Cremit
/incidentsfield log
CatchesCampaignsExfilPatternsLLMIncidentsMethodology
↺rss↗cremit.io

incidents.cremit.io

A reference feed of real-world Non-Human Identity (NHI) credential leak incidents. Maintained by Cremit.

Browse

  • All incidents
  • npm supply chain
  • CI/CD compromise
  • Methodology

Subscribe

  • RSS feed
  • @cremit_io
  • GitHub
// status
monitor active
// build
2026-05-20
// origin
cremit · seoul, kr
// license
CC BY 4.0

© 2026 Cremit. content reuse encouraged with attribution.

home/token-types/signing-key

// token type

Signing Key leaks

Indexed incidents that exposed Signing Key. Sorted by disclosure date.

4 incidents indexed

  • 2024-12-03·CRITICAL8.4·confirmed

    @solana/web3.js Private Key Exfiltration (2024)

    Compromised maintainer publish credentials were used to push two malicious versions of the official @solana/web3.js npm package, embedding a routine that exfiltrated private keys from any wallet using the SDK.

    vector / npm supply chainplatforms / npmread / 5 min
  • 2021-11-04·CRITICAL8.7·confirmed

    rc and coa Coordinated npm Account Takeover (2021)

    Two long-unmaintained npm packages — rc and coa, with combined weekly downloads in the tens of millions — were hijacked the same day and shipped credential-harvesting payloads matching ua-parser-js.

    vector / npm supply chainplatforms / npmread / 5 min
  • 2021-10-22·CRITICAL8.8·confirmed

    ua-parser-js npm Account Compromise (2021)

    An attacker took over the maintainer account of ua-parser-js — a package with ~7M weekly downloads — and shipped versions containing a credential stealer (Windows) and a cryptominer (Linux).

    vector / npm supply chainplatforms / npmread / 5 min
  • 2018-11-26·HIGH7.4·confirmed

    event-stream / flatmap-stream Backdoor (2018)

    A new maintainer of the popular event-stream npm package added a malicious sub-dependency, flatmap-stream, that exfiltrated cryptocurrency wallet seeds from Copay-derived applications.

    vector / npm supply chainplatforms / npmread / 4 min