Modern supply chain security for the npm ecosystem. Static + behavioral analysis that catches what npm audit, Snyk, and Socket miss — obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation.
📌 The Problem
The 2025–2026 wave of npm supply chain attacks proved that traditional tooling is no longer enough.
Attackers have moved past simple typosquatting. They now ship obfuscated preinstall hooks, credential harvesters hidden behind environment detection, dormant backdoors with time-based activation, and worm-style transitive propagation that spreads through peer dependencies.
A growing attack vector is HuggingFace org impersonation — packages that masquerade as legitimate HF model repositories (e.g., 0penai/gpt2 instead of openai/gpt2) to trick users into downloading malicious model artifacts during CI/CD pipeline runs, often bundled with suspicious binaries (.exe, .dll) in model repos that deep-learning tools trust by default.
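One way to check for the org impersonation described above before a pipeline fetches a model. This is an added example, not code from @lateos/npm-scan; the allowlist, the confusable-character map and the function names are assumptions chosen for illustration.

```javascript
// Added example (not @lateos/npm-scan code): flag Hugging Face repo ids whose
// org resembles, but is not, an org on a pinned allowlist.
// TRUSTED_ORGS and CONFUSABLES are assumptions chosen for illustration.
const TRUSTED_ORGS = ['openai', 'google', 'meta-llama', 'microsoft'];
const CONFUSABLES = { '0': 'o', '1': 'l', '3': 'e', '5': 's', '@': 'a', '$': 's' };

// Reduce a name to a comparison "skeleton" so lookalike spellings collapse together.
function skeleton(name) {
  return name
    .normalize('NFKC')                            // fold fullwidth/compatibility forms
    .toLowerCase()
    .replace(/[\u200B-\u200D\u2060\uFEFF]/g, '')  // drop zero-width characters
    .replace(/rn/g, 'm')                          // "rn" renders like "m"
    .replace(/[0135@$]/g, (c) => CONFUSABLES[c])  // digit/symbol substitutions
    .replace(/[-_.]/g, '');                       // separators are easy to add or drop
}

// Levenshtein distance, used to catch single-character near misses.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const sub = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, sub);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Classify an "org/model" id as trusted, impersonation, unknown or invalid.
function checkRepoId(repoId) {
  const parts = repoId.split('/');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return { repoId, verdict: 'invalid' };
  const org = parts[0];
  if (TRUSTED_ORGS.includes(org)) return { repoId, verdict: 'trusted' }; // exact spelling only
  const sk = skeleton(org);
  for (const trusted of TRUSTED_ORGS) {
    const tsk = skeleton(trusted);
    if (sk === tsk) return { repoId, verdict: 'impersonation', resembles: trusted, reason: 'confusable' };
    if (tsk.length >= 5 && editDistance(sk, tsk) === 1) return { repoId, verdict: 'impersonation', resembles: trusted, reason: 'near-miss' };
  }
  return { repoId, verdict: 'unknown' };
}

// Constructed sample ids; the first two are the pair named in the text above.
for (const id of ['0penai/gpt2', 'openai/gpt2', 'rnicrosoft/phi', 'some-lab/model']) console.log(JSON.stringify(checkRepoId(id)));
```

An `unknown` verdict means only that the org is neither allowlisted nor a lookalike of an allowlisted name; a pipeline that pins its model sources would still reject it.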
The Megalodon campaign (2026) alone compromised 5,500+ repositories via fake GitHub PRs, malicious workflow injection, and cloud credential exfiltration — all coordinated through a single actor automating the entire kill chain. @lateos/npm-scan now detects artifacts of this campaign out of the box.
The Mini Shai-Hulud worm campaign (May 2026) hit the npm ecosystem in three waves — TanStack CI/CD hijack (84 artifacts in 6 minutes), AntV/atool maintainer compromise (600+ malicious versions across 300+ packages), and Nx Console VS Code extension poisoning (CVE-2026-48027) — all using ctf-scramble-v2 obfuscation, daemonized persistence with CI environment checks, geographic killswitches targeting sanctioned regions, and GitHub C2 dead-drop channels for token recovery. @lateos/npm-scan now detects all 10 Mini Shai-Hulud signals across two detector suites.
The TrapDoor campaign (May 2026) spans npm, PyPI, and Crates.io — 34 malicious packages, 384+ versions attributed to a single publisher, targeting crypto, DeFi, Solana, and AI developers with Fernet + ECDH encrypted payloads, AI context poisoning via zero-width Unicode injection in .cursorrules / CLAUDE.md, and credential live-validation against AWS STS and GitHub API before exfiltration. @lateos/npm-scan now detects all 9 TrapDoor signals.
The node-ipc compromise (May 14, 2026) weaponized an expired maintainer email domain to hijack one of npm's most depended-upon packages (822K weekly downloads). Three malicious versions (9.1.6, 9.2.3, 12.0.1) delivered an 80KB credential stealer via DNS TXT tunneling — no HTTP, no postinstall hook, invisible to HTTP-layer firewalls. @lateos/npm-scan now detects all 11 node-ipc compromise signals.
The Mass Typosquatting campaign (vpmdhaj) (May 2026) weaponized the vpmdhaj npm maintainer account to publish 14 typosquatted packages in a 4-hour window — targeting AWS/CI/CD environments with preinstall stagers (setup.mjs, stager.js), Bun runtime abuse, and cloud credential exfiltration (AWS IMDSv2, ECS task roles, Vault, GitHub tokens). @lateos/npm-scan now detects all 3 typosquatting campaign signals.