Malicious nx Packages Exfiltrate Credentials in 's1ngularity' Supply Chain Attack

5 unique sources, 17 articles

Summary

The **UNC6426** threat actor has weaponized credentials stolen during the August 2025 **nx npm supply-chain attack** to execute a rapid cloud breach, escalating from a compromised GitHub token to **full AWS administrator access in under 72 hours**. By abusing GitHub-to-AWS OpenID Connect (OIDC) trust, the attacker deployed a new IAM role with `AdministratorAccess`, exfiltrated S3 bucket data, terminated production EC2/RDS instances, and **publicly exposed the victim’s private repositories** under the `/s1ngularity-repository-[randomcharacters]` naming scheme. This follows the broader *Shai-Hulud* and *SANDWORM_MODE* campaigns, which collectively compromised **over 400,000 secrets** via trojanized npm packages, GitHub Actions abuse, and AI-assisted credential harvesting (e.g., QUIETVAULT malware leveraging LLM tools). The attack chain began with the **Pwn Request** exploitation of a vulnerable `pull_request_target` workflow in nx, leading to trojanized package publication and theft of GitHub Personal Access Tokens (PATs). UNC6426 later used tools like **Nord Stream** to extract CI/CD secrets, highlighting the risks of **overprivileged OIDC roles** and **standing cloud permissions**. Researchers warn of escalating supply chain risks, including **self-propagating worms** (Shai-Hulud), **PackageGate vulnerabilities** bypassing npm defenses, and **AI-assisted prompt injection** targeting developer workflows. Mitigations include disabling postinstall scripts, enforcing least-privilege access, and rotating all credentials tied to npm, GitHub, and cloud providers.

Timeline

  1. 11.03.2026 09:31 1 article · 23h ago

    UNC6426 Escalates nx Supply Chain Theft to AWS Breach and Data Destruction

    The **UNC6426** threat actor weaponized GitHub Personal Access Tokens (PATs) stolen during the August 2025 nx npm supply-chain attack to **fully compromise a victim’s AWS environment within 72 hours**. Beginning with reconnaissance using the stolen PAT, the attacker employed the **Nord Stream** open-source tool to extract secrets from CI/CD pipelines, including credentials for a GitHub service account. By leveraging the service account’s `--aws-role` parameter, UNC6426 generated temporary AWS STS tokens for the `Actions-CloudFormation` role—which had **overly permissive privileges**—to deploy a new AWS Stack with `AdministratorAccess`. With elevated permissions, the threat actor **exfiltrated objects from S3 buckets**, **terminated production EC2 and RDS instances**, and **decrypted application keys**. In the final stage, UNC6426 **renamed all internal GitHub repositories** to `/s1ngularity-repository-[randomcharacters]` and **made them public**, mirroring the original exfiltration repository naming scheme. The incident demonstrates the **real-world impact of supply chain credential theft**, where stolen tokens enable rapid lateral movement into cloud environments. Google’s Cloud Threat Horizons Report (H1 2026) warns that such attacks exploit **standing privileges in OIDC-linked roles** and **AI-assisted tooling** (e.g., QUIETVAULT) to evade traditional defenses.

  2. 23.02.2026 12:20 1 article · 16d ago

    Concurrent Malicious npm Packages Deploy RATs and Reverse Shells

    Researchers identified two additional malicious npm packages, `buildrunner-dev` and `eslint-verify-plugin`, deploying advanced post-exploitation tooling. `buildrunner-dev` installs **Pulsar RAT**, an open-source remote access trojan delivered via a PNG image hosted on `i.ibb[.]co`, targeting Windows, macOS, and Linux systems. `eslint-verify-plugin` masquerades as a legitimate ESLint utility but deploys a **multi-stage infection chain**: on Linux, it installs a **Poseidon agent** for the Mythic C2 framework, while on macOS, it executes **Apfell** (a JXA agent) to create a new admin user and exfiltrate system data (Chrome bookmarks, iCloud Keychain, screenshots, etc.). Separately, a rogue VS Code extension, `solid281`, impersonates the official Solidity extension but drops **ScreenConnect** (Windows) or a **Python reverse shell** (macOS/Linux) upon startup. These discoveries highlight the broadening scope of supply chain attacks beyond credential theft, targeting full-system compromise and lateral movement within developer environments.

