Hackers Compromise 170 npm Packages to Steal GitHub, npm, AWS, and Kubernetes Secrets

HomeCyber Security News Hackers Compromise 170 npm Packages to Steal GitHub, npm, AWS, and Kubernetes Secrets By Tushar Subhra Dutta May 14, 2026 A sprawling supply chain attack has put software developers worldwide on high alert after hackers compromised more than 170 npm packages and two PyPI packages in a coordinated credential theft campaign. The infected packages are collectively downloaded over 200 million times per week, making the potential blast radius enormous. The threat group behind the campaign, tracked as TeamPCP, injected malicious loaders and obfuscated JavaScript payloads into widely used developer packages. These payloads were built to run silently inside developer machines and CI/CD pipelines, harvest sensitive credentials, and use those credentials to spread even further. The scale of exposure caught many development teams off guard. Researchers at JFrog uncovered the full scope of this campaign, naming it “Shai-Hulud: Here We Go Again” after recognizing hallmarks from previous attacks by the same group. Their analysis revealed that this was not a simple one-time intrusion but a self-replicating operation designed to keep growing with every successful new infection. Hackers Compromise 170 npm Packages The attack began inside a trusted GitHub release environment. The attackers exploited a workflow pattern that allowed fork-controlled code to run in a privileged repository context, gaining a foothold without raising immediate red flags. From there, they poisoned a build cache entry, which a later release workflow restored during what looked like routine build activity. Once inside, the malware extracted GitHub Actions identity tokens from runner memory and exchanged them for npm publishing credentials. It then injected malicious code into additional packages, bumped their version numbers, and republished them. Each compromised package became a launchpad for the next wave of infections. What makes this campaign especially alarming is its worm-like behavior. Instead of stealing secrets from one machine and stopping, the malware keeps moving. After collecting npm tokens or trusted-publishing credentials, the payload scans for every package the victim account can publish, rewrites those packages with malicious code, and pushes new infected versions to the public registry. The malware can also request an OIDC token for the npm registry and exchange it for a publishing token, all while hiding behind the same trusted workflow identity that real developers use. This means infected packages can appear to come from verified, trusted sources while still carrying malware inside. The campaign also expanded into Python through two compromised PyPI packages. The PyPI variant uses an import-time trigger, so just importing the package in any Python script can activate the loader. That loader then silently downloads a remote payload from attacker servers, which has since evolved into a full credential stealer targeting cloud providers, Kubernetes, Vault, password managers, and developer tools. Credential Theft and the Dead-Man Switch The npm payload targets a wide range of secrets, including GitHub tokens, npm credentials, AWS access keys from environment variables and cloud metadata services, Kubernetes service account tokens, HashiCorp Vault tokens, SSH keys, Docker credentials, and generic API keys. In cloud environments, it queries the EC2 metadata service to retrieve IAM role credentials directly. The malware uses GitHub itself as an exfiltration channel. It creates a public repository under a stolen token, commits encrypted credential bundles there, and marks the repository with the campaign name as a tracker. Commits containing stolen GitHub tokens carry a threatening message warning defenders against revoking access. That threat is backed by a real dead-man switch. The malware installs a background monitor that polls GitHub every 60 seconds and, if the stolen token is revoked, immediately triggers a destructive wipe command on the affected machine. Defenders must fully remove all persistence before rotating any credentials, or they risk triggering the