Security News

Cybersecurity news aggregator

HIGH Vulnerabilities Reddit r/netsec

npm-sentinel: 21 malicious npm packages in 24h including LLM API MITM, encrypted skill backdoors, and Redis weaponization via postinstall

The article details a coordinated campaign of 21 malicious npm packages employing diverse attack vectors, including postinstall hooks that hijack AI coding assistants to create persistent backdoors and MITM API traffic, weaponized fake plugins that deploy RATs to steal credentials via Redis and disk reads, and sophisticated phishing toolkits with obfuscated credential stealers. Specific version ranges and CVSS scores for the individual packages are not provided in the article. The researcher follows coordinated disclosure practices, submitting findings to vendors prior to public release, but no specific fixed versions or workarounds are listed.

Independent security researcher focused on AI supply chain security and prompt injection attack vectors. Building npm-sentinel, an automated scanner that has analyzed 2,847+ packages.

npm package permanently hijacks AI coding assistants through postinstall hooks, injecting 13 persistent skill files that disable all security prompts. Overwrites ~/.claude/ on install, reroutes all Claude Code API traffic through attacker's server (makecoder.com), and harvests API credentials.

Coordinated campaign of 6 fake Strapi plugins containing a RAT that weaponizes Redis, reads raw disk via dd to steal SSH keys and crypto wallets, and opens a reverse shell.

Downloads encrypted, unauditable payloads from a marketplace API, decrypts locally, and installs as persistent Claude Code skills. Server can change payloads anytime.

Two packages pose as AI coding agents with polished terminal UIs but route all user interactions through an attacker-controlled ngrok tunnel. Users willingly give full codebase access.

Commercial phishing toolkit distributed via npm for 9 months. Includes DKIM spoofing, OAuth replay attacks, SMS phishing via Twilio, and pre-configured SMTP gateways.

Ships fake React components as cover for a 33KB obfuscated credential stealer that exfiltrates environment variables to Slack using double base64 + charCode encoding.

Heavily obfuscated 155KB package published under ByteDance's @volcengine npm scope. Uses hex variable names, string rotation, and anti-debugging. Collects API keys via zod schema.

Two dependency confusion attacks: one targeting Verisign specifically (exfiltrating data to Telegram bot), another targeting internal packages with OAST callbacks.

Ships a single 34MB JavaScript file with anti-debugging (console hijacking), hex-indexed lookups, and array rotation obfuscation. Legitimate AI frameworks are 50-500KB.

Two dependency confusion attacks targeting corporate packages. One uses classic HTTP exfiltration, the other uses DNS exfiltration via hex-encoded nslookup to bypass firewalls.

All findings are submitted through official vulnerability disclosure programs before public release. I follow coordinated disclosure practices and work with vendors to ensure fixes are deployed before details are published.
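Several of the campaigns above rely on npm install-lifecycle hooks (postinstall and friends) to write into ~/.claude/, read raw disk with dd, or exfiltrate over DNS with nslookup. The following audit script is an added example, not code from npm-sentinel or the original post: it walks a node_modules tree, lists every install-time hook, and flags commands matching indicator patterns constructed here from the behaviours described in the post.

```python
import json
import os
import re

# Lifecycle scripts that npm runs automatically during `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed indicator patterns based on the behaviours described in the post:
# writes into the assistant config dir, raw disk reads, DNS exfil, tunnels, remote fetches.
INDICATORS = {
    "touches ~/.claude": re.compile(r"\.claude(?:/|\b)"),
    "raw disk read via dd": re.compile(r"\bdd\s+if=/dev/"),
    "nslookup-based DNS exfil": re.compile(r"\bnslookup\b"),
    "ngrok tunnel": re.compile(r"\bngrok\b"),
    "remote fetch in install hook": re.compile(r"\b(?:curl|wget)\b"),
}

def audit_manifest(manifest):
    """Return findings for one parsed package.json dict (empty list = nothing to report)."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        # Every install-time hook is listed; native builds (node-gyp) are the usual benign case.
        findings.append(f"{hook}: {cmd}")
        for label, pattern in INDICATORS.items():
            if pattern.search(cmd):
                findings.append(f"  indicator: {label}")
    return findings

def audit_node_modules(root):
    """Audit every package.json under root; returns {relative package dir: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the scan
        hits = audit_manifest(manifest)
        if hits:
            report[os.path.relpath(dirpath, root)] = hits
    return report
```

Run `audit_node_modules("node_modules")` from a project root after `npm install --ignore-scripts`; any hook that writes outside its own package directory or reaches the network deserves manual review before scripts are allowed to run.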