  3. 26.01.2026 16:02 1 article · 1mo ago

    PackageGate Vulnerabilities Bypass NPM's Shai-Hulud Defenses via Git Dependencies

    Researchers at Koi Security discovered *PackageGate*, a collection of vulnerabilities in JavaScript package managers (npm, pnpm, Bun, vlt) that allow attackers to bypass security measures like the '--ignore-scripts' flag. The flaws enable malicious '.npmrc' files in Git dependencies to override the git binary path, achieving full code execution during installation. Bun patched the issue in version 1.3.5, while pnpm addressed two CVEs (CVE-2025-69263 and CVE-2025-69264). NPM, however, closed the report as "works as expected," arguing that users must vet package content themselves—despite the bug bounty scope explicitly covering script execution bypasses. The vulnerabilities are not theoretical: proof-of-concept exploits creating reverse shells have been observed. GitHub, npm’s operator, acknowledged ongoing registry scans for malware and urged adoption of trusted publishing and granular access tokens with enforced 2FA. The findings underscore persistent risks in npm’s security model, particularly for Git-based dependencies, which could enable attackers to circumvent post-Shai-Hulud mitigations.

  4. 02.12.2025 21:06 1 article · 3mo ago

    Shai-Hulud 2.0 NPM malware attack exposed up to 400,000 dev secrets

    The second Shai-Hulud attack last week exposed around 400,000 raw secrets after infecting hundreds of packages in the NPM registry and publishing stolen data in 30,000 GitHub repositories. Although just about 10,000 of the exposed secrets were verified as valid by the open-source TruffleHog scanning tool, researchers at cloud security platform Wiz say that more than 60% of the leaked NPM tokens were still valid as of December 1st. The Shai-Hulud threat emerged in mid-September, compromising 187 NPM packages with a self-propagating payload that identified account tokens using TruffleHog, injected a malicious script into the packages, and automatically published them on the platform. In the second attack, the malware impacted over 800 packages (counting all infected versions of a package) and included a destructive mechanism that wiped the victim’s home directory if certain conditions were met. The malware used TruffleHog without the 'only-verified' flag, meaning that the 400,000 exposed secrets match a known format and may not be valid or usable anymore. Analysis of 24,000 environment.json files showed that roughly half of them were unique, with 23% corresponding to developer machines, and the rest coming from CI/CD runners and similar infrastructure. Most of the infected machines, 87% of them, are Linux systems, while most infections (76%) were on containers. Regarding the CI/CD platform distribution, GitHub Actions led by far, followed by Jenkins, GitLab CI, and AWS CodeBuild. The top package was @postman/[email protected], followed by @asyncapi/[email protected]. These two packages together accounted for more than 60% of all the infections. Wiz believes that the perpetrators behind Shai-Hulud will continue to refine and evolve their techniques, and predicts that more attack waves will emerge in the near future, potentially leveraging the massive credential trove harvested so far.

  5. 24.11.2025 15:03 9 articles · 3mo ago

    Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft

    The second wave of the Shai-Hulud attack, *Sha1-Hulud*, compromised over 800 npm packages and exposed 400,000 raw secrets across 30,000 GitHub repositories, with 60% of leaked NPM tokens remaining valid as of December 2025. The malware introduced a preinstall script (setup_bun.js) that installed the Bun runtime to evade Node.js-focused defenses, registered infected machines as self-hosted GitHub runners, and exfiltrated credentials via dynamically named repositories. Analysis revealed 87% of infections occurred on Linux systems, predominantly in containers, with GitHub Actions being the most exploited CI/CD platform.

