url
https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package
discovered 2026-06-03
npm OIDC Trusted Publishing token-exchange endpoint abused for self-replication: the endpoint is used to mint a package-scoped automation token without stored credentials, and trojanized versions are then republished.
