Overview
- The operation began in August and has amassed more than 86,000 downloads, with about 80 packages still available on the registry, according to researchers.
- Packages declare zero dependencies yet use remote dynamic dependencies to pull attacker-hosted code during npm install, evading static analysis and registry scans.
- The payload profiles hosts, reads environment variables, and targets tokens for npm, GitHub Actions, GitLab, Jenkins, and CircleCI, exfiltrating data via HTTP GET/POST and WebSockets.
- Attackers rely on slopsquatting by registering plausible, previously nonexistent names that large language models may recommend to developers.
- Koi Security published indicators of compromise and a full list of affected packages, and it described the infrastructure as sloppy enough to link activity to a single individual.