/incidentsfield log

Catches Campaigns Exfil Patterns LLM Incidents Methodology

↺rss ↗cremit.io

incidents.cremit.io

A reference feed of real-world Non-Human Identity (NHI) credential leak incidents. Maintained by Cremit.

Browse

All incidents
npm supply chain
CI/CD compromise
Methodology

Subscribe

RSS feed
@cremit_io
GitHub

// status

monitor active

// build

2026-05-20

// origin

cremit · seoul, kr

// license

© 2026 Cremit. content reuse encouraged with attribution.

home/token-types/ssh-private-key

// token type

SSH Private Key leaks

Indexed incidents that exposed SSH Private Key. Sorted by disclosure date.

3 incidents indexed

2026-05-19·CRITICAL9.4·confirmed
AntV npm Account Compromise: Mini Shai-Hulud Wave Hits 323 Packages (May 2026)
On 2026-05-19 the @antv npm publisher session was used to ship 639 malicious versions across 323 packages, the Mini Shai-Hulud campaign now totals 1,055 versions across 502 packages.
vector / npm supply chainplatforms / npm, GitHub, AWS, +2read / 22 min
2026-05-04·HIGH7.5·confirmed
microsop npm Cluster: Dependency-Confusion Campaign Targeting Apple Internal CI/CD (2026)
npm publisher microsop pushed 36 versions across 6 Apple-themed packages between May 4–11, 2026, fingerprinting Apple internal CI and exfiltrating npmrc, env vars, and git origin to 12 rotating webhook.site endpoints.
vector / Dependency confusionplatforms / npmread / 7 min
2026-04-22·CRITICAL9.0·confirmed
Bitwarden CLI Supply Chain Compromise (2026)
A malicious build of @bitwarden/cli was published to the public npm registry for roughly 90 minutes, exfiltrating cloud tokens, SSH keys, and AI tooling credentials from CI runners and developer machines.
vector / npm supply chainplatforms / npm, GitHub, Bitwarden, +3read / 6 min