170 Npm Packages Hijacked to Steal GitHub, AWS & Kubernetes Secrets

Supply‑chain attacks have become a headline‑grabbing threat vector, and the npm ecosystem sits at the epicenter due to its massive developer base and open‑source nature. With more than 200 million weekly installations, a single compromised package can infiltrate thousands of projects in minutes, amplifying the potential damage. The recent hijacking of over 170 npm modules—paired with two PyPI libraries—demonstrates how attackers exploit the trust placed in package registries, turning routine dependