Compromised npm Package Drops Cross-Platform Infostealer on Developer Machines

A compromised release of a widely used build tool package briefly shipped a cross platform infostealer targeting cloud credentials, crypto wallets, and AI coding tool configuration files before being pulled.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region4 min read
Developer terminal displaying code on a laptop screen in a dimly lit workspace, representing a software supply chain security incident

Developer terminal displaying code on a laptop screen in a dimly lit workspace, representing a software supply chain security incident

A compromised release of a widely used JavaScript build tool briefly turned routine package installation into a credential theft operation for any developer or automated build system that pulled it in. The tainted version carried a hidden installation script that silently dropped a Rust based infostealer built for Windows, macOS, and Linux, before the package was caught and removed from the registry within minutes of publication.

The malicious release included two new files not present in any prior version and absent from the project's public source repository, a strong indicator that the release was pushed through a compromised maintainer account or build pipeline rather than a legitimate code change. Once installed, a small loader identified the host operating system, extracted the matching payload to a randomly named file in the system temporary directory, and launched it silently in the background.

The stolen data set targeted by the payload was broad and specifically aimed at developer workflows. It searched for cloud credentials tied to AWS, Azure, and Google Cloud, including the metadata endpoints commonly used by automated build and CI systems, alongside cryptocurrency wallet seed phrases, browser stored passwords, and session tokens for messaging platforms. Notably, it also targeted configuration files belonging to popular AI coding assistants, where API keys and Model Context Protocol server credentials are frequently stored in plain text.

On Linux systems, the payload went further than typical credential theft tooling by loading a small eBPF program directly into the kernel, giving it a foothold beneath normal user space monitoring. The Windows and macOS builds added scheduled task and login item persistence respectively, allowing the malware to survive a reboot if it was not caught and removed promptly.

The package sees a modest download volume compared to the largest supply chain incidents of the past year, but reach was never the primary risk factor here. Build systems and continuous integration pipelines routinely hold cloud deployment keys, source code access, and organisational secrets, which makes even a narrowly distributed compromise like this one disproportionately valuable to an attacker focused on access rather than volume.

The timing is notable. The compromised version shipped only days after the latest release of the npm command line tool disabled automatic execution of installation scripts by default, a change specifically intended to close this exact attack path. Teams still running older package manager clients, or with lockfiles pinned to the compromised version, remain exposed regardless of that upstream fix.

This incident sits within a wider pattern of software supply chain compromises that MENA Cyber Wire has tracked through 2026, including a separate campaign in which malicious npm and PyPI packages impersonated payment SDKs to harvest developer credentials, and a critical authentication bypass in Gitea's Docker images that exposed source control infrastructure to unauthenticated access.

For enterprises across the Gulf, the exposure runs deeper than the immediate credential theft. Dubai and Riyadh have both positioned themselves as regional technology and fintech hubs, with growing developer communities relying on the same open source package ecosystems targeted here. Security teams supporting these environments should treat this incident as a prompt to review identity and access management controls governing build systems and CI pipelines, rather than a one off cleanup task.

Security teams should confirm they are not running the compromised version, rotate any credentials that may have passed through an affected build machine, and review temporary directories and scheduled tasks for signs of persistence. Given how quickly this kind of compromise can spread through shared build infrastructure, incidents like this are exactly why gulf cyber security news and mena cyber security news coverage increasingly treats developer tooling as core infrastructure rather than a peripheral concern, and why this kind of mena cyber news deserves the same urgency usually reserved for network level threats.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

Software Supply Chain ThreatsEnterprise Developer SecurityCloud Credential Protection