. When the original maintainer account is compromised, a new legitimate-signed version is published, and lockfiles pin to whatever is current, the entire model breaks down. The industry is treating a trust infrastructure failure as a dependency hygiene problem.
CipherWatch Editorial
Security Intelligence Platform
TeamPCP Has Now Hit Every Developer Distribution Channel. The Pipeline Is the Perimeter.
In six weeks, one supply chain threat group has successfully backdoored GitHub Actions, PyPI, npm, Docker Hub, and the VS Code Marketplace. The security industry's response has been to treat each incident as a separate patching problem. It isn't. It's a systematic demonstration that the developer distribution stack has no defence-in-depth, and that the security controls the industry has built — SCA, SBOM, SAST — operate at entirely the wrong layer.
CipherWatch Editorial
Security Intelligence Platform