wiper themselves. JFrog recommends isolating all affected machines and CI/CD runners before revoking any tokens. Persistence files and background services must be removed first. After cleanup, teams should rotate GitHub tokens, npm tokens, AWS credentials, Kubernetes service accounts, Vault tokens, and SSH keys. Developers should also review repositories for commits authored as “claude@users.noreply.github.com” and look for unexpected Dependabot-like branches that do not match normal automation patterns. Indicators of Compromise (IoCs):- Type Indicator Description IP Address 83.142.209.194 Primary attacker C2 server and PyPI payload host  URL hxxps[:]//83.142.209.194/transformers.pyz PyPI remote payload download URL  URL hxxps[:]//83.142.209.194/v1/models PyPI early-quarantine / second-stage retrieval endpoint  URL hxxps[:]//83.142.209.194/v1/weights PyPI primary credential exfiltration endpoint  URL hxxps[:]//83.142.209.194/audio.mp3 PyPI destructive second-stage media download  Domain seed1[.]getsession[.]org Session/Oxen seed node for encrypted credential upload  Domain seed2[.]getsession[.]org Session/Oxen seed node for encrypted credential upload  Domain seed3[.]getsession[.]org Session/Oxen seed node for encrypted credential upload  Domain filev2[.]getsession[.]org Session/Oxen file upload service  Domain git-tanstack[.]com Campaign infrastructure  Domain api[.]masscan[.]cloud Campaign infrastructure  File transformers.pyz Malicious PyPI downloaded payload  File Path /tmp/transformers.pyz PyPI payload drop path on Linux  File setup.mjs npm campaign loader file  File router_init.js (also tanstack_runner.js) npm malicious JavaScript payload  File Path ~/.local/bin/gh-token-monitor.sh Linux dead-man switch script  File Path ~/.config/systemd/user/gh-token-monitor.service Linux dead-man switch systemd service  File Path ~/Library/LaunchAgents/com.user.gh-token-monitor.plist macOS dead-man switch LaunchAgent  File Path ~/.local/bin/pgmonitor.py PyPI second-stage persistence payload (Linux user)  File Path /usr/bin/pgmonitor.py PyPI second-stage persistence payload (root)  Service Name pgsql-monitor.service PyPI second-stage systemd persistence, masquerades as PostgreSQL monitor  Email / Commit Author claude@users.noreply.github.com GitHub commit author marker used for dead-drop exfiltration  Keyword FIRESCALE PyPI fallback C2 discovery keyword searched in GitHub commits  Repository Description Shai-Hulud: Here We Go Again GitHub dead-drop repository description (npm variant)  Repository Description PUSH UR T3MPRR GitHub exfiltration repository description (PyPI variant)  Hash (SHA-1) 29c729852fce5a53e30a1541d9fec79c915b2e13 npm payload hash  Hash (SHA-1) f1eda94a5978cf0aae0d88d92ec78d556d696e20 npm payload hash  Hash (SHA-1) 8927cc503d48e4b5eb56b31abc2870c2ed2e98d6 npm payload hash  Hash (SHA-1) be27fc96ab4fcadaec49c03278063dd269ea5eef npm payload hash  Hash (SHA-1) 82d24f2124a8e15d7b90f2fa8601266c npm payload hash  Hash (SHA-256) D4a2086ea18f5e39cd867b8b06918a524eabb21d45ea98aad07357b98173458a npm payload hash  Hash (SHA-256) 2a314ea8be337e1ca9ec833ed13ed854d9fd38bce0a519cf288f3bec8d9e6f30 PyPI __init__.py payload hash  Hash (SHA-256) 5245eb032e336b85cff0dbb3450d591826bf2ef214fd30d7eba1a763664e151b Updated PyPI transformers.pyz payload hash  Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Hackers Deploy Modular RAT With Credential Theft and Screenshot Capture Capabilities Malicious Chrome MV3 Extension Impersonates TronLink to Steal Crypto Wallet Credentials iOS 26.5 Brings End-to-end Encrypted RCS Messaging Between iPhone and Android 10 Best Full Disk Encryption Tools in 2026 Langflow CVE-2026-33017 Exploited to Steal AWS Keys and Deploy NATS Worker Latest News Cyber Security News TeamPCP and BreachForums Hackers Running $1,000 Contest for Supply Chain Attacks Cyber Security News Amazon Quick Bug Exposed AI Chat Agents to Users Blocked by Custom Permissions Cyber Security News New Critical Exim Mailer Allows Remote Attacker to Execute Arbitrary Code Cyber Security News Dell Support assist Updates Forces Windows Systems to BSOD Loop Cyber Security News Microsoft Research Shows AI Can Generate Realistic Command Lines and Process Telemetry