New supply chain attack hits npm registry, impacts 40+ packages

A new campaign is targeting the npm registry, compromising over 40 packages maintained by multiple developers.

According to supply chain security firm Socket, the attackers inject malicious JavaScript code into popular npm packages through a tampered publishing function. The affected function (NpmModule.updatePackage) manipulates package tarballs by modifying package.json, injecting a malicious script (bundle.js), and repackaging the archive for redistribution.
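One defensive check this mechanism suggests is to diff a republished version of a package against the previously published one and flag exactly the two changes described above: an edited package.json and a newly added script file. The example below is added here and is not code from Socket, StepSecurity or any affected package; it assumes the edited package.json wires the injected file into an npm install lifecycle hook (the article does not say how bundle.js is triggered), and both sample versions are constructed.

```javascript
// Added example (not code from Socket, StepSecurity or any affected package):
// compare a package's previously published manifest and file list against a
// newly published version and flag the changes a tampered republish would
// introduce: a new or changed install lifecycle hook and a newly added file.
// Field names are standard npm; "bundle.js" is the file name from the report;
// the lifecycle-hook wiring is an assumption; both sample versions are constructed.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function auditRepublish(prev, curr) {
  const findings = [];
  const prevScripts = prev.manifest.scripts || {};
  const currScripts = curr.manifest.scripts || {};
  // 1. Lifecycle hooks that are new, or whose command changed, between versions.
  for (const hook of LIFECYCLE_HOOKS) {
    if (currScripts[hook] && currScripts[hook] !== prevScripts[hook]) {
      findings.push({ kind: "lifecycle-hook", hook, command: currScripts[hook] });
    }
  }
  // 2. Files present in the new tarball but absent from the old one.
  const prevFiles = new Set(prev.files);
  for (const f of curr.files) {
    if (!prevFiles.has(f)) findings.push({ kind: "new-file", file: f });
  }
  // 3. A new hook that executes a newly added file is the high-confidence case.
  const added = findings.filter(f => f.kind === "new-file").map(f => f.file);
  for (const f of findings.filter(f => f.kind === "lifecycle-hook")) {
    f.runsNewFile = added.some(n => f.command.includes(n.replace(/^package\//, "")));
  }
  return findings;
}

// Constructed sample: 1.2.3 as originally published, 1.2.4 as republished.
// npm tarballs place every file under a top-level "package/" directory.
const previous = {
  manifest: { name: "example-lib", version: "1.2.3", main: "index.js", scripts: { test: "mocha" } },
  files: ["package/package.json", "package/index.js", "package/README.md"],
};
const republished = {
  manifest: { name: "example-lib", version: "1.2.4", main: "index.js",
              scripts: { test: "mocha", postinstall: "node bundle.js" } },
  files: ["package/package.json", "package/index.js", "package/README.md", "package/bundle.js"],
};

const report = auditRepublish(previous, republished);
const highConfidence = report.filter(f => f.kind === "lifecycle-hook" && f.runsNewFile);
console.log(JSON.stringify(report, null, 2));
console.log(`high-confidence findings: ${highConfidence.length}`);
```

In practice the two inputs would come from the registry's packument and the extracted tarballs of the two versions; a hook that only changed its command still deserves review even when it runs no new file.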

The campaign is aimed at harvesting secrets from developer machines using the TruffleHog credential scanner. Once injected, the malicious script automatically downloads TruffleHog and scans the host system for sensitive credentials, including GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

The attack targets both Windows and Linux systems and, when possible, validates tokens via the npm 'whoami' endpoint and interacts with GitHub APIs to gain further access. In cases where GitHub tokens are found, the malware creates a new GitHub Actions workflow in .github/workflows, allowing persistent data exfiltration during future CI/CD runs.

The stolen secrets are exfiltrated to an external server via a webhook[.]site endpoint controlled by the attacker.

StepSecurity, which also analyzed the campaign, warned that the malware self-propagates across maintainer packages, collects AWS/GCP/Azure credentials using TruffleHog, and establishes persistence through GitHub Actions backdoors.