malware npm

npm-global-util

discovered 2026-04-29

npm-global-util is identified in the SafeDep analysis "npm-global-util: Credential Theft and Supply Chain Attack". npm-global-util is a malicious npm package by maintainer raya4321 that exfiltrates credentials and system recon data via a preinstall hook. Part of a 16-package campaign targeting Apple developer CI/CD environments, with a second-stage that attempts to poison apple-app-store-server-library.

more…

Threat types

credential_stealer data_exfiltration rat persistence

Malicious versions

1.0.0

Campaigns

No Specific Campaignattributed-to

Indicators

domain webhook.sitecommunicates-with
domain franki.requestcatcher.comcommunicates-with
ipv4 169.254.169.254communicates-with
email npmtpoc@gmail.comexfiltrates-to

Techniques

ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
ttp T1041 Exfiltration Over C2 Channeluses
ttp T1105 Ingress Tool Transferuses
ttp T1071.001 Application Layer Protocol: Web Protocolsuses
ttp T1102 Web Serviceuses
ttp T1546 Event Triggered Executionuses

Read the full analysis →