Cremit
/incidentsfield log
탐지캠페인유출지패턴LLM사고 사례방법론
↺rss↗cremit.io

incidents.cremit.io

실제 발생한 비인간 식별자(NHI) 크리덴셜 유출 사고를 정리한 인덱스. 운영: Cremit

둘러보기

  • 전체 사고
  • npm 공급망
  • CI/CD 침해
  • 방법론

구독

  • RSS 피드
  • @cremit_io
  • GitHub
// 상태
모니터 가동중
// 빌드
2026-07-04
// 출처
cremit · 서울, 대한민국
// 라이선스
CC BY 4.0

© 2026 Cremit. 출처 표시 시 자유롭게 재사용 가능.

home/campaigns/npm/nidaye0525

// publisher 캠페인 · npm

nidaye0525

npm의 nidaye0525 계정이 publish한 catch 패키지 전체와, registry가 현재 노출하는 author·maintainer 정보. 같은 이메일이나 이름이 여러 패키지에 걸쳐 등장하면, 한 명이 여러 throwaway 계정을 운영한다는 강한 증거입니다.

↗npmjs.com publisher↗pypi.org user
패키지
2
고유 이름 수
탐지 이벤트
2
버전 × 이름
blast
—
주간 다운로드 합계
활동 기간
2026-06-05 → 2026-06-05
최초 → 최근 탐지

// publisher OSINT

이 계정 자체에 대한 시그널. 활동 기간이 짧으면 throwaway 가능성이 큽니다. 이메일 도메인을 보면 단발 webmail인지 진짜 조직 메일인지 한눈에 갈리고, 같은 핸들이 여러 registry에 있으면 같은 운영자라고 볼 강한 근거가 됩니다. GitHub 링크가 잡히면 실명 식별까지 곧장 이어집니다.

npm 활동
  • registry 패키지 수: 41
  • 최초 publish: 2026-06-05
  • 최근 publish: 2026-06-07
  • 활동 기간: 2일
다른 registry의 같은 핸들
  • npm /~nidaye0525: 존재함 ↗
  • pypi /user/nidaye0525: 존재함 ↗
  • github.com/nidaye0525: 없음
이메일 도메인
  • gmail.com×2webmail

// exfil path

what is read → where it ships
steals
  • ● npm token
  • ● GitHub PAT
  • ● AI API keys
  • ● AWS keys
  • ○ home dir
→
sends to

(no destination string extracted — payload may be dynamic / obfuscated)

Targets resolved from static-analysis flags; destinations extracted from the captured code excerpt. Full list + structured fields available in the IOC panel below.

// 공유 author 식별자

같은 이메일·이름이 캠페인 안 여러 패키지에 등장하는 경우. publisher 계정 외에 별도로 잡히는 직접적인 attribution 증거입니다.

emails
  • nidaye0525@gmail.com— @actagent/acpx, @actagent/amazon-bedrock-provider

// 패턴 풋프린트

캠페인 전반에서 어떤 정적 분석 플래그가 얼마나 자주 매칭됐는지. "이 캠페인이 결국 어떤 종류의 stealer인가"에 대한 요약 답.

  • ×2
  • ×2
  • ×1
  • ×1
  • ×1
  • ×1
  • ×1
  • ×1

// npm에 등록된 전체 활동

이 계정이 지금 registry에 올려둔 모든 패키지 (최신순). ● Cremit 파이프라인이 catch · ○ 아직 미검출.2/41 catch.

  • ○
    @actagent/zalouser@ 2026.6.5

    ACTAgent Zalo Personal Account plugin via native zca-js integration.

    2026-06-07
  • ○
    @actagent/zalo@ 2026.6.5

    ACTAgent Zalo channel plugin for bot and webhook chats.

    2026-06-07
  • ○
    @actagent/whatsapp@ 2026.6.5

    ACTAgent WhatsApp channel plugin for WhatsApp Web chats.

