Particle.news

CERT Warns as Shai-Hulud npm Supply-Chain Attack Tops 500 Packages

Malicious postinstall code that steals CI/CD and cloud credentials is driving self-propagation through compromised maintainer accounts.

Overview

  • GitHub and the npm security team have removed or blocked more than 500 malicious releases, with researchers reporting the list of affected packages continues to grow.
  • Socket and CERT confirm that packages tied to CrowdStrike’s npm account were among those compromised, prompting users to review and roll back impacted dependencies.
  • The campaign executes a bundle.js during installation to run TruffleHog and harvest GitHub personal access tokens, npm tokens, and cloud service keys, with some stolen credentials later exposed on GitHub.
  • Attackers leveraged CI/CD infrastructure, including GitHub Actions, to automate re-publication of trojanized packages, mirroring techniques seen in recent npm incidents.
  • Advisories from CERT, CISA, and India’s CERT-In urge immediate credential rotation, disabling install scripts where feasible, dependency locking, internal registry mirroring, and tighter GitHub security controls.
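The campaign's entry point is an install-time lifecycle script, so one practical check before rotating credentials is to enumerate every dependency in a project that declares a preinstall/install/postinstall hook and flag any that invoke a bundle.js. The scanner below is an added example, not code from the advisories or from any affected project; the fixture tree it builds (package names, versions and scripts) is constructed for illustration, and the `bundle.js` match is only a heuristic drawn from this report, since many legitimate packages also ship postinstall hooks.

```python
"""List npm packages in a node_modules tree that declare install-time hooks."""
import json
import os
import tempfile
from pathlib import Path

# Lifecycle hooks npm runs for a dependency during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(node_modules: str) -> list[dict]:
    """Walk node_modules (including @scoped and nested packages) and return
    every package.json that declares an install-time hook."""
    findings = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        manifest = Path(root) / "package.json"
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError):
            continue  # unreadable or non-JSON manifest; skip rather than crash
        scripts = data.get("scripts") or {}
        hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
        if hooks:
            findings.append({
                "name": data.get("name", str(manifest)),
                "version": data.get("version", "?"),
                "hooks": hooks,
                # Heuristic only: the reported campaign ran a bundle.js at install time.
                "suspicious": any("bundle.js" in cmd for cmd in hooks.values()),
            })
    return sorted(findings, key=lambda f: f["name"])


def build_sample_tree() -> str:
    """Constructed fixture: one benign package and one mimicking the reported
    install-time behaviour. Returns the path of the generated node_modules."""
    node_modules = Path(tempfile.mkdtemp()) / "node_modules"
    manifests = {
        "left-pad-like": {"name": "left-pad-like", "version": "1.0.0",
                          "scripts": {"test": "node test.js"}},
        "@example/trojanized-demo": {"name": "@example/trojanized-demo",
                                     "version": "2.3.4",
                                     "scripts": {"postinstall": "node bundle.js"}},
    }
    for name, manifest in manifests.items():
        pkg_dir = node_modules / name
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return str(node_modules)


if __name__ == "__main__":
    for finding in find_install_hooks(build_sample_tree()):
        print(finding)
```

Run it against a real project by passing its `node_modules` path to `find_install_hooks`; review every hit, not only the flagged ones, before deciding whether to set `ignore-scripts=true` in `.npmrc` as the advisories suggest.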