When Open Source Turns Against You: Inside the npm Supply Chain Worm

Feb 23, 2026

Open source is the backbone of modern development. Most of us install packages without a second thought, trusting that the ecosystem will sort itself out. But every so often, someone abuses that trust in a very calculated way.

Security researchers recently uncovered an active supply chain campaign targeting npm. It behaves less like a simple backdoor and more like a worm, spreading through stolen developer credentials and quietly expanding its reach.

Let’s break down what’s happening, why it matters, and what developers should do right now.

A Worm Hiding in Plain Sight

Researchers identified at least 19 malicious npm packages tied to this campaign. These packages were published under aliases designed to look legitimate or mimic commonly used libraries.

This tactic, known as typosquatting, relies on small spelling changes or believable naming to trick developers into installing the wrong package.

Known Malicious Packages:

  • claud-code@0.2.1
  • cloude-code@0.2.1
  • cloude@0.3.0
  • crypto-locale@1.0.0
  • crypto-reader-info@1.0.0
  • detect-cache@1.0.0
  • format-defaults@1.0.0
  • hardhta@1.0.0
  • locale-loader-pro@1.0.0
  • naniod@1.0.0
  • node-native-bridge@1.0.0
  • opencraw@2026.2.17
  • parse-compat@1.0.0
  • rimarf@1.0.0
  • scan-store@1.0.0
  • secp256@1.0.0
  • suport-color@1.0.1
  • veim@2.46.2
  • yarsg@18.0.1

In addition, four related “sleeper” packages were identified: ethres, iru-caches, iruchache, and uudi. These did not contain malicious features at the time of analysis but were linked to the same publisher infrastructure.

What the Malware Actually Does

This isn’t just a simple credential stealer. It’s structured in stages and built for persistence.

Stage One: Immediate Harvesting

After installation, the first stage focuses on collecting sensitive information from the developer’s environment:

  • System details and hardware identifiers
  • npm tokens and authentication configs
  • GitHub access tokens
  • Cloud API keys and environment variables
  • Cryptocurrency wallet keys

Stage Two: Delayed and Deeper

The second stage activates after roughly 48 hours to evade sandbox detection. This stage expands the attack by:

  • Harvesting credentials from password managers
  • Propagating using stolen npm and GitHub identities to infect more packages
  • Injecting itself into local development tooling
  • Exfiltrating data over HTTPS with DNS-based fallback

There is even a disabled-by-default kill-switch routine designed to wipe a user’s home directory if communication is lost.

Targeting AI Coding Assistants

One of the more concerning elements is a module designed to tamper with AI coding assistants. The malware deploys a rogue Model Context Protocol (MCP) server and registers it as if it were a legitimate tool provider.

It then uses prompt injection techniques to trick AI tools into exposing sensitive local files such as:

  • ~/.ssh/id_rsa and other keys
  • ~/.aws/credentials
  • ~/.npmrc
  • .env files

The targeted tools include Claude Code, Claude Desktop, Cursor, and VS Code extensions. It also harvests API keys for major LLM providers.

Built for Evasion

The malware contains a polymorphic engine designed to rewrite its own code by renaming variables, rewriting control flow, and inserting junk code. This suggests the operators are preparing for long-term survival in the ecosystem.

How to Sanitize Your Environment

If you have installed any of the affected packages, take action immediately:

  1. Remove & Uninstall: Delete the packages from your projects and uninstall them globally.
  2. Rotate Tokens: Change all npm and GitHub tokens immediately.
  3. Reset Secrets: Rotate CI/CD secrets and LLM API keys.
  4. Regenerate Keys: Create new SSH keys if they were stored on the machine.
  5. Audit Workflows: Check .github/workflows/ for unauthorized changes.
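
Before step 1 you need to know where the packages are. The following is an added example, not code from the researchers or from npm: it checks a parsed package-lock.json against the names and versions listed in this article. The sample lockfile, the function names, and the "malicious-name" verdict for a listed name at a different version are assumptions made for illustration.

```javascript
// Names and versions copied from the article's list of malicious packages.
const MALICIOUS = {
  "claud-code": "0.2.1", "cloude-code": "0.2.1", "cloude": "0.3.0", "crypto-locale": "1.0.0",
  "crypto-reader-info": "1.0.0", "detect-cache": "1.0.0", "format-defaults": "1.0.0",
  "hardhta": "1.0.0", "locale-loader-pro": "1.0.0", "naniod": "1.0.0", "opencraw": "2026.2.17",
  "node-native-bridge": "1.0.0", "parse-compat": "1.0.0", "rimarf": "1.0.0", "veim": "2.46.2",
  "scan-store": "1.0.0", "secp256": "1.0.0", "suport-color": "1.0.1", "yarsg": "18.0.1",
};
// The four "sleeper" packages tied to the same publisher infrastructure.
const SLEEPERS = new Set(["ethres", "iru-caches", "iruchache", "uudi"]);

// Classify one installed package; returns null when the name is not on either list.
function classify(name, version, path) {
  let verdict = null;
  if (Object.prototype.hasOwnProperty.call(MALICIOUS, name)) {
    // Assumption: a listed name at any other version is still worth flagging.
    verdict = MALICIOUS[name] === version ? "malicious" : "malicious-name";
  } else if (SLEEPERS.has(name)) verdict = "sleeper";
  return verdict && { name, version, path, verdict };
}

// Handles lockfile v2/v3 ("packages" keyed by install path) and v1 (nested "dependencies").
function scanLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Aliased installs record the real name; otherwise take the last path segment.
    const name = meta.name || path.split("node_modules/").pop();
    const hit = name && classify(name, meta.version, path);
    if (hit) hits.push(hit);
  }
  const walkV1 = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      const hit = classify(name, meta.version, path);
      if (hit) hits.push(hit);
      walkV1(meta.dependencies, `${path}/`); // transitive dependencies nest here in v1
    }
  };
  // v2 files carry both sections, so use the v1 tree only when "packages" is absent.
  if (!lock.packages) walkV1(lock.dependencies, "");
  return hits;
}

// Constructed sample: a listed package pulled in transitively, plus one sleeper.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-lib": { version: "1.2.3" },
  "node_modules/example-lib/node_modules/suport-color": { version: "1.0.1" },
  "node_modules/uudi": { version: "1.0.0" },
} };
console.log(scanLockfile(SAMPLE_LOCK));
```

To check a real project, pass in `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Globally installed packages do not appear in a project lockfile, so review the output of `npm ls -g --depth=0` separately.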