Hijacked npm Developer Accounts Distribute Malware to Steal API Keys and Passwords
What Happened — Sonatype discovered a coordinated campaign in which threat actors compromised npm developer accounts and published malicious packages. The packages contain code that harvests API keys, passwords, and other credentials from downstream projects.
Why It Matters for TPRM —
- Supply‑chain compromise can propagate to any organization that consumes the polluted npm modules.
- Credential‑stealing payloads enable further lateral movement and data exfiltration across the vendor ecosystem.
- The attack surface includes both internal development teams and third‑party SaaS products that rely on open‑source components.
Who Is Affected — Technology & SaaS firms, cloud‑native developers, API‑centric platforms, and any organization that incorporates npm packages into production code.
Recommended Actions —
- Audit all npm dependencies for recently published versions from newly created or recently updated accounts.
- Enforce strict provenance checks (e.g., npm audit, Sigstore, or SBOM validation).
- Rotate any API keys or passwords that may have been exposed and implement secret‑management controls.
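As an added example (not code from Sonatype's report or HackRead), the following Node.js script implements the first two recommended actions against constructed data: it walks a package-lock.json, looks up each installed version's publish date in npm registry metadata, and flags versions published within a short window or lacking a provenance attestation. The lockfile, registry records and the `dist.attestations` field shape are assumptions for illustration.

```javascript
// Added example: flag lockfile dependencies that were published recently or
// carry no provenance attestation. All inputs below are constructed; in practice
// read package-lock.json from disk and fetch https://registry.npmjs.org/<name>.
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed package-lock.json (lockfileVersion 3) with two dependencies.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/example-utils": { version: "2.4.1" },
    "node_modules/example-colors": { version: "0.9.3" },
  },
};

// Constructed registry metadata keyed by package name. The registry `time` map
// holds a publish timestamp per version; `dist.attestations` is assumed to be
// present only on versions published with provenance (shape is an assumption).
const registry = {
  "example-utils": {
    time: { "2.4.0": "2023-01-10T00:00:00.000Z", "2.4.1": "2023-02-01T00:00:00.000Z" },
    versions: { "2.4.1": { dist: { attestations: { url: "https://example.invalid/attestation" } } } },
  },
  "example-colors": {
    time: { "0.9.2": "2022-11-05T00:00:00.000Z", "0.9.3": "2024-03-30T12:00:00.000Z" },
    versions: { "0.9.3": { dist: {} } },
  },
};

// Returns one finding per dependency that raises at least one flag.
function auditLock(lock, meta, now = new Date(), windowDays = 14) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry, not a dependency
    // Strip the (possibly nested) node_modules/ prefix; keeps @scope/name intact.
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const pkg = meta[name];
    const flags = [];
    const publishedAt = pkg && pkg.time ? pkg.time[entry.version] : undefined;
    const ageDays = publishedAt ? Math.floor((now - new Date(publishedAt)) / MS_PER_DAY) : null;
    if (ageDays === null) flags.push("unknown-publish-date");
    else if (ageDays < windowDays) flags.push("recently-published");
    const dist = pkg && pkg.versions && pkg.versions[entry.version] && pkg.versions[entry.version].dist;
    if (!dist || !dist.attestations) flags.push("no-provenance");
    if (flags.length) findings.push({ name, version: entry.version, ageDays, flags });
  }
  return findings;
}
```

Run with `node audit.js` after replacing the constructed objects with the real lockfile and registry responses; each finding names the package, version, age in days and the flags raised.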
Technical Notes — Attack vector: hijacked developer accounts (third‑party dependency). No specific CVE cited. Malware extracts API keys, passwords, and other secrets from the host environment. Source: HackRead