Packages that read ~/.ssh/id_rsa, id_ed25519, authorized_keys, or known_hosts. Used to enable lateral movement to git remotes and SSH-accessible production systems.
9 packages flagged with this pattern (19 total publish events, collapsed by publisher+name). Newest first.
→ Worm self-propagation: package reads .npmrc _authToken AND invokes npm publish in install-path code. Shai-Hulud-class shape — no legitimate package re-publishes OTHER packages from the user's machine.