// token type
Indexed incidents that exposed API Key (generic). Sorted by disclosure date.
11 incidents indexed
On 2026-05-19 the @antv npm publisher session was used to ship 639 malicious versions across 323 packages, the Mini Shai-Hulud campaign now totals 1,055 versions across 502 packages.
npm worm hit 373 versions across 169 packages (@tanstack, @squawk, @uipath, mistralai) via trusted-publishing OIDC abuse and a prepare-script git dep that exfiltrates cloud and registry secrets at install.
A malicious build of @bitwarden/cli was published to the public npm registry for roughly 90 minutes, exfiltrating cloud tokens, SSH keys, and AI tooling credentials from CI runners and developer machines.
A third-party AI tool used by a Vercel employee was compromised, leading to Google Workspace takeover and access to non-sensitive environment variables in a subset of customer projects.
Compromised maintainer publish credentials were used to push two malicious versions of the official @solana/web3.js npm package, embedding a routine that exfiltrated private keys from any wallet using the SDK.
Malware on a CircleCI engineer's laptop stole a 2FA-backed session token, giving the attacker production access to customer environment variables and any secrets stored in CircleCI.
A subcontractor uploaded T-Connect source code to a public GitHub repository for nearly five years, exposing a database access key for ~296,000 customer records.
Two long-unmaintained npm packages — rc and coa, with combined weekly downloads in the tens of millions — were hijacked the same day and shipped credential-harvesting payloads matching ua-parser-js.
An attacker took over the maintainer account of ua-parser-js — a package with ~7M weekly downloads — and shipped versions containing a credential stealer (Windows) and a cryptominer (Linux).
Threat actors modified Codecov's Bash Uploader to exfiltrate environment variables containing tokens, credentials, and keys from CI/CD pipelines across roughly 29,000 affected organizations.
A new maintainer of the popular event-stream npm package added a malicious sub-dependency, flatmap-stream, that exfiltrated cryptocurrency wallet seeds from Copay-derived applications.
