Login

u/BattleRemote3157

▲ 6 r/developers

314 npm packages just got compromised, 271 @antv, echarts-for-react, size-sensor, timeago.js

atool maintainer account got hacked, and attacker pushed 631 malicious versions across 314 packages in 22 minutes. another day and another attack. it steals everything like AWS keys, GitHub tokens, npm creds, SSH keys, database strings, docker configs, kubernetes tokens. If you have docker socket exposed, it escapes the container with privileged access.

How to check is look for versions published on 2026-05-19 between 01:44-02:06 UTC. Payload SHA256: a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c

If you got hit then rotate everything. All of it.

Same payload as the SAP compromise 3 weeks ago (Mini Shai-Hulud). 498KB obfuscated Bun script with identical credential harvesting patterns.

reddit.com
u/BattleRemote3157 — 1 day ago
▲ 1.0k r/pwnhub+2 crossposts

314 npm packages just got compromised, 271 @antv, echarts-for-react, size-sensor, timeago.js

atool maintainer account got hacked, and attacker pushed 631 malicious versions across 314 packages in 22 minutes. another day and another attack. it steals everything like AWS keys, GitHub tokens, npm creds, SSH keys, database strings, docker configs, kubernetes tokens. If you have docker socket exposed, it escapes the container with privileged access.

safedep.io
u/BattleRemote3157 — 1 day ago
▲ 1.1k r/Malware+4 crossposts

Mass npm Supply Chain Attack Hits TanStack, Mistral AI, and 170+ Packages

massive campaign for 170+ packages and 400+ malicious versions published. what we saw that not a single maintainer account compromised. tanStack and Mistral AI these are the names that stand out.

safedep.io
u/BattleRemote3157 — 8 days ago
▲ 165 r/pwnhub+1 crossposts

We founded 4 SAP packages which were actually published today with a malicious preinstall hook. packages are cap-js/sqlite, cap-js/postgres, cap-js/db-service, and mbt The payload is stealing GitHub tokens, npm tokens or AWS/Azure/GCP credentials, and then uses the stolen GitHub token to commit back into the victim's own repos which in return dropping a vs code tasks.json that re runs the attack every time someone opens the project.

the interesting thing we found that the attacker modified CI workflow to extract an OIDC token and publish to npm directly which bypass the normal release pipeline entirely. The malicious versions have zero SLSA attestations otherwise the legit ones have two. If you run any of these packages, rotate everything now please

u/BattleRemote3157 — 21 days ago