    2026-06-07
  • ○
    @actagent/voice-call

// 이 캠페인의 패키지

고유 이름 2개 · 최신순
  • ↳ author:maintainers: nidaye0525 <nidaye0525@gmail.com>↗ registry
  • ↳ author:maintainers: nidaye0525 <nidaye0525@gmail.com>↗ registry
@ 2026.6.5

ACTAgent voice-call plugin for Twilio, Telnyx, and Plivo phone calls.

2026-06-07
  • ○
    @actagent/twitch@ 2026.6.5

    ACTAgent Twitch channel plugin for chat and moderation workflows.

    2026-06-07
  • ○
    @actagent/tokenjuice@ 2026.6.5

    ACTAgent tokenjuice exec output compaction plugin

    2026-06-07
  • ○
    @actagent/tlon@ 2026.6.5

    ACTAgent Tlon/Urbit channel plugin for chat workflows.

    2026-06-07
  • ○
    @actagent/synology-chat@ 2026.6.5

    Synology Chat channel plugin for ACTAgent channels and direct messages.

    2026-06-07
  • ○
    @actagent/slack@ 2026.6.5

    ACTAgent Slack channel plugin for channels, DMs, commands, and app events.

    2026-06-07
  • ○
    @actagent/qqbot@ 2026.6.5

    ACTAgent QQ Bot channel plugin for group and direct-message workflows.

    2026-06-07
  • ○
    @actagent/pixverse-provider@ 2026.6.5

    ACTAgent PixVerse video generation provider plugin.

    2026-06-07
  • ○
    @actagent/openshell-sandbox@ 2026.6.5

    ACTAgent sandbox backend for the NVIDIA OpenShell CLI with mirrored local workspaces and SSH command execution.

    2026-06-07
  • ○
    @actagent/nostr@ 2026.6.5

    ACTAgent Nostr channel plugin for NIP-04 encrypted direct messages.

    2026-06-07
  • ○
    @actagent/nextcloud-talk@ 2026.6.5

    ACTAgent Nextcloud Talk channel plugin for conversations.

    2026-06-07
  • ○
    @actagent/msteams@ 2026.6.5

    ACTAgent Microsoft Teams channel plugin for bot conversations.

    2026-06-07
  • ○
    @actagent/memory-lancedb@ 2026.6.5

    ACTAgent LanceDB-backed long-term memory plugin with auto-recall, auto-capture, and vector search.

    2026-06-07
  • ○
    @actagent/mattermost@ 2026.6.5

    ACTAgent Mattermost channel plugin

    2026-06-07
  • ○
    @actagent/matrix@ 2026.6.5

    ACTAgent Matrix channel plugin for rooms and direct messages.

    2026-06-07
  • ○
    @actagent/lobster@ 2026.6.5

    Lobster workflow tool plugin for typed pipelines and resumable approvals.

    2026-06-07
  • ○
    @actagent/line@ 2026.6.5

    ACTAgent LINE channel plugin for LINE Bot API chats.

    2026-06-07
  • ○
    @actagent/irc@ 2026.6.5

    ACTAgent IRC channel plugin

    2026-06-07
  • ○
    @actagent/googlechat@ 2026.6.5

    ACTAgent Google Chat channel plugin for spaces and direct messages.

    2026-06-07
  • ○
    @actagent/google-meet@ 2026.6.5

    ACTAgent Google Meet participant plugin for joining calls through Chrome or Twilio transports.

    2026-06-07
  • ○
    @actagent/file-transfer@ 2026.6.5

    ACTAgent file transfer plugin (file_fetch, dir_list, dir_fetch, file_write)

    2026-06-07
  • ○
    @actagent/feishu@ 2026.6.5

    ACTAgent Feishu/Lark channel plugin for chats and workplace tools (community maintained by @m1heng).

