Your engineering team loves AI, and the bad guys do too

Malicious lifecycle hooks exfiltrated GitHub tokens, npm publish credentials, AWS/Azure/GCP keys, Kubernetes configs, and environment variables from developer machines and CI/CD runners. The malware persists long after the infected package is removed: by writing itself into .claude/settings.json and .vscode/tasks.json, it re-executes every time a developer uses Claude Code or opens VS Code in the affected project directory. npm uninstall does not fix this. The novel deadman's switch makes standard incident response ineffective: rotating compromised credentials — the first thing any security team does — triggers automatic deletion of the developer's entire home directory, turning remediation into a destructive event. This is the first documented npm worm to ship with valid, attacker-generated SLSA provenance. The malicious packages were signed by TanStack's own CI pipeline, meaning cryptographic provenance (a signal defenders rely on to distinguish legitimate packages from tampered ones) provided no protection here. The deliberate targeting of @mistralai, @uipath, and AI tooling broadly signals this campaign's focus on AI development pipelines.

intercom-client has 1.3M monthly downloads and is embedded in customer communication stacks across thousands of companies. The credential harvester targeted Kubernetes configs, Vault secrets, and cloud credentials from AWS, GCP, and Azure, meaning a single infected install could expose an organization's entire cloud infrastructure. The attack also erodes trust in Intercom's SDK as a dependency, forcing security teams to audit and re-approve a package many had long considered safe.

Developer secrets, API keys, and database credentials stored in environment files were exfiltrated. The maintainer had previously demanded $10,000 from TanStack, suggesting extortion as a motive. TanStack has filed trademark infringement documents.

The compromised packages collectively receive 2.25M+ monthly downloads and are core components of SAP's Cloud Application Programming Model. Developer credentials, GitHub/npm tokens, GitHub Actions secrets, and cloud secrets from AWS, Azure, GCP, and Kubernetes were harvested. SAP superseded all four packages with clean releases within ~4 hours.

Elementary-data has 1.1M monthly downloads. The signed, legitimate-looking release made detection difficult. Any developer who installed v0.23.3 should assume all local credentials were exfiltrated.

Axios has 300M+ monthly downloads and is one of the most-used npm packages globally. Microsoft attributed the attack to North Korean state actors, elevating it to a national security concern. Full extent of damage not known.

Telnyx SDK has 790K monthly downloads. The malware harvested environment variables, SSH keys, cloud credentials, Kubernetes data, Docker configs, and database passwords from affected systems.

LiteLLM has 280M+ monthly downloads and is widely used in AI/ML pipelines. Any credentials on affected machines should be considered compromised, including cloud provider tokens and database passwords.

Compromised developer machines had npm tokens, cloud credentials, SSH keys, and crypto wallet data (MetaMask, Phantom, Solana, Ethereum) exfiltrated. C2 built on ICP blockchain cannot be taken down through conventional means.

Compromised credentials became the launchpad for CanisterWorm, LiteLLM, and Telnyx attacks. It’s been confirmed that dozens of companies have had their data stolen, including Mercor AI and Cisco that had theirs held for ransom.

Funds were drained from affected wallets. This was dYdX's third supply chain incident (following a 2022 npm compromise and 2024 DNS hijack), severely eroding developer trust in the protocol's distribution channels.

The cryptominer functioned as a general-purpose loader capable of fetching arbitrary second-stage code. Available on PyPI for 7 days (Jan 17-24) before removal. Spoofed metadata made it appear identical to the official library.

Trust Wallet was breached in Dec 2025, and $8.5M in crypto was drained from 2,520 wallets. Nearly 300K credentials (3,760 confirmed valid) were publicly exposed, with Zapier, Postman, and PostHog suffering brand damage.

Malicious code reached ~10% of cloud environments within the 2-hour exposure window. chalk (299M/week) and debug (47M/week) are among the most foundational packages in the JavaScript ecosystem. Full list of impacted packages totaled 2.6B+ combined weekly downloads.

More than 11,500 developers installed this malicious package with zero documentation or description. Three-year dwell time demonstrates how long malicious packages can survive on public registries without community detection. Attackers gained access to Discord bot tokens, user data, and server information.

Initially targeted Coinbase before expanding broadly. Affected repositories led to a cascade of credential-based follow-on attacks.