Campaigns
Named operations tying malicious packages, indicators of compromise, and attack techniques together.
Rust-built infostealer npm supply chain worm, identified by JFrog Security Research on 2026-06-03 as an evolved variant of the Shai-Hulud worm family. Distributed via npm packages published from the compromised `asteroiddao` account (43 packages), it targets the Arweave/WeaveDB decentralized-database and broader Web3/crypto developer ecosystem. The malicious install hook drops a ~976 KB Rust ELF (`tools/setup`, UPX-packed with overwritten magic) that harvests ~86 environment variables and 20+ credential file paths (cloud, AI API keys, SCM/registry/CI tokens, Kubernetes/Vault secrets), captures Exodus desktop wallet seed phrases, ships an eBPF kernel rootkit for process/socket hiding and anti-debugging, beacons to a Tor hidden service (/api/agent) with temp.sh fallback exfil, and self-republishes via npm OIDC Trusted Publishing. Code paths targeting PyPI, Cargo, Conan and vcpkg credentials/registries were also present. Shares Shai-Hulud tradecraft (claude@ commit spoofing, dependency-tooling masquerade, supply-chain self-propagation) but escalates to a custom native implant.
Serial axios typosquat campaign by a single Epsilon Stealer MaaS operator. Wave 1: turbo-axios published 2026-05-23 (v1.17.2, v1.17.3), taken down by npm security hold 2026-05-28. Wave 2: the operator created a new npm account (speedsteraxios) and published faster-axios 2026-06-01 (v1.17.3, v1.17.4) with rotated Cloudflare quick-tunnels but shared infrastructure (consequences-faces-weblogs-clinical.trycloudflare.com appears both in the turbo-axios stage-2 C2 and in the faster-axios Epsilon Stealer DOWNLOAD_URL constant). Shared TTPs: identical version numbering (1.17.x), same postinstall hook (node ./lib/core/eval.js), same sendAnalytics() function name, same /download/datab1 URL path pattern, same attack shape (postinstall eval-downloader targeting axios users). Payload: Epsilon Stealer MaaS infostealer with browser credential theft, crypto wallet theft, Discord/Telegram/GitHub token theft, process injection, WebSocket RAT, and persistence.
Supply-chain campaign in the Shai-Hulud worm lineage, a variant of or derived from Mini Shai-Hulud (TeamPCP-attributed). Also tracked by other researchers as the "Hades Campaign" (confirmed external alias / cross-reference name; like the "Miasma" name itself, it is an external label, not a string recovered in plaintext from any decoded artifact). As of 2026-06-08 the authoritative consolidated package list spans two ecosystems: npm (106 packages / 411 versions across the June 1 Trusted-Publishing @redhat-cloud-services wave and the June 3 Phantom Gyp Arm A) and PyPI (26 packages / 45 versions, newly surfaced and expanded). The PyPI package identities and versions are authoritative (HIGH CONFIDENCE), but the PyPI delivery mechanism, payload, and entry vector have NOT been analyzed (OBSERVED, not characterized); attribution of the PyPI packages to the Miasma payload rests on authoritative-list inclusion only. The campaign-identifier string "Miasma: The Spreading Blight" was not recovered in plaintext from the June 1 sample but is corroborated by the June 3 liuende501 exfil account repo descriptions.
Wave 3 (2026-06-01) of the oob-moika-tech dependency confusion campaign. A fourth npm account, emcd-vue (email emcd-vue@proton.me), published at least 3 confirmed packages in the @emcd-vue scope, impersonating EMCD (emcd.io) — a real Russian cryptocurrency mining pool and exchange. The same hardcoded X-Secret (l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1) ties this wave to all prior accounts. Wave 3 is the campaign's most advanced iteration: WaCk/JScrambler obfuscation (811-element string array, custom lowercase-first base64 alphabet, integer-arithmetic indexing, 5-arg helper proxy functions, anti-debug self-check); payload written to ~/.emcd-vue_init.js in the home directory rather than OS temp; FUSION_ env-var handshake protocol to the second stage (FUSION_RECON_ONLY, FUSION_DEP_CON, FUSION_PKG, FUSION_VER, FUSION_SECRET, FUSION_PAYLOAD); architecture-qualified platform payload URLs (linux-x64, darwin-arm64, win); plausible version numbers (6.4.8/6.4.9/7.1.7) that evade version-anomaly heuristics; README kill switch (EMCD_VUE_8D440FE1_NO_TEL) deliberately mismatched from the functional code kill switch (EMCD_VUE_NO_TELEMETRY).
Five npm packages (iceberg-javascript, supabase-javascript, auth-javascript, microsoft-applicationinsights-common, ms-graph-types) that abuse Claude Code hooks to backdoor AI coding sessions.
