Application security, Third-party code

Trusted by default: The npm attack pattern security teams miss

May 13, 2026

By Mohit Bansal

COMMENTARY: There is a machine in your organization that has access to your cloud infrastructure, your source code, your CI/CD pipeline, and in some cases, your employees' cryptocurrency wallets. It runs with elevated permissions and executes remote code as a routine part of its job. That machine is a developer's laptop, and attackers have figured out it is the softest target in the environment.

The numbers back the shift. Wiz reported that the August 2025 NX compromise leaked more than 1,000 valid GitHub tokens and exfiltrated roughly 20,000 files. Google's Cloud Threat Horizons Report for H1 2026 documented a follow-on operation, tracked as UNC6426, that used those stolen tokens to breach a victim's AWS environment within 72 hours. Every iteration of this pattern is faster than the last, and the response model the security industry has been operating from has not kept pace.

I have been tracking this pattern across multiple npm campaigns for the better part of a year. The npm ecosystem is not going to become less trusted. Developers are not going to stop running postinstall hooks. The attack surface is permanent. What is broken is the response model, and that is the only part we can actually fix.

The NX compromise was a proof of concept

In August 2025, threat actors compromised packages in the NX ecosystem, a monorepo toolkit with roughly 4.6 million weekly downloads. The malicious versions added a single line to package.json, "postinstall": "node telemetry.js", that turned a routine npm install into code execution on every developer machine that pulled the update.
The script scanned for SSH keys, npm credentials, and crypto wallet files, then exfiltrated the data to public GitHub repositories prefixed with "s1ngularity-repository". What made the campaign novel was the next step. The malware checked whether Claude, Gemini, or Amazon Q CLI tools were installed locally, and if it found them, invoked them with permission-bypass flags: --dangerously-skip-permissions, --yolo, and --trust-all-tools. The AI agents then scanned the filesystem for sensitive files on the attacker's behalf. It was the first documented case of malware co-opting AI developer tooling for reconnaissance.

Socket Security flagged it as a new evolution of supply chain tradecraft. A subsequent self-replicating worm, tracked as Shai-Hulud, used credentials harvested from NX victims to compromise more than 500 additional npm packages in the weeks that followed.

The NX compromise was not a one-off. It was a validation run for an attack model that keeps shipping iterations. Every iteration improves on the last, and most security programs are still building controls for the previous one.

The axios campaign showed precision

Where NX demonstrated scale, the axios compromise in March 2026 demonstrated intent. Elastic Security Labs documented the incident publicly. An attacker took control of a maintainer account on the axios package, which has approximately 100 million weekly downloads, and published two backdoored versions within a 39-minute window. Microsoft and Google's Threat Intelligence Group both attributed the campaign to a North Korea-linked cluster.
The payload was a cross-platform RAT with three parallel implementations across Windows, macOS, and Linux, all sharing an identical command-and-control protocol. As Elastic Security Labs noted in their writeup, "the consistency strongly indicates a single developer or tightly coordinated team working from a shared design document." The delivery mechanism abused a postinstall hook in a transitive dependency the attackers had pre-staged with a clean decoy 18 hours earlier.

The level of preparation tells you what you need to know. The attackers knew the publishing flow; they knew the dependency graph; they knew where developer credentials live on each operating system. That is not a smash-and-grab. That is somebody who has been studying the developer environment for a long time, and the response window for defenders is measured in hours.

The response model is the part we can fix

These two campaigns are iterations of the same model. Identify a high-trust package. Abuse the install lifecycle to achieve code execution. Target the developer endpoint as the destination, not as a pivot point. The pattern is well-documented, and the response model most security teams operate from is still organized around production servers and perimeter controls. That is the gap.

The attack surface, developer trust in open-source tooling, is structural. It cannot be patched out. What can be changed is how security teams respond. Every time one of these campaigns lands, the industry treats it as a software supply chain problem and adds one more dependency scanner. But the supply chain is just the delivery mechanism. The target is the laptop, and the response model still treats the laptop like a workstation instead of like critical infrastructure.

The teams I have seen close this gap tend to do three things differently. They extend endpoint detection coverage and incident response playbooks to developer machines with the same rigor as production servers.
They treat npx, yarn dlx, and postinstall hooks as code execution events rather than package management. And they invest in secret hygiene on developer machines, because seed phrases in dotfiles and cloud credentials in ~/.aws are the norm in most engineering organizations, not the exception.

The teams solving this in 2026 will be the ones that accepted that the attack surface is permanent and rebuilt their response model around that fact. The next campaign is already in development somewhere. The only question is whether the response model is ready before it ships, or after.

Mohit Bansal is Senior Manager, Security Engineering at Webflow, where his job is keeping the developer toolchain secure while the open source supply chain reshapes how every team in the company ships code. He leads the team that responds when the open source ecosystem turns hostile, from compromised npm packages dropping RATs on engineer laptops to typosquatted PyPI libraries exfiltrating credentials.