Hackers Compromise 170 npm Packages to Steal GitHub, npm, AWS, and Kubernetes Secrets

A sprawling supply chain attack has put software developers worldwide on high alert after hackers compromised more than 170 npm packages and two PyPI packages in a coordinated credential theft campaign.

The infected packages are collectively downloaded over 200 million times per week, making the potential blast radius enormous.

The threat group behind the campaign, tracked as TeamPCP, injected malicious loaders and obfuscated JavaScript payloads into widely used developer packages.

These payloads were built to run silently inside developer machines and CI/CD pipelines, harvest sensitive credentials, and use those credentials to spread even further. The scale of exposure caught many development teams off guard.

Researchers at JFrog uncovered the full scope of this campaign, naming it “Shai-Hulud: Here We Go Again” after recognizing hallmarks from previous attacks by the same group.

Their analysis revealed that this was not a simple one-time intrusion but a self-replicating operation designed to keep growing with every successful new infection.

Hackers Compromise 170 npm Packages

The attack began inside a trusted GitHub release environment. The attackers exploited a workflow pattern that allowed fork-controlled code to run in a privileged repository context, gaining a foothold without raising immediate red flags.

From there, they poisoned a build cache entry, which a later release workflow restored during what looked like routine build activity.

Once inside, the malware extracted GitHub Actions identity tokens from runner memory and exchanged them for npm publishing credentials.

It then injected malicious code into additional packages, bumped their version numbers, and republished them. Each compromised package became a launchpad for the next wave of infections.

What makes this campaign especially alarming is its worm-like behavior. Instead of stealing secrets from one machine and stopping, the malware keeps moving.

After collecting npm tokens or trusted-publishing credentials, the payload scans for every package the victim account can publish, rewrites those packages with malicious code, and pushes new infected versions to the public registry.

The malware can also request an OIDC token for the npm registry and exchange it for a publishing token, all while hiding behind the same trusted workflow identity that real developers use.

This means infected packages can appear to come from verified, trusted sources while still carrying malware inside.

The campaign also expanded into Python through two compromised PyPI packages. The PyPI variant uses an import-time trigger, so just importing the package in any Python script can activate the loader.

That loader then silently downloads a remote payload from attacker servers, which has since evolved into a full credential stealer targeting cloud providers, Kubernetes, Vault, password managers, and developer tools.

Credential Theft and the Dead-Man Switch

The npm payload targets a wide range of secrets, including GitHub tokens, npm credentials, AWS access keys from environment variables and cloud metadata services, Kubernetes service account tokens, HashiCorp Vault tokens, SSH keys, Docker credentials, and generic API keys.

In cloud environments, it queries the EC2 metadata service to retrieve IAM role credentials directly. The malware uses GitHub itself as an exfiltration channel.

It creates a public repository under a stolen token, commits encrypted credential bundles there, and marks the repository with the campaign name as a tracker.

Commits containing stolen GitHub tokens carry a threatening message warning defenders against revoking access. That threat is backed by a real dead-man switch.

The malware installs a background monitor that polls GitHub every 60 seconds and, if the stolen token is revoked, immediately triggers a destructive wipe command on the affected machine.

Defenders must fully remove all persistence before rotating any credentials, or they risk triggering the wiper themselves.

JFrog recommends isolating all affected machines and CI/CD runners before revoking any tokens. Persistence files and background services must be removed first.

After cleanup, teams should rotate GitHub tokens, npm tokens, AWS credentials, Kubernetes service accounts, Vault tokens, and SSH keys.

Developers should also review repositories for commits authored as “claude@users.noreply.github.com” and look for unexpected Dependabot-like branches that do not match normal automation patterns.

Indicators of Compromise (IoCs):-

Type	Indicator	Description
IP Address	83.142.209.194	Primary attacker C2 server and PyPI payload host
URL	hxxps[:]//83.142.209.194/transformers.pyz	PyPI remote payload download URL
URL	hxxps[:]//83.142.209.194/v1/models	PyPI early-quarantine / second-stage retrieval endpoint
URL	hxxps[:]//83.142.209.194/v1/weights	PyPI primary credential exfiltration endpoint
URL	hxxps[:]//83.142.209.194/audio.mp3	PyPI destructive second-stage media download
Domain	seed1[.]getsession[.]org	Session/Oxen seed node for encrypted credential upload
Domain	seed2[.]getsession[.]org	Session/Oxen seed node for encrypted credential upload
Domain	seed3[.]getsession[.]org	Session/Oxen seed node for encrypted credential upload
Domain	filev2[.]getsession[.]org	Session/Oxen file upload service
Domain	git-tanstack[.]com	Campaign infrastructure
Domain	api[.]masscan[.]cloud	Campaign infrastructure
File	transformers.pyz	Malicious PyPI downloaded payload
File Path	/tmp/transformers.pyz	PyPI payload drop path on Linux
File	setup.mjs	npm campaign loader file
File	router_init.js (also tanstack_runner.js)	npm malicious JavaScript payload
File Path	~/.local/bin/gh-token-monitor.sh	Linux dead-man switch script
File Path	~/.config/systemd/user/gh-token-monitor.service	Linux dead-man switch systemd service
File Path	~/Library/LaunchAgents/com.user.gh-token-monitor.plist	macOS dead-man switch LaunchAgent
File Path	~/.local/bin/pgmonitor.py	PyPI second-stage persistence payload (Linux user)
File Path	/usr/bin/pgmonitor.py	PyPI second-stage persistence payload (root)
Service Name	pgsql-monitor.service	PyPI second-stage systemd persistence, masquerades as PostgreSQL monitor
Email / Commit Author	claude@users.noreply.github.com	GitHub commit author marker used for dead-drop exfiltration
Keyword	FIRESCALE	PyPI fallback C2 discovery keyword searched in GitHub commits
Repository Description	Shai-Hulud: Here We Go Again	GitHub dead-drop repository description (npm variant)
Repository Description	PUSH UR T3MPRR	GitHub exfiltration repository description (PyPI variant)
Hash (SHA-1)	29c729852fce5a53e30a1541d9fec79c915b2e13	npm payload hash
Hash (SHA-1)	f1eda94a5978cf0aae0d88d92ec78d556d696e20	npm payload hash
Hash (SHA-1)	8927cc503d48e4b5eb56b31abc2870c2ed2e98d6	npm payload hash
Hash (SHA-1)	be27fc96ab4fcadaec49c03278063dd269ea5eef	npm payload hash
Hash (SHA-1)	82d24f2124a8e15d7b90f2fa8601266c	npm payload hash
Hash (SHA-256)	D4a2086ea18f5e39cd867b8b06918a524eabb21d45ea98aad07357b98173458a	npm payload hash
Hash (SHA-256)	2a314ea8be337e1ca9ec833ed13ed854d9fd38bce0a519cf288f3bec8d9e6f30	PyPI __init__.py payload hash
Hash (SHA-256)	5245eb032e336b85cff0dbb3450d591826bf2ef214fd30d7eba1a763664e151b	Updated PyPI transformers.pyz payload hash

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Compromise 170 npm Packages to Steal GitHub, npm, AWS, and Kubernetes Secrets appeared first on Cyber Security News.