npm Supply Chain Worm Uses Tor C2 to Steal Developer Credentials
CloudSEK’s TRIAD team has uncovered a sophisticated npm supply chain attack involving a typosquatted package named crypto-javascri, designed to mimic the widely used crypto-js library.
The package was published on npm on May 11 and carried a Rust-based binary that harvested npm and GitHub credentials from developer machines. With those tokens in hand, it used the compromised maintainer accounts to silently republish trojanized versions of legitimate packages, turning a single infected developer environment into a wider supply chain risk.
What makes this campaign significant is its use of a weaponized Arti client (Arti is the Tor Project's Rust implementation of Tor, which is why it embeds cleanly in a Rust binary) for command-and-control. This lets the malware reach its operators over Tor hidden services, so defenders cannot block the infrastructure with conventional IP, domain, or certificate-based controls.
CloudSEK found that the malware targets Linux developer systems and CI/CD environments, establishes persistence through systemd user services, and includes credential theft, crypto-wallet targeting, cryptomining indicators, and privilege escalation capability.
The broader impact is serious: one compromised developer machine or CI/CD environment could allow attackers to push malicious updates under trusted maintainer identities, exposing downstream users who install what appears to be a routine package update.
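Two checks a practitioner would want after reading the above: scan a lockfile for the typosquatted name (and near-miss names in general, which goes beyond the single package the report names), and inspect systemd user units, which the report identifies as the persistence mechanism. This is an added example written for this post, not CloudSEK's tooling or anything from the report; it assumes a package-lock.json v2/v3 layout (a `packages` map keyed by `node_modules/<name>`) and unit files in a directory such as ~/.config/systemd/user, and all sample data in it is constructed.

```python
"""Triage checks for the crypto-javascri campaign: lockfile scan plus a look at
systemd *user* units. Added example, not CloudSEK's tooling. Assumes lockfile
v2/v3 layout and unit files in a directory like ~/.config/systemd/user.
All sample data below is constructed."""
import json
import os
import re
import tempfile

# Exact package name from the CloudSEK report; extend as further IOCs are published.
KNOWN_BAD = {"crypto-javascri"}
# Packages this project is expected to pull in (a per-project allowlist; assumed).
EXPECTED = {"crypto-js", "lodash", "express"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss names such as 'lodahs'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lockfile_names(lock: dict) -> set:
    """Package names from a v2/v3 lockfile (also tolerates the v1 'dependencies' map)."""
    names = set()
    for key in lock.get("packages", {}):
        if key:  # "" is the root project entry, not a dependency
            names.add(key.rsplit("node_modules/", 1)[-1])
    names.update(lock.get("dependencies", {}))
    return names


def flag_packages(names: set, max_dist: int = 2) -> list:
    """Return (name, reason) pairs: denylist hits and lookalikes of expected names."""
    findings = []
    for n in sorted(names):
        if n in KNOWN_BAD:
            findings.append((n, "known malicious (denylist)"))
        elif n not in EXPECTED:
            near = [e for e in EXPECTED if edit_distance(n, e) <= max_dist]
            if near:
                findings.append((n, f"lookalike of {near[0]}"))
    return findings


EXEC_RE = re.compile(r"^ExecStart\s*=\s*(\S+)", re.M)
# Locations a legitimately packaged service binary normally does not live in.
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


def suspicious_user_units(unit_dir: str) -> list:
    """Flag user units whose ExecStart binary sits in a user-writable or hidden path."""
    hits = []
    for fn in sorted(os.listdir(unit_dir)):
        if not fn.endswith(".service"):
            continue
        with open(os.path.join(unit_dir, fn)) as f:
            text = f.read()
        m = EXEC_RE.search(text)
        if m:
            exe = m.group(1).lstrip("-@+!:")  # strip systemd ExecStart prefix chars
            if exe.startswith(USER_WRITABLE) or "/." in exe:
                hits.append((fn, exe))
    return hits


def demo() -> tuple:
    """Run both checks on constructed input; returns (package findings, unit hits)."""
    lock = {"name": "app", "lockfileVersion": 3, "packages": {
        "": {"name": "app"},
        "node_modules/crypto-javascri": {"version": "1.0.0"},   # the typosquat
        "node_modules/lodahs": {"version": "4.17.21"},           # constructed near-miss
        "node_modules/express": {"version": "4.19.2"},
    }}
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "update-check.service"), "w") as f:
            f.write("[Unit]\nDescription=update\n[Service]\n"
                    "ExecStart=/home/dev/.cache/.x/agent --daemon\nRestart=always\n"
                    "[Install]\nWantedBy=default.target\n")
        with open(os.path.join(d, "pipewire.service"), "w") as f:
            f.write("[Service]\nExecStart=/usr/bin/pipewire\n")
        units = suspicious_user_units(d)
    return flag_packages(lockfile_names(lock)), units


if __name__ == "__main__":
    pkgs, units = demo()
    for name, why in pkgs:
        print(f"package {name}: {why}")
    for fn, exe in units:
        print(f"unit {fn}: ExecStart {exe}")
```

Note the design choice: crypto-javascri is six edits away from crypto-js, so a pure edit-distance heuristic against your allowlist will not catch it; that is why the exact name goes on a denylist and anything outside the allowlist deserves review regardless of distance. On a real host, point `suspicious_user_units` at ~/.config/systemd/user and pair it with `systemctl --user list-units --type=service` to see what is actually running.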
The full report is here: https://www.cloudsek.com/blog/inside-a-tor-backed-supply-chain-worm
This entry was posted on May 14, 2026 at 8:47 am and is filed under Commentary with tags CloudSEK.