A narrow-focus index of malicious packages caught exfiltrating credentials — across npm, PyPI, GitHub Actions, the VS Code Marketplace, and Hugging Face. AWS keys, npm/PyPI tokens, browser cookies, wallet seeds, AI API keys, CI secrets. Each entry quotes the actual exfiltration code.
We don't track package pollution, generic typosquats without a payload, or wallet drainers without credential theft. Just packages that actually try to steal something. See methodology for the inclusion criteria.
Latest packages classified as malicious or pending review by the analyzer pipeline. Every entry links to the package, its tarball, and the offending code.
Full RCE PoC -osama
→ Sends to suspicious destination(s): wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun.
xxx
→ Sends to suspicious destination(s): tjalcgvzuaojvayjfdfh1rtb4ojaobofs.oast.fun.
Full RCE PoC - Alex Birsan Style
→ Sends to suspicious destination(s): wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun.
CI/CD Security Posture Scanner — scores AWS, Terraform, CloudFormation, GitHub Actions, GitLab CI, Azure DevOps, Bitbucket Pipelines, Jenkins, CircleCI, Google Cloud Build, Buildkite, Drone CI, Tekton, Argo Workflows, Dockerfile, Kubernetes manifests, Helm charts, OCI image manifests, SCM repo posture (GitHub / GitLab / Bitbucket), npm and pypi dependency files against OWASP Top 10 CI/CD Risks and 14 other compliance frameworks
→ Worm self-propagation: package reads .npmrc _authToken AND invokes npm publish in install-path code. Shai-Hulud-class shape — no legitimate package re-publishes OTHER packages from the user's machine.
MCP server for environment security auditing. Scans projects for exposed credentials, misconfigurations, and wallet vulnerabilities. Recommended by the Web3 security community. Part of the DeFi Security Alliance toolchain.
→ Sends to suspicious destination(s): webhook.site.
Which kinds of credentials caught packages were after, by category. Cloud platform keys, source-control tokens, browser logins, password manager stores, crypto wallets, AI API keys.
Long-form, source-verified analyses of notable NHI credential leak events. Reviewed by Cremit research before publish.
On 2026-05-19 the @antv npm publisher session was used to ship 639 malicious versions across 323 packages, the Mini Shai-Hulud campaign now totals 1,055 versions across 502 packages.
npm worm hit 373 versions across 169 packages (@tanstack, @squawk, @uipath, mistralai) via trusted-publishing OIDC abuse and a prepare-script git dep that exfiltrates cloud and registry secrets at install.
npm publisher microsop pushed 36 versions across 6 Apple-themed packages between May 4–11, 2026, fingerprinting Apple internal CI and exfiltrating npmrc, env vars, and git origin to 12 rotating webhook.site endpoints.
A malicious build of @bitwarden/cli was published to the public npm registry for roughly 90 minutes, exfiltrating cloud tokens, SSH keys, and AI tooling credentials from CI runners and developer machines.
A third-party AI tool used by a Vercel employee was compromised, leading to Google Workspace takeover and access to non-sensitive environment variables in a subset of customer projects.
Compromised maintainer publish credentials were used to push two malicious versions of the official @solana/web3.js npm package, embedding a routine that exfiltrated private keys from any wallet using the SDK.