    2026-06-07
  • ○
    @actagent/discord@ 2026.6.5

    ACTAgent Discord channel plugin for channels, DMs, commands, and app events.

    2026-06-07
  • ○
    @actagent/diffs@ 2026.6.5

    ACTAgent read-only diff viewer plugin and file renderer for agents.

    2026-06-07
  • ○
    @actagent/diffs-language-pack@ 2026.6.5

    ACTAgent diffs viewer syntax highlighting language pack

    2026-06-07
  • ○
    @actagent/diagnostics-prometheus@ 2026.6.5

    ACTAgent diagnostics Prometheus exporter for runtime metrics.

    2026-06-07
  • ○
    @actagent/diagnostics-otel@ 2026.6.5

    ACTAgent diagnostics OpenTelemetry exporter for metrics and traces.

    2026-06-07
  • ○
    @actagent/copilot@ 2026.6.5

    ACTAgent GitHub Copilot agent runtime plugin (registers a `github-copilot` AgentHarness backed by @github/copilot-sdk over JSON-RPC to the GitHub Copilot CLI)

    2026-06-07
  • ○
    @actagent/codex@ 2026.6.5

    ACTAgent Codex app-server harness and model provider plugin with a Codex-managed GPT catalog.

    2026-06-07
  • ○
    @actagent/brave-plugin@ 2026.6.5

    ACTAgent Brave Search provider plugin for web search.

    2026-06-07
  • ○
    @actagent/bonjour@ 2026.6.5

    ACTAgent Bonjour/mDNS gateway discovery

    2026-06-07
  • ○
    @actagent/anthropic-vertex-provider@ 2026.6.5

    ACTAgent Anthropic Vertex provider plugin for Claude models on Google Vertex AI.

    2026-06-07
  • ●
    @actagent/amazon-bedrock-provider@ 2026.6.5

    ACTAgent Amazon Bedrock provider plugin with model discovery, embeddings, and guardrail support.

    2026-06-07
  • ○
    @actagent/amazon-bedrock-mantle-provider@ 2026.6.5

    ACTAgent Amazon Bedrock Mantle provider plugin for OpenAI-compatible model routing.

    2026-06-07
  • ●
    @actagent/acpx@ 2026.6.5

    ACTAgent ACP runtime backend with plugin-owned session and transport management.

    2026-06-07
  • ○
    actagent@ 2026.6.5

    Multi-channel AI gateway with extensible messaging integrations / 多通道 AI 网关,支持可扩展的消息集成

    2026-06-07
  • ○
    @actagent/proxyline@ 0.3.3

    Process-global proxy routing for Node.js.

    2026-06-05
  • ○
    @actagent/fs-safe@ 0.3.0

    Capability-style filesystem roots for Node.js apps that handle untrusted relative paths.

    2026-06-05
  • reads-env-vars
    child-process-spawn
    reads-npmrc
    reads-github-tokens
    reads-ai-api-keys
    reads-homedir
    reads-aws-creds
    base64-decode
    AUTO-PUBLISHED/npm/2026-06-05

    @actagent/acpx@2026.6.2

    by nidaye0525

    ACTAgent ACP runtime backend with plugin-owned session and transport management.

    steals →npm tokenGitHub PATAI API keys
    reads-env-varsreads-npmrcreads-github-tokensreads-ai-api-keysreads-homedirchild-process-spawn
    weekly
    —
    /wk
    h-score
    74
    patterns
    6
    size
    398.2 KB
    versions
    1
    AUTO-PUBLISHED/npm/2026-06-05

    @actagent/amazon-bedrock-provider@2026.6.2

    by nidaye0525

    ACTAgent Amazon Bedrock provider plugin with model discovery, embeddings, and guardrail support.

    steals →AWS keys
    reads-aws-credsreads-env-varschild-process-spawnbase64-decode
    weekly
    —
    /wk
    h-score
    74
    patterns
    4
    size
    221.8 KB
    versions
    1