A Telegram account-takeover operation by npm publisher shetty123 (shettysaikumar3@gmail.com). Pairs a malicious client (common-tg-service) with the operator's server-side runtime (ams-ssk) deployed at cms.paidgirl.site. Targets Indian Telegram accounts for downstream UPI payments fraud.
Three compromised versions of the Microsoft durabletask Python SDK (1.4.1, 1.4.2, 1.4.3) were published to PyPI, each downloading a stage-2 payload that steals credentials from AWS, Azure, GCP, Kubernetes, HashiCorp Vault, and password managers, then propagates to other hosts via SSM and kubectl exec.
npm packages using Polymarket and DeFi trading lures to steal cryptocurrency wallet private keys and drain victim funds.
npm packages from a single operator delivering Windows RATs and browser cookie/credential stealers. Every variant exfiltrates to fucktestpad@opemails.com, linking the packages to one actor.
Multi-wave npm supply chain campaign deploying a cross-platform RAT disguised as Autodesk Forge SDK packages. Uses shared C2 infrastructure at 204.10.194.247 across waves. Wave 1 (forge-jsx, April 2026) provided base RAT capabilities. Wave 2 (forge-jsxy, May 2026) added Discord screenshot exfiltration, Hugging Face uploads, crypto wallet scanning, Chromium extension harvesting, WebRTC P2P, and durable persistence outside node_modules.
DPRK-linked (Famous Chollima) supply chain campaign targeting developers via npm, PyPI, and fake job interviews. MicrosoftSystem64 / js-logger-pack is attributed to this campaign cluster via the toskypi identity (tosky.pi1016@gmail.com), jpeek account rotation (jpeek868/886/895), and shared Lordplay/system-releases HuggingFace infrastructure. Overlapping sub-campaigns: Contagious Trader (crypto trading lures), BigSquatRat (typosquats).
npm packages published by a single operator that plant SSH backdoors and full remote access trojans on developer machines. All variants exfiltrate stolen data to the tanvisoul9@gmail.com mailbox, tying the packages to one actor.
Cluster of big.js and biginteger typosquats (sjs-biginteger, bjs-biginteger, cjs-biginteger and lint-builder variants) that implant SSH backdoors and steal developer keys.
Compromise of the @fairwords npm scope (websocket, loopback-connector-es, encryption) delivering a credential-harvesting worm.
36 npm packages impersonating Strapi plugins that deploy Redis RCE, steal databases and maintain persistent command and control.
Umbrella supply chain campaign tracked by Wiz (Rami McCarthy) that compromises developer tooling, package registries, and CI/CD across npm, PyPI, Docker, VSCode, and Packagist. The initial wave abused Checkmarx-themed decoy domains (checkmarx.zone, audit.checkmarx.cx) and shared C2 (94.154.172.43) to trojanize litellm and, through a cascading KICS compromise, @bitwarden/cli. Attribution strings reuse Dune terminology, linking it to the Shai-Hulud worm family.
Self-replicating npm and PyPI supply chain worm that harvests developer, cloud, and registry credentials and propagates by publishing trojanized versions of every package the stolen tokens can reach. First seen September 2025 (@ctrl/tinycolor and peers, exposing private repositories and AWS credentials), it resurged as the larger 'Shai-Hulud 2.0' wave in November 2025 across @zapier, @asyncapi, posthog and @postman packages affecting 25,000+ repositories, and later reached PyPI through PyTorch Lightning. Named after the Dune sandworm; part of the broader TeamPCP activity.
September 2025 phishing compromise of npm maintainer 'qix' that hijacked 18 ultra-popular packages (chalk, debug, ansi-styles, strip-ansi and more, 1B+ weekly downloads) to inject a browser-based crypto wallet address swapper.
August 2025 compromise of the nx build system and @nx/js that stole credentials, SSH keys and wallet data from Linux and macOS developers and published the loot to attacker-created GitHub repositories.
PyPI typosquats of the Bittensor SDK (bitensor, bittenso, bittenso-cli, qbittensor) that backdoor crypto and AI developers, steal wallet credentials and use DNS tunneling as a fallback exfiltration channel.
July 2025 maintainer-phishing compromise that pushed malware through eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core and napi-postinstall, packages with tens of millions of weekly downloads.
Dependency-confusion packages that mimic the private/internal package names of specific enterprises (Hyatt, Schedaero, Coca-Cola, Genoma and others) and beacon host and environment data to attacker-controlled collectors such as Burp Collaborator, requestcatcher and disposable inboxes.
Catch-all for isolated malicious packages that are not attributable to a tracked campaign.
