Two Malicious npm Packages Aim to Steal Credentials and Other Secrets

Bad actors took over an npm maintainer account and have published two malicious packages designed to steal credentials, API keys, and other secrets from the computers of victims who download them from the repository.

Analysts with Sonatype’s Security Research Team wrote in a report that the two packages – sbx-mask and touch-adv – likely are more than test packages, with the attackers hijacking the publisher account to take advantage of the trust maintainers build with developers to steal valuable information, in this case, secrets that can include credentials, certificates, or API keys.

Sonatype is tracking the packages under Sonatype-2026-001276 and Sonatype-2026-001275, adding that the malware campaign is still active and under investigation. The attacks haven’t been attributed to a threat actor yet. Sonatype reported the packages this week to npm.

The malicious packages are only the latest examples of a rising trend of bad actors targeting open code repositories, not only npm but GitHub and others.

As Penta Security noted in January, “attackers often create repositories that appear to be legitimate projects and distribute malicious files alongside normal code, or they secretly insert malicious code into existing open source projects to target developers. The fundamental problem is that it is extremely difficult to block these attacks completely at the software level.”

Aikido Security, which offers an app security platform, wrote this month about a mass campaign being run in March by a threat actor known as Glassworm across open code repositories.

Fighting Back

Organizations appear to be pushing back at the rising tide of such software supply chain attacks, with a recent Futurum Group survey finding that 39% of those surveyed expect to increase spending on software security testing, followed by additional investments in securing APIs.

In the recent software supply chain campaign detected by Sonatype, the attackers’ reliance on trusted maintainer accounts rather than creating new packages or posing as popular libraries is one aspect that makes the threat stand out.

“The attackers appear to have taken control of accounts with established credibility in the npm ecosystem,” the analysts wrote. “This dramatically increases the likelihood that developers will install affected packages without suspicion. Additionally, the attackers employed multiple exfiltration techniques, including both webhook-based collection and direct email transmission. This dual approach increases the resilience of the campaign and suggests a level of planning beyond opportunistic attacks.”

They also noted the timing of the publication of the package, writing that multiple malicious versions popped up in a narrow window of time, which indicates that the exploitation was automated or access to multiple accounts was coordinated.

Going Deeper into Packages

According to the report, the sbx-mask package runs automatically through a post-install script to immediately execute its payload, which increases the likelihood of fast credential exposure, the analysts wrote.

For its part, touch-adv does not execute on install. Its payload runs later, when the application code is invoked. It reads TRACE_ID, collects and formats environment variables, and then sends the exfiltrated data via a POST request to an email address, ethan@vm0.ai, via agentmail.

“This distinction is notable,” the analysts wrote. “Rather than relying solely on install-time execution, attackers are increasingly embedding malicious code deeper within npm packages to evade detection. By delaying execution until runtime, these techniques make the malware less obvious during standard dependency inspection.”

Harvesting and Exfiltrating Data

The payload is embedded within application code, which executes either during installation or when the package is imported into an application. The malicious script then runs a series of actions that harvest and exfiltrate sensitive data. This data includes environment variables from the host’s system, sensitive credentials like API keys, authentication tokens, and cloud service secrets.

Once collected, the data is transmitted to endpoints controlled by the attackers, such as webhook services and hard-coded email addresses, in this case, ethan@vm0.ai via agentmail.

“Because environment variables are widely used to manage secrets in development and production environments, this type of attack can lead to serious downstream compromise,” they wrote. “Exposed credentials may enable attackers to access cloud infrastructure, manipulate CI/CD pipelines, or move laterally across systems within an organization.”

Targeting Developers

Developers and organizations that rely on npm packages as part of their software development lifecycle (SDLC) are the primary targets of the campaign, according to Sonatype. The high-risk targets include CI/CD pipelines and automated build systems, cloud-based deployment environments, and local developer machines with access to credentials and tokens.

“In these contexts, a single compromised package installation can expose secrets that grant attackers access to broader infrastructure, increasing the potential for downstream compromise across an organization,” the analysts wrote.

If an organization downloaded one of the packages, they need to remove it immediately and rotate credentials that may have been exposed. They also need to review system and CI/CD logs for unusual activity, with an eye on outbound network requests that could indicate data that’s been stolen.

Overall, they also need to reduce their reliance on long-lived credentials, according to Sonatype.
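
For teams checking whether they pulled in either package, the following is an added example (not code from Sonatype or the original report) that audits a package-lock.json for the two package names in the article and, separately, for any dependency npm recorded as having an install script. It assumes lockfileVersion 2 or 3; the sample lockfile and its version strings are constructed placeholders, and it flags the named packages at any version because the article does not list the affected versions.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3) for the
// two packages named in the report and for dependencies with install scripts.
const REPORTED = new Set(['sbx-mask', 'touch-adv']); // names from the article

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

function scanLockfile(lock) {
  const findings = { reported: [], installScripts: [] };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const entry = { name: packageName(path), version: meta.version, path };
    if (REPORTED.has(entry.name)) findings.reported.push(entry);
    // npm sets hasInstallScript when a package declares preinstall, install
    // or postinstall; a payload that only runs at import time never sets it.
    if (meta.hasInstallScript === true) findings.installScripts.push(entry);
  }
  return findings;
}

// Reads a real lockfile from disk; dynamic import works in CJS and ESM.
async function scanFile(file) {
  const { readFileSync } = await import('node:fs');
  return scanLockfile(JSON.parse(readFileSync(file, 'utf8')));
}

// Constructed sample lockfile (versions are placeholders, not from the report).
const SAMPLE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-helper': { version: '2.1.0' },
    'node_modules/sbx-mask': { version: '0.0.0-placeholder', hasInstallScript: true },
    'node_modules/left-helper/node_modules/touch-adv': { version: '0.0.0-placeholder' },
    'node_modules/@demo/native-addon': { version: '3.0.0', hasInstallScript: true },
  },
};

const result = scanLockfile(SAMPLE);
console.log(JSON.stringify(result, null, 2));
```

In the sample, the nested touch-adv entry is caught only by the name match, which mirrors the runtime-execution point above: installing with `--ignore-scripts` or reviewing install hooks does not surface a payload that waits until the package is imported.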
