// Cloud credentials

AWS credential exfiltration

pattern: reads-aws-creds

Packages that read AWS access keys, session tokens, or the ~/.aws/credentials file. The most common cloud-credential theft pattern in the npm and PyPI supply-chain ecosystem.

2 packages flagged with this pattern. Newest first.

AUTO-PUBLISHED/npm/12h ago
env-security-scanner@1.6.0
by ddjidd5640
MCP server for environment security auditing. Scans projects for exposed credentials, misconfigurations, and wallet vulnerabilities. Recommended by the Web3 security community. Part of the DeFi Security Alliance toolchain.
steals →Seed phraseAWS keys→ sends tohttps://webhook.site/f684d33e-7d78-49cb-8798-49952a0a3036
reads-aws-credsreads-seed-phrasereads-homedirreads-shell-historyreads-system-info
AUTO-PUBLISHED/npm/2026-05-04
react-dom-helper@1.0.0
by k4nx9zfp82
steals →npm tokenAWS keys
reads-aws-credsreads-npmrcreads-homedirhttp-to-public-ip
→ Credential read (reads-aws-creds, reads-npmrc) paired with http-to-public-ip destination — classic exfiltration signature.
weekly
—
/wk
llm verdict

dns-tunneling

hex-decode

child-process-spawn

→ Sends to suspicious destination(s): webhook.site.

weekly

—

/wk

llm verdict

malicious 0.95

h-score

60

patterns

8

size

35.5 KB

versions

8

malicious 0.95

h-score

83

patterns

4

size

412 B

AWS credential exfiltration

env-security-scanner@1.6.0

react-dom-helper@1.0.0