
incidents.cremit.io

A reference feed of real-world Non-Human Identity (NHI) credential leak incidents. Maintained by Cremit.

// status: monitor active
// build: 2026-05-20
// origin: cremit · seoul, kr
// license: CC BY 4.0

© 2026 Cremit. content reuse encouraged with attribution.

incidents.cremit.io · research index · v1

Credential-stealing supply-chain packages, indexed.

A narrow-focus index of malicious packages caught exfiltrating credentials — across npm, PyPI, GitHub Actions, the VS Code Marketplace, and Hugging Face. AWS keys, npm/PyPI tokens, browser cookies, wallet seeds, AI API keys, CI secrets. Each entry quotes the actual exfiltration code.

We don't track package pollution, generic typosquats without a payload, or wallet drainers without credential theft. Just packages that actually try to steal something. See methodology for the inclusion criteria.

caught total
364
auto-published verdicts
last 7 days
364
auto-published
364
high-confidence malicious
last 30 days
364
monitor active · last analysis 2026-05-20 · analyzed 364 · npm 362 / pypi 2 / github actions 0 / vs code marketplace 0 / hugging face 0
source: npm rss · pypi rss · gh actions · vscode marketplace · huggingface · ossf/malicious-packages

recent catches

Latest packages classified as malicious or pending review by the analyzer pipeline. Every entry links to the package, its tarball, and the offending code.

  • AUTO-PUBLISHED / npm / 17m ago

    @mandujs/core@0.54.7

    by oddeye

    Mandu Framework Core - Spec, Generator, Guard, Runtime

    steals → AWS keys, Apple/CloudKit, Chromium logins
    public-github-push, reads-env-vars, child-process-spawn, reads-chromium-creds, reads-aws-creds, reads-apple-cloudkit, base64-decode, clipboard-access

    → No suspicious destination, no remote-exec shape — 1 known-vendor host(s).

    weekly: — /wk · llm verdict: benign 0.85 · h-score: 89 · patterns: 8 · size: 5.4 MB · versions: 183
  • AUTO-PUBLISHED / npm / 16m ago

    @mandujs/cli@0.44.12

    by oddeye

    Agent-Native Fullstack Framework - a development OS whose architecture does not collapse even when agents write the code

    steals → AI API keys, MCP config, Chromium logins → sends to https://github.com/konamgil/mandu.git
    public-github-push, child-process-spawn, reads-chromium-creds, reads-env-vars, reads-ai-api-keys, reads-mcp-config, reads-homedir, base64-decode, +1

    → No suspicious destination, no remote-exec shape — 1 known-vendor host(s).

    weekly: — /wk · llm verdict: benign 0.85 · h-score: 64 · patterns: 9 · size: 1.8 MB · versions: 169
  • AUTO-PUBLISHED / npm / 25m ago

    @jskit-ai/jskit-catalog@0.1.92

    by mercmobily

    Published metadata catalog for JSKIT package descriptors.

    steals → AI API keys, Chromium logins
    reads-chromium-creds, reads-ai-api-keys

    → No suspicious destination, no remote-exec shape — 1 known-vendor host(s).

    weekly: — /wk · llm verdict: benign 0.85 · h-score: 64 · patterns: 2 · size: 265.4 KB · versions: 87
  • AUTO-PUBLISHED / npm / 25m ago

    @jskit-ai/realtime@0.1.83

    by mercmobily

    steals → Chromium logins
    reads-chromium-creds

    → No suspicious destination, no remote-exec shape — 1 known-vendor host(s).

    weekly: — /wk · llm verdict: benign 0.85 · h-score: 64 · patterns: 1 · size: 77.7 KB · versions: 78
  • AUTO-PUBLISHED / npm / 3h ago

    @stelnyx/report-theme@0.1.2

    by doceno

    Unified theme + template helpers for Stelnyx CLI reports (LuxScope, LuxFaber, SecGate).

    weekly: — /wk · h-score: 55 · size: 63.0 KB · versions: 2

credential surfaces hit

Which kinds of credentials caught packages were after, by category. Cloud platform keys, source-control tokens, browser logins, password manager stores, crypto wallets, AI API keys.

Cloud credentials

9 hits
  • reads-aws-creds: 6
  • reads-apple-cloudkit: 3

Source control / registries

4 hits
  • reads-npmrc: 2
  • reads-github-tokens: 1
  • reads-gitlab-tokens: 1

Browsers

15 hits
  • reads-chromium-creds: 15

Crypto wallets

3 hits
  • reads-seed-phrase: 3

AI tooling

7 hits
  • reads-ai-api-keys: 5
  • reads-mcp-config: 2

Messaging / chat

1 hit
  • discord-webhook: 1

curated incidents

Long-form, source-verified analyses of notable NHI credential leak events. Reviewed by Cremit research before publish.

  • 2026-05-19 · CRITICAL 9.4 · confirmed

    AntV npm Account Compromise: Mini Shai-Hulud Wave Hits 323 Packages (May 2026)

    On 2026-05-19 the @antv npm publisher session was used to ship 639 malicious versions across 323 packages; the Mini Shai-Hulud campaign now totals 1,055 versions across 502 packages.

    vector / npm supply chain · platforms / npm, GitHub, AWS, +2 · read / 22 min
  • 2026-05-12 · CRITICAL 9.5 · confirmed

    Mini Shai-Hulud npm Worm: TanStack, UiPath, Mistral AI and 169 Packages Compromised (May 2026)

    npm worm hit 373 versions across 169 packages (@tanstack, @squawk, @uipath, mistralai) via trusted-publishing OIDC abuse and a prepare-script git dep that exfiltrates cloud and registry secrets at install.

    vector / npm supply chain · platforms / npm, GitHub, AWS · read / 10 min
  • 2026-05-04 · HIGH 7.5 · confirmed

    microsop npm Cluster: Dependency-Confusion Campaign Targeting Apple Internal CI/CD (2026)

    npm publisher microsop pushed 36 versions across 6 Apple-themed packages between May 4–11, 2026, fingerprinting Apple internal CI and exfiltrating npmrc, env vars, and git origin to 12 rotating webhook.site endpoints.

    vector / Dependency confusion · platforms / npm · read / 7 min
  • 2026-04-22 · CRITICAL 9.0 · confirmed

    Bitwarden CLI Supply Chain Compromise (2026)

    A malicious build of @bitwarden/cli was published to the public npm registry for roughly 90 minutes, exfiltrating cloud tokens, SSH keys, and AI tooling credentials from CI runners and developer machines.

    vector / npm supply chain · platforms / npm, GitHub, Bitwarden, +3 · read / 6 min
  • 2026-04-19 · HIGH 7.8 · confirmed

    Vercel Context.ai Incident: Environment Variables Accessed via Compromised AI Tool (2026)

    A third-party AI tool used by a Vercel employee was compromised, leading to Google Workspace takeover and access to non-sensitive environment variables in a subset of customer projects.

    vector / Third-party AI tool compromise · platforms / Vercel · read / 3 min
  • 2024-12-03 · CRITICAL 8.4 · confirmed

    @solana/web3.js Private Key Exfiltration (2024)

    Compromised maintainer publish credentials were used to push two malicious versions of the official @solana/web3.js npm package, embedding a routine that exfiltrated private keys from any wallet using the SDK.

    vector / npm supply chain · platforms / npm · read / 5 min