    *Update*: Subsequent research identified *PackageGate*, a set of vulnerabilities in npm, pnpm, Bun, and vlt that allow attackers to bypass the '--ignore-scripts' defense via Git dependencies. Malicious '.npmrc' files can override the git binary path, enabling arbitrary code execution even when scripts are disabled. While Bun, pnpm, and vlt patched these flaws, npm rejected the vulnerability report, citing user responsibility for package vetting. Proof-of-concept exploits demonstrate active abuse of this technique.

    *Update (February 2026)*: A third wave, *SANDWORM_MODE*, deployed 19 new malicious packages (e.g., `claud-code`, `secp256`) under publisher aliases *official334* and *javaorg*. This iteration expands credential theft to include **cryptocurrency keys**, **LLM API tokens** (Anthropic, OpenAI, Mistral, etc.), and **AI coding assistant compromise** via MCP server injection. The attack uses a two-stage payload with a 48-hour delay for deeper persistence, alongside a **polymorphic obfuscation engine** (currently inactive) and a **destructive wiper routine** triggered upon losing GitHub/npm access. Four sleeper packages (e.g., `ethres`, `iru-caches`) were also identified as part of the campaign infrastructure.

    *New Development*: The SANDWORM_MODE campaign spreads via **typosquatting packages** (e.g., `[email protected]` mimicking `supports-color`) and injects **rogue MCP servers** into AI assistant configurations (Claude Desktop, Cursor, VS Code Continue). The malware uses **layered obfuscation** (base64, zlib, AES-256-GCM) and a **three-channel exfiltration cascade**: Cloudflare Worker endpoints, private GitHub repositories, and DNS tunneling. Cloudflare, npm, and GitHub have mitigated the infrastructure, but developers are urged to rotate credentials and audit repositories for unauthorized modifications.

  6. 16.09.2025 23:02 2 articles · 5mo ago

    Shai-Hulud Self-Replication Mechanism Detailed

    The Shai-Hulud worm emerged just days after a broad phishing campaign that spoofed NPM and asked developers to update their multi-factor authentication login options. It was first detected on September 14, 2025, around 17:58 UTC, and briefly compromised at least 25 NPM code packages managed by CrowdStrike. The worm spreads by using stolen NPM authentication tokens, adding its code to the top 20 packages in the victim’s account. It deliberately skips Windows systems, assuming the victim is working in a Linux or macOS environment, and uses the open-source tool TruffleHog to search for exposed credentials and access tokens on the developer’s machine. It also attempts to create new GitHub actions and publish any stolen secrets. The worm's spread seems to have waned in recent hours but could restart if a new victim is infected, and the web address used by the attackers to exfiltrate collected data was disabled due to rate limits. The worm is still propagating, although its spread has slowed down, and it can lie dormant and restart the spread if a new victim is infected. Its spread could be significantly reduced by implementing a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method.

  7. 16.09.2025 08:00 4 articles · 5mo ago

    Shai-Hulud Attack Compromises Over 40 npm Packages

    The Shai-Hulud worm emerged just days after a broad phishing campaign that spoofed NPM and asked developers to update their multi-factor authentication login options. It was first detected on September 14, 2025, around 17:58 UTC, and briefly compromised at least 25 NPM code packages managed by CrowdStrike. The worm spreads by using stolen NPM authentication tokens, adding its code to the top 20 packages in the victim’s account. It deliberately skips Windows systems, assuming the victim is working in a Linux or macOS environment, and uses the open-source tool TruffleHog to search for exposed credentials and access tokens on the developer’s machine. It also attempts to create new GitHub actions and publish any stolen secrets. The worm's spread seems to have waned in recent hours but could restart if a new victim is infected, and the web address used by the attackers to exfiltrate collected data was disabled due to rate limits. The worm is still propagating, although its spread has slowed down, and it can lie dormant and restart the spread if a new victim is infected. Its spread could be significantly reduced by implementing a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method.

  8. 06.09.2025 17:11 1 article · 6mo ago

    Nx Team Publishes Root Cause Analysis and Adopts New Security Measures

    The Nx team published a root cause analysis detailing the pull request title injection and insecure use of pull_request_target. Nx has adopted NPM's Trusted Publisher model and added manual approval for PR-triggered workflows to prevent future compromises.

