pattern distribution

What credential surfaces are getting hit

Each caught package can match multiple static-analysis patterns. This view groups every match by the credential surface it targets — cloud accounts, browser stores, password managers, AI tooling, wallets, and so on. It tells you which exfiltration targets attackers are actually going after this cycle, not which ones the threat-modeling slides say they should.

358 total pattern hits across 10 categories

publisher campaigns · last 7 days · by impact

Publisher accounts whose recent catches span multiple distinct package names — the shape we see when one attacker pumps several different impersonating packages from one handle. Sorted by combined weekly downloads (the actual blast radius), not recency.

20 active

credential surfaces

What is being stolen — the headline answer.

Cloud credentials

rss3 hits

Source control / registries

rss4 hits

Browsers

rss1 hits

reads-chromium-creds1

Crypto wallets

rss1 hits

reads-seed-phrase1

AI tooling

rss2 hits

reads-ai-api-keys2

Messaging / chat

rss1 hits

discord-webhook1

behavior patterns

How the exfiltration works — execution, network, staging.

System reconnaissance

59 hits

Suspicious network destinations

170 hits

Code execution / obfuscation

70 hits

Data staging

47 hits