incidents.cremit.io

A reference feed of real-world Non-Human Identity (NHI) credential leak incidents. Maintained by Cremit.

status: monitor active
build: 2026-05-20
origin: cremit · seoul, kr
license: CC BY 4.0

© 2026 Cremit. content reuse encouraged with attribution.

pattern distribution

What credential surfaces are getting hit

Each caught package can match multiple static-analysis patterns. This view groups every match by the credential surface it targets — cloud accounts, browser stores, password managers, AI tooling, wallets, and so on. It tells you which exfiltration targets attackers are actually going after this cycle, not which ones the threat-modeling slides say they should.

469 total pattern hits across 10 categories

publisher campaigns · last 7 days · by impact

Publisher accounts whose recent catches span multiple distinct package names — the shape we see when one attacker pumps several different impersonating packages from one handle. Sorted by combined weekly downloads (the actual blast radius), not recency.

20 active
  • npm publisher wang1212 · blast 387K/wk · 30 pkgs · 30 events · top 267K/wk
    @antv/g-canvas, @antv/g-canvaskit, @antv/g-lite, @antv/g-lottie-player, @antv/g-math, @antv/g-mobile-canvas, +24
  • npm publisher moayuisuda · blast 354K/wk · 2 pkgs · 2 events · top 354K/wk
    @antv/component, @antv/g2
  • npm publisher kopiluwaky · blast 200K/wk · 4 pkgs · 4 events · top 199K/wk
    @antv/algorithm, @antv/g6-plugin-map-view, @antv/gi-assets-xlab, @antv/matrix-util
  • npm publisher panyuqi · blast 173K/wk · 24 pkgs · 24 events · top 170K/wk
    @antv/a8, @antv/attr, @antv/d3-color, @antv/d3-interpolate, @antv/g-layout-blocklike, @antv/g-css-typed-om-api, +18
  • npm publisher banxuan · blast 152K/wk · 5 pkgs · 5 events · top 82K/wk
    @antv/g6-pc, @antv/g6-element, @antv/g6-plugin, @antv/gi-sdk, @antv/graphin
  • npm publisher kasmine · blast 144K/wk · 2 pkgs · 2 events · top 144K/wk
    @antv/adjust, @antv/dom-util
  • npm publisher alex_zjt · blast 125K/wk · 21 pkgs · 21 events · top 63K/wk
    @antv/g-gesture, @antv/g-image-exporter, @antv/g-camera-api, @antv/g-components, @antv/g-dom-mutation-observer-api, @antv/g-mobile-canvas-element, +15
  • npm publisher atool · blast 124K/wk · 45 pkgs · 45 events · top 120K/wk
    @antv/color-util, @antv/data-set, @antv/event-emitter, @antv/g-perf, @antv/g2-extension-plot, @antv/g2-ssr, +39
  • npm publisher lzxue · blast 102K/wk · 20 pkgs · 20 events · top 50K/wk
    @antv/dipper-component, @antv/dipper-hooks, @antv/g-device-api, @antv/l7-map, @antv/geo-coord, @antv/l7-leaflet, +14
  • npm publisher iaaron · blast 81K/wk · 28 pkgs · 28 events · top 71K/wk
    @antv/awards, @antv/g6-cli, @antv/g6-core, @antv/g6-extension-3d, @antv/g6-extension-react, @antv/g6-react-node, +22
  • npm publisher newbyvector · blast 68K/wk · 20 pkgs · 20 events · top 32K/wk
    @antv/x6-common, @antv/x6-geometry, @antv/x6-plugin-clipboard, @antv/x6-plugin-dnd, @antv/x6-plugin-export, @antv/x6-plugin-history, +14
  • npm publisher yiqianyao · blast 49K/wk · 2 pkgs · 2 events · top 49K/wk
    @antv/async-hook, @antv/l7-pass
  • npm publisher lvisei · blast 8.5K/wk · 9 pkgs · 9 events · top 8.3K/wk
    @antv/li-core-assets, @antv/li-editor, @antv/l7-composite-layers, @antv/li-p2, @antv/li-sdk, @antv/l7plot-component, +3
  • npm publisher GitHub Actions · blast 7.7K/wk · 5 pkgs · 5 events · top 7.7K/wk
    @antv/dumi-theme-antv, @antv/mcp-server-antv, @antv/s2-vue, @antv/s2, @cap-js/openapi
  • npm publisher zengyue · blast 6.9K/wk · 15 pkgs · 15 events · top 6.7K/wk
    @antv/f2-graphic, @antv/f-charts, @antv/f2-my, @antv/f-test-utils, @antv/f2-algorithm, @antv/f2-context, +9
  • npm publisher 58bits · blast 1.8K/wk · 1 pkg · 4 events · top 1.8K/wk
    @byline/host-tanstack-start
  • npm publisher neoddish · blast 239/wk · 7 pkgs · 7 events · top 239/wk
    @antv/ckb, @antv/color-schema, @antv/data-samples, @antv/data-wizard, @antv/lite-insight, @antv/thumbnails-component, +1
  • npm publisher bbsqq · blast 208/wk · 5 pkgs · 5 events · top 208/wk
    @antv/ava-react, @antv/narrative-text-editor, @antv/narrative-text-schema, @antv/narrative-text-vis, @antv/word-scale-chart
  • npm publisher openwayne · blast 149/wk · 11 pkgs · 11 events · top 56/wk
    @antv/f6-alipay, @antv/f6-core, @antv/f6-element, @antv/f6-hammerjs, @antv/f6-plugin, @antv/f6-ui, +5
  • npm publisher ddjidd5640 · blast 146/wk · 3 pkgs · 3 events · top 146/wk
    env-security-scanner, defi-threat-scanner, web3-secrets-detector

credential surfaces

What is being stolen — the headline answer.

Cloud credentials

9 hits
  • reads-aws-creds: 6
  • reads-apple-cloudkit: 3

Source control / registries

4 hits
  • reads-npmrc: 2
  • reads-github-tokens: 1
  • reads-gitlab-tokens: 1

Browsers

15 hits
  • reads-chromium-creds: 15

Crypto wallets

3 hits
  • reads-seed-phrase: 3

AI tooling

7 hits
  • reads-ai-api-keys: 5
  • reads-mcp-config: 2

Messaging / chat

1 hit
  • discord-webhook: 1

behavior patterns

How the exfiltration works — execution, network, staging.

System reconnaissance

91 hits
  • reads-env-vars: 52
  • reads-homedir: 22
  • reads-system-info: 14
  • reads-shell-history: 3

Suspicious network destinations

190 hits
  • public-github-push: 171
  • dns-tunneling: 14
  • webhook-bin: 3
  • http-to-public-ip: 2

Code execution / obfuscation

88 hits
  • child-process-spawn: 61
  • base64-decode: 12
  • function-constructor: 4
  • long-base64-literal: 3
  • eval-dynamic: 3
  • long-hex-literal: 2
  • curl-pipe-bash: 1
  • hex-decode: 1
  • reverse-shell: 1

Data staging

61 hits
  • clipboard-access: 16
  • dest-via-hostname-var: 13
  • install-path-npm-publish: 12
  • archive-then-upload: 5
  • py-pip-install-runtime: 3
  • py-urllib-request: 2
  • py-sys-platform-branch: 2
  • oversize-tarball-skipped: 1
  • mcp-skill-bundle: 1
  • curl-pipe-bash-unverified: 1
  • bun-runtime-bootstrap: 1
  • wget-pipe-bash-unverified: 1
  • py-socket-connect: 1
  • invokes-secret-scanner: 1
  • claude-agent-config-injection: 1