Particle.news

Researchers Detail npm Attack Involving 40+ Trojanized Packages and Credential-Stealing Workflows

Socket reports a bundle.js payload that harvests developer tokens and uses them to implant persistent GitHub Actions jobs.

Overview

  • The campaign impacts more than 40 npm packages across multiple maintainers, widening the scope from an earlier disclosure that cited 18 widely used libraries.
  • Malicious releases employ an NpmModule.updatePackage routine to alter tarballs, inject a local bundle.js script, repack them, and republish to the registry.
  • The injected code downloads and runs TruffleHog to locate GITHUB_TOKEN, NPM_TOKEN, and AWS credentials on Windows and Linux hosts, exfiltrating results to a webhook[.]site endpoint.
  • Harvested tokens are abused to write rogue .github/workflows entries that persist beyond the initial machine, enabling future CI runs to continue exfiltration.
  • Researchers urge developers to audit environments, rotate exposed secrets, and remove unauthorized workflows, while the Rust project separately warned of a crates.io-themed phishing lure.
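The audit the researchers recommend can be started with a small script that walks a repository's `.github/workflows` directory and flags the indicators the report names: workflow files nobody added on purpose, steps that download or run TruffleHog, contact with webhook.site or other hosts the project never uses, and repository secrets exposed to such a workflow. The following Python is an added example written for this summary, not code from Socket or from any of the affected packages. The allowlisted hosts, the expected workflow names and the two sample workflow texts are constructed assumptions; `sync.yml` is shaped like the behaviour described above and is not a real file from the campaign.

```python
"""Audit GitHub Actions workflow files for the indicators named in the Socket
report: unexpected workflow files, TruffleHog use, contact with webhook.site or
other unexpected hosts, and secrets handed to such a workflow.
Added example; not code from Socket or from the affected packages."""
import re
import sys
from pathlib import Path
from typing import Dict, List, Set

# Hosts a typical Node CI workflow is expected to contact. This allowlist is an
# assumption for the example; tailor it to the repository being audited.
ALLOWED_HOSTS: Set[str] = {
    "github.com",
    "api.github.com",
    "objects.githubusercontent.com",
    "registry.npmjs.org",
}

# Hypothetical set of workflow file names the repository is known to ship.
EXPECTED_WORKFLOWS: Set[str] = {"ci.yml"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def load_workflows(repo_root: str) -> Dict[str, str]:
    """Read every YAML file under <repo>/.github/workflows into a name -> text map."""
    wf_dir = Path(repo_root) / ".github" / "workflows"
    return {p.name: p.read_text(encoding="utf-8")
            for p in sorted(wf_dir.glob("*.y*ml")) if p.is_file()}


def external_hosts(text: str) -> Set[str]:
    """Return every URL host in the workflow text that is not allowlisted."""
    return {h.lower() for h in URL_RE.findall(text)} - ALLOWED_HOSTS


def audit_workflow(name: str, text: str, expected: Set[str]) -> List[str]:
    """Return human-readable findings for one workflow file (empty if clean)."""
    findings: List[str] = []
    lowered = text.lower()

    # 1. A workflow file nobody added on purpose is the persistence mechanism
    #    the report describes, so any name outside the expected set is flagged.
    if name not in expected:
        findings.append(f"{name}: not in the expected workflow list (possible injected workflow)")

    # 2. The payload downloads and runs TruffleHog to locate tokens on the host.
    if "trufflehog" in lowered:
        findings.append(f"{name}: downloads or runs TruffleHog")

    # 3. Outbound contact with hosts the project does not normally use; the
    #    report names a webhook.site endpoint as the exfiltration target.
    hosts = external_hosts(text)
    if hosts:
        note = (" (webhook.site is the exfiltration endpoint named in the report)"
                if "webhook.site" in hosts else "")
        findings.append(f"{name}: contacts non-allowlisted host(s) {sorted(hosts)}{note}")

    # 4. Secrets exposed to a workflow that also reaches an unexpected host.
    uses_secrets = "secrets." in lowered or any(
        t in text for t in ("NPM_TOKEN", "GITHUB_TOKEN", "AWS_"))
    if uses_secrets and hosts:
        findings.append(f"{name}: repository secrets are available to a workflow "
                        f"that contacts {sorted(hosts)}")

    return findings


def audit_workflows(workflows: Dict[str, str], expected: Set[str]) -> Dict[str, List[str]]:
    """Audit every workflow; return only the files that produced findings."""
    report = {name: audit_workflow(name, text, expected) for name, text in workflows.items()}
    return {name: f for name, f in report.items() if f}


# Constructed sample workflows. "ci.yml" is an ordinary test job; "sync.yml"
# is shaped like the behaviour the report describes, not a real campaign file.
SAMPLE_WORKFLOWS: Dict[str, str] = {
    "ci.yml": """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test
""",
    "sync.yml": """\
name: sync
on: [push]
jobs:
  sync:
    runs-on: ubuntu-latest
    env:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - run: ./trufflehog filesystem $HOME --json > scan.json
      - run: curl -s https://webhook.site/PLACEHOLDER-ID
""",
}

if __name__ == "__main__":
    # Audit a real checkout if a path is given, otherwise the constructed samples.
    workflows = load_workflows(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WORKFLOWS
    for name, findings in audit_workflows(workflows, EXPECTED_WORKFLOWS).items():
        for line in findings:
            print(line)
```

Run it as `python audit_workflows.py /path/to/checkout` against each repository the compromised machine could push to; `ci.yml` produces no findings, while `sync.yml` is flagged on all four rules. The expected-name rule is the one that matters most here, because a rogue workflow need not contain any of the string indicators to keep running in future CI jobs, and a name-based diff against what the project intentionally ships catches it regardless.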