// Attack vector
All indexed incidents whose primary attack vector is classified as npm supply chain. Sorted by disclosure date.
8 indexed
On 2026-05-19 the @antv npm publisher session was used to ship 639 malicious versions across 323 packages; the Mini Shai-Hulud campaign now totals 1,055 versions across 502 packages.
An npm worm hit 373 versions across 169 packages (@tanstack, @squawk, @uipath, mistralai) via trusted-publishing OIDC abuse and a prepare-script git dependency that exfiltrates cloud and registry secrets at install time.
A malicious build of @bitwarden/cli was published to the public npm registry for roughly 90 minutes, exfiltrating cloud tokens, SSH keys, and AI tooling credentials from CI runners and developer machines.
Compromised maintainer publish credentials were used to push two malicious versions of the official @solana/web3.js npm package, embedding a routine that exfiltrated private keys from any wallet using the SDK.
Two long-unmaintained npm packages — rc and coa, with combined weekly downloads in the tens of millions — were hijacked the same day and shipped credential-harvesting payloads matching ua-parser-js.
An attacker took over the maintainer account of ua-parser-js — a package with ~7M weekly downloads — and shipped versions containing a credential stealer (Windows) and a cryptominer (Linux).
A new maintainer of the popular event-stream npm package added a malicious sub-dependency, flatmap-stream, that exfiltrated cryptocurrency wallet seeds from Copay-derived applications.
An attacker stole an ESLint maintainer's npm credentials and published a malicious eslint-scope version that exfiltrated developer .npmrc tokens to a remote server.