  9. 28.08.2025 13:36 6 articles · 6mo ago

    Malicious nx Packages Exfiltrate Credentials in 's1ngularity' Supply Chain Attack

    The Shai-Hulud worm emerged just days after a broad phishing campaign that spoofed NPM and asked developers to update their multi-factor authentication login options. The Shai-Hulud worm was first detected on September 14, 2025, around 17:58 UTC. The attack exploited a vulnerable `pull_request_target` workflow in the nx package (a technique dubbed *Pwn Request*), allowing threat actors to obtain elevated privileges, steal a `GITHUB_TOKEN`, and publish trojanized versions embedding the **QUIETVAULT** credential stealer. The malware siphoned environment variables, system data, and GitHub PATs by weaponizing LLM tools already present on developer endpoints, exfiltrating data to public repositories named `/s1ngularity-repository-1`. *Update (March 2026)*: The **UNC6426** threat actor leveraged stolen GitHub tokens from this incident to breach a victim’s **AWS cloud environment in under 72 hours**. By abusing GitHub-to-AWS OIDC trust, the attacker created an **administrator IAM role**, exfiltrated S3 bucket data, terminated production EC2/RDS instances, and **renamed internal repositories to `/s1ngularity-repository-[randomcharacters]` before making them public**. The post-compromise activity used the **Nord Stream** tool to extract CI/CD secrets and exploited an **overprivileged GitHub-Actions-CloudFormation role** to escalate privileges. This marks the first confirmed case of **cloud environment destruction** stemming from the nx/Shai-Hulud supply chain attack.


Similar Happenings

Malicious Rust Crates and AI Bot Target CI/CD Pipelines to Steal Secrets

Five malicious Rust crates were discovered masquerading as time-related utilities to exfiltrate .env files containing sensitive developer secrets. Additionally, an AI-powered bot named hackerbot-claw targeted CI/CD pipelines in major open-source repositories to harvest developer secrets. The Rust crates were published between late February and early March 2026, while the AI bot campaign occurred between February 21 and February 28, 2026. The impact includes potential compromise of downstream users and deeper access to environments, including cloud services and GitHub tokens.

Critical Zero-Click RCE Vulnerability in FreeScout Helpdesk Platform

A critical zero-click remote code execution (RCE) vulnerability (CVE-2026-28289) in FreeScout helpdesk platform allows attackers to hijack mail servers by sending a crafted email. The flaw bypasses a previous fix for another RCE issue (CVE-2026-27636) and enables unauthenticated command execution on the server. FreeScout versions up to 1.8.206 are affected, and immediate patching to version 1.8.207 is recommended. The vulnerability leverages a zero-width space (Unicode U+200B) to bypass security checks, allowing malicious file uploads and subsequent exploitation. Over 1,100 publicly exposed FreeScout instances are at risk, with potential impacts including full server compromise, data breaches, and lateral movement. Ox Security discovered a patch bypass that allowed reproduction of the same RCE on newly updated servers and escalated the attack chain to a zero-click RCE. The PHP-based Laravel framework, on which FreeScout is based, has over 83,000 GitHub stars and around 13,000 publicly exposed servers.

