Hundreds of malicious package versions were uploaded across both the npm and PyPI ecosystems in two distinct phases, starting April 29, 2026, and again on May 11, 2026, signaling a sophisticated supply chain attack targeting open-source development. Unlike isolated package compromises, this campaign specifically infiltrated entire groups of related packages, magnifying its potential reach and impact.

What Happened

Attackers published hundreds of malicious versions of legitimate software across npm and PyPI. The initial wave hit on April 29, 2026, followed by a second, coordinated phase on May 11, 2026. Affected organizations are those relying on popular open-source projects, including those associated with TanStack, Mistral AI, UiPath, and OpenSearch, according to advisories from NHS England Digital and ongoing research by Socket.

The malicious code, often heavily obfuscated, executes during the installation or import process of the compromised packages. Once triggered, it's designed to harvest a wide array of sensitive credentials. NHS England Digital issued an advisory on May 12, 2026, detailing the specifics of the threat.

Why It Matters

This is not just a few rogue packages; it is a broad attempt to infiltrate the open-source software supply chain by targeting widely used packages. Compromising entire groups of related packages dramatically increases the attack surface for any organization that consumes open-source components: one might roll back a single compromised package only to find that its sibling package was also backdoored.

The core objective is credential harvesting: GitHub tokens, npm tokens, CI/CD secrets, cloud credentials, and API keys are all targeted, according to Socket. Leaking these keys can hand an attacker broad access to an organization's infrastructure, and any of them present on a machine that installed a malicious version should be treated as exposed. NHS England National CSOC recommends immediate reporting if you find any evidence of compromise in your environment.

The breadth of this attack across both npm and PyPI suggests a significant number of affected users and organizations, although specific figures are still emerging. Researchers at Socket are maintaining a list of compromised package versions, which serves as a real-time indicator of compromise for development and security teams; checking lockfiles and installed packages against it is the first concrete step.

Technical Breakdown

The attack chain begins with the publication of malicious versions to npm and PyPI under the names of legitimate packages, trading on trust in the open-source ecosystem. When a developer or a CI job installs or imports one of these versions, the embedded, obfuscated payload executes. On npm, install-time execution generally means a lifecycle script such as preinstall or postinstall; on PyPI, code in setup.py runs during a source install, and anything else runs at first import. Because this happens inside a routine build or through a transitive dependency, it is hard to spot without analysing the package contents rather than just its name and version.

Think of it like this: your development environment is a secure vault, and your packages are the tools you bring in. This attack is not just swapping out one tool for a malicious one; it is like an attacker replaced entire tool sets (groups of related packages) with infected versions. Now, when you reach for a wrench, you are picking up a device designed to steal your vault combinations.

Upon execution, the malware's primary goal is data exfiltration. It systematically searches for configuration files, environment variables, and cached tokens commonly used by developers and automated systems, including .gitconfig, .npmrc, CI/CD pipeline configuration, and the credential files of various cloud providers. Anything readable by the installing user, including secrets a CI runner injects as environment variables, is readable by the install script; file permissions offer no protection here. The stolen data is then likely exfiltrated over standard web protocols, blending with normal network traffic.

A critical and dangerous aspect of this campaign is its lateral movement capability. If the compromised development or build environment holds permissions to publish other packages or access additional repositories, the malware can inject itself into further projects. This allows for self-propagation, turning an initial compromise into a vector for wider infection across an organization's internal codebases and even back into the public open-source ecosystem. Organizations should use an EDR solution to detect unusual process execution and credential access on developer workstations and build agents.
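The harvesting described above works because an install script inherits the installing user's access. The following script, an added example that is not code from the advisory, from Socket, or from the affected projects, inventories which credential stores on a host would be readable in that context, so they can be rotated or moved to a secrets manager before the next install. The file names and patterns are assumptions drawn from the files the article names plus the usual locations of cloud CLI credentials; the demo home directory it builds is constructed and every value in it is a placeholder.

```python
"""Report which credential stores on this host an install-time script could read.

A package lifecycle script (npm postinstall, setup.py, module import) runs with
the installing user's full privileges, so file permissions do not protect these
files from it; the only fix is not to keep long-lived secrets there.
"""
import os
import re
import tempfile
from pathlib import Path

# Relative path under $HOME -> pattern that indicates a plaintext secret.
# Paths and patterns are assumptions, not a list taken from the campaign.
CREDENTIAL_FILES = {
    ".npmrc": re.compile(r"^\s*(//[^=\s]*:)?_auth(Token)?\s*=\s*\S+", re.M),
    ".pypirc": re.compile(r"^\s*password\s*=\s*\S+", re.M),
    ".gitconfig": re.compile(r"helper\s*=\s*store", re.M),
    ".git-credentials": re.compile(r"https?://[^:/\s]+:[^@\s]+@", re.M),
    ".aws/credentials": re.compile(r"^\s*aws_secret_access_key\s*=\s*\S+", re.M | re.I),
    ".config/gcloud/application_default_credentials.json":
        re.compile(r'"(client_secret|private_key|refresh_token)"\s*:'),
    ".env": re.compile(r"^[A-Za-z0-9_]*(TOKEN|SECRET|KEY|PASSWORD)[A-Za-z0-9_]*=\S+", re.M),
}

# Environment variable names that usually carry a secret (CI-injected tokens).
SECRET_ENV = re.compile(r"TOKEN|SECRET|PASSWORD|API_KEY|ACCESS_KEY|CREDENTIAL", re.I)


def audit_home(home, environ=None):
    """Return the credential files and env vars readable from this user context."""
    home = Path(home)
    environ = os.environ if environ is None else environ
    found = []
    for rel, pattern in CREDENTIAL_FILES.items():
        path = home / rel
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable to us means unreadable to the script too
        if pattern.search(text):
            found.append(rel)
    env = sorted(k for k, v in environ.items() if v and SECRET_ENV.search(k))
    return {"files": found, "env": env}


def build_demo_home():
    """Constructed sample home directory; every value is a placeholder."""
    home = Path(tempfile.mkdtemp(prefix="demo-home-"))
    (home / ".npmrc").write_text("//registry.npmjs.org/:_authToken=npm_PLACEHOLDER\n")
    (home / ".gitconfig").write_text("[credential]\n\thelper = store\n")
    (home / ".aws").mkdir()
    (home / ".aws" / "credentials").write_text(
        "[default]\naws_access_key_id = AKIAPLACEHOLDER\n"
        "aws_secret_access_key = PLACEHOLDER/secret\n")
    (home / ".bashrc").write_text("export PATH=$HOME/bin:$PATH\n")  # harmless
    return home


if __name__ == "__main__":
    # Replace build_demo_home() with Path.home() to audit the real account.
    demo = build_demo_home()
    report = audit_home(demo, {"CI": "true", "GITHUB_TOKEN": "ghp_PLACEHOLDER"})
    for rel in report["files"]:
        print(f"rotate and remove: {demo / rel}")
    for name in report["env"]:
        print(f"secret-bearing env var visible to install scripts: {name}")
```

Run it on a build agent as the account the pipeline uses; every line it prints is a credential an install script from a malicious version would have had in hand, and therefore one to rotate.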

MITRE ATT&CK:

  • T1195.002 Compromise Software Supply Chain: The fundamental attack vector, publishing malicious package versions to public registries.
  • T1027 Obfuscated Files or Information: The malicious code is heavily obfuscated to avoid detection during static analysis.
  • T1552 Unsecured Credentials (T1552.001 Credentials In Files): Harvesting GitHub tokens, npm tokens, CI/CD secrets, cloud credentials, and API keys from dotfiles, configuration files, and environment variables. (T1003 OS Credential Dumping does not apply; nothing here dumps OS credential stores.)
  • T1078 Valid Accounts: Leveraging harvested credentials for self-propagation and further access.
  • T1567 Exfiltration Over Web Service: Likely method for sending harvested credentials out of the compromised environment, if a legitimate third-party service is used; exfiltration over HTTPS to attacker-controlled infrastructure maps to T1041 Exfiltration Over C2 Channel instead.

NIST SP 800-53:

  • SA-10 Developer Configuration Management: Emphasizes the need for robust controls over source code and development tools, including third-party components.
  • SI-3 Malicious Code Protection: Requires systems to detect and protect against malicious code introduced through external sources.
  • AC-6 Least Privilege: Limiting lateral movement is crucial, ensuring build systems and developer accounts only have permissions absolutely necessary for their function, preventing self-propagation.
  • IR-6 Incident Reporting: NHS England National CSOC explicitly advises immediate reporting for detected compromises.

Historical Context

This incident draws clear parallels to the SolarWinds supply chain attack in December 2020. In SolarWinds, attackers compromised a trusted software vendor's build process to inject malicious code into legitimate software updates, leading to widespread infiltration across numerous downstream customers. Both attacks exploited trust in the software supply chain to distribute malware through official channels.

The key similarity is the method of distribution: weaponizing trusted software update mechanisms. However, a difference here is the target. While SolarWinds targeted a commercial vendor’s enterprise software, this current attack focuses on the open-source package manager ecosystems of npm and PyPI, which have a far broader, more decentralized user base. The lateral movement capability, allowing the attack to inject itself into new packages if publishing permissions exist, also demonstrates an evolution in the self-propagation mechanism beyond simply waiting for updates to be downloaded.

Data at a Glance

Metric | Value | Source
Affected ecosystems | 2 (npm, PyPI) | BleepingComputer, SecurityWeek
Initial attack phase | April 29, 2026 | NHS England Digital
Second attack phase | May 11, 2026 | NHS England Digital
NHS advisory date | May 12, 2026 | NHS England Digital
Credential types targeted | 5 (GitHub tokens, npm tokens, CI/CD secrets, cloud credentials, API keys) | Socket
Affected projects | TanStack, Mistral AI, UiPath, OpenSearch | SecurityWeek
Malicious package versions | Hundreds | BleepingComputer
[Chart: key metrics, data from the sources cited above]

Our Take

This campaign reinforces a core truth: your supply chain is only as strong as its weakest link, and open-source dependencies are increasingly becoming that link. We need to move beyond reactive scanning to proactive controls in CI/CD pipelines: review new dependencies before they are admitted, install only from a lockfile (npm ci, or pip with pinned versions and hashes), disable install scripts where the build does not need them, and strictly enforce AC-6 Least Privilege for anything with build or publishing rights. Your developers' workstations and CI agents are critical attack surfaces. Keep credentials in a secrets manager or the CI system's secret store, scoped narrowly and short-lived; never hardcode them or leave them in dotfiles on the agent where an install script can read them.

The CVEDaily Take

This attack's ability to compromise groups of packages, coupled with its lateral movement potential, makes it a significant threat beyond typical single-package compromises. We believe the impact could be far wider than currently estimated due to this self-propagation mechanism. It demands an urgent shift from simply auditing individual dependencies to continuous monitoring of the entire dependency graph and associated build environments. What's your immediate action plan for auditing build agent permissions and credential storage after this incident?

FAQ

Q: What sensitive information is this malware specifically targeting?
A: The malware attempts to harvest a wide array of sensitive information, including GitHub tokens, npm tokens, CI/CD secrets, cloud credentials, and API keys, primarily to facilitate further access and self-propagation within the open-source ecosystem.

Q: How does this attack achieve lateral movement?
A: If the compromised development or build environment has permissions to publish other packages or access additional repositories, the malicious code can inject itself into those projects, effectively spreading the attack and creating new malicious versions of software.

Q: What should development teams do right now?
A: Immediately check your lockfiles and installed packages against the compromised versions identified by researchers such as Socket; if any were installed, rotate every credential that was present on that machine (npm and GitHub tokens, cloud keys, CI secrets) and report the compromise. Ensure your CI/CD pipelines scan dependencies and install from pinned lockfiles, and apply least privilege (AC-6) to all accounts and systems that can publish packages or write to repositories.
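The check recommended above, as an added example that is not Socket's tooling or part of the advisory: it reads an npm package-lock.json (lockfileVersion 2 or 3) and pip pins from requirements.txt or pip freeze output, matches them against a list of compromised versions, and separately lists every npm package whose lockfile entry declares an install script, since that is where install-time code runs. The IOC entries and the sample lockfile and requirements below are constructed placeholders, not the campaign's actual package names or versions; substitute the published list.

```python
"""Match a project's resolved dependency set against a compromised-version list."""
import json
import re
import sys
from pathlib import Path

# Constructed IOC list in "ecosystem:name:version" form. These are placeholders,
# not real compromised versions; load the published list in the same shape.
IOC = {
    "npm:@example-org/router:9.9.9",
    "npm:example-sdk:1.2.3",
    "pypi:example-client:0.0.7",
}

PIP_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def normalize_pypi(name):
    """PEP 503 normalisation so 'Example_Client' and 'example-client' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def npm_packages(lock):
    """Yield (name, version, has_install_script) from a v2/v3 package-lock."""
    for key, meta in lock.get("packages", {}).items():
        if not key:
            continue  # "" is the root project itself
        # Keys look like "node_modules/a/node_modules/@scope/b"; the package
        # name is everything after the last "node_modules/".
        name = key.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version"), bool(meta.get("hasInstallScript"))


def pip_packages(text):
    """Yield (normalised name, version) for every exact pin in requirements text."""
    for line in text.splitlines():
        m = PIP_PIN.match(line)
        if m:
            yield normalize_pypi(m.group(1)), m.group(2)


def scan(lock, requirements, iocs=IOC):
    """Return compromised versions found and npm packages that run install scripts."""
    wanted = {
        (eco, normalize_pypi(n) if eco == "pypi" else n, v)
        for eco, n, v in (entry.split(":", 2) for entry in iocs)
    }
    hits, install_scripts = [], []
    for name, version, has_script in npm_packages(lock):
        if ("npm", name, version) in wanted:
            hits.append(f"npm:{name}@{version}")
        if has_script:
            install_scripts.append(f"{name}@{version}")
    for name, version in pip_packages(requirements):
        if ("pypi", name, version) in wanted:
            hits.append(f"pypi:{name}=={version}")
    return {"compromised": hits, "install_scripts": install_scripts}


# Constructed sample inputs so the script runs offline.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@example-org/router": {"version": "9.9.9", "hasInstallScript": True},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/example-sdk": {"version": "1.2.2"},
    },
}
SAMPLE_REQUIREMENTS = "requests==2.32.3\nExample_Client==0.0.7  # constructed pin\nnumpy>=1.26\n"


if __name__ == "__main__":
    lock_path, req_path = Path("package-lock.json"), Path("requirements.txt")
    lock = json.loads(lock_path.read_text()) if lock_path.exists() else SAMPLE_LOCK
    reqs = req_path.read_text() if req_path.exists() else SAMPLE_REQUIREMENTS
    result = scan(lock, reqs)
    for hit in result["compromised"]:
        print("COMPROMISED VERSION INSTALLED:", hit)
    for pkg in result["install_scripts"]:
        print("runs an install script (review it):", pkg)
    sys.exit(1 if result["compromised"] else 0)
```

Run it from the project root in CI so a hit fails the build. The install-script list is not an indicator by itself, since many legitimate native packages use postinstall, but it is the short list worth reading when a new version lands.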