Coruna iOS Exploit Kit Targets iOS 13–17.2.1 with 23 Exploits

Google's Threat Intelligence Group identified the Coruna exploit kit, targeting iOS versions 13.0 to 17.2.1. The kit includes five exploit chains and 23 exploits, some using non-public techniques. It has been used by multiple threat actors, including government-backed groups and financially motivated actors. The kit was first observed in February 2025 and has since been linked to campaigns involving Russian and Chinese actors. The exploit kit leverages vulnerabilities in WebKit and other components, some of which were patched by Apple but remained undocumented until later. The kit is designed to fingerprint devices and deliver appropriate exploits based on the iOS version. It avoids execution on devices in Lockdown Mode or private browsing. The Coruna exploit kit marks a shift from targeted spyware attacks to broader exploitation of iOS devices, including crypto theft attacks. The kit includes a stager loader called PlasmaGrid, which targets cryptocurrency wallet apps such as MetaMask, Phantom, Exodus, BitKeep, and Uniswap. The exploit kit was used in watering hole attacks targeting iPhone users visiting compromised Ukrainian websites in summer 2025 and on fake Chinese gambling and crypto websites in late 2025. The exploit kit includes a binary loader that deploys the final stage of the attack after the initial browser exploit succeeds. It uses custom encryption and compression methods to deliver payloads and is ineffective against the latest iOS versions. CISA added three of the 23 Coruna vulnerabilities to its catalog of Known Exploited Vulnerabilities, ordering federal agencies to patch the vulnerabilities by March 26, 2026. CISA also urged all organizations to prioritize patching these flaws to secure their devices against attacks.

ClawJacked Flaw in OpenClaw Enables Local AI Agent Hijacking via WebSocket

A high-severity vulnerability in OpenClaw, codenamed ClawJacked, allows malicious websites to hijack locally running AI agents through WebSocket connections. The flaw exploits missing rate-limiting and auto-approval of trusted devices, enabling attackers to take control of the AI agent. OpenClaw has released a fix in version 2026.2.25, urging users to update immediately and enforce strict governance controls. The vulnerability is caused by the OpenClaw gateway service binding to localhost by default and exposing a WebSocket interface, allowing attackers to brute-force the management password and gain admin-level permissions. Once authenticated, attackers can interact directly with the AI platform, dumping credentials, listing connected nodes, stealing credentials, and reading application logs. The fix tightens WebSocket security checks and adds additional protections to prevent attackers from abusing localhost loopback connections.

AI-Assisted Hacker Breaches 600 FortiGate Firewalls in 5 Weeks

A Russian-speaking, financially motivated hacker used generative AI services to breach over 600 FortiGate firewalls across 55 countries in five weeks. The campaign, which occurred between January 11 and February 18, 2026, targeted exposed management interfaces and weak credentials lacking MFA protection. The attacker used AI to automate access to other devices on breached networks, extracting sensitive configuration data and conducting reconnaissance. The attacker successfully compromised multiple organizations' Active Directory environments, extracted complete credential databases, and targeted backup infrastructure, likely in a lead-up to ransomware deployment. The threat actor used the CyberStrikeAI AI-powered security testing platform, which integrates over 100 security tools and allows for end-to-end automation of attacks. The developer of CyberStrikeAI, known as "Ed1s0nZ," has links to Chinese government-affiliated cyber operations and has worked on additional AI-assisted security tools. Team Cymru detected 21 unique IP addresses running CyberStrikeAI between January 20 and February 26, 2026, primarily hosted in China, Singapore, and Hong Kong. Additional servers related to CyberStrikeAI have been detected in the U.S., Japan, and Switzerland. The developer has interacted with organizations supporting potentially Chinese government state-sponsored cyber operations, including Knownsec 404, a Chinese security vendor with ties to the Chinese Ministry of State Security (MSS). Ed1s0nZ has removed references to a CNNVD Level 2 Contribution Award from their GitHub profile. The campaign targeted healthcare, government, and managed service providers. The attackers exploited vulnerabilities CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858. The attackers created a new local administrator account named "support" and set up four new firewall policies allowing unrestricted access. 
The attackers periodically checked device accessibility, consistent with initial access broker (IAB) behavior. The attackers extracted configuration files containing encrypted service account LDAP credentials. The attackers authenticated to the AD using clear text credentials from the fortidcagent service account. The attackers enrolled rogue workstations in the AD, allowing deeper access. The attackers deployed remote access tools like Pulseway and MeshAgent. The attackers downloaded malware from a cloud storage bucket via PowerShell from AWS infrastructure. The Java malware was used to exfiltrate the contents of the NTDS.dit file and SYSTEM registry hive to an external server (172.67.196[.]232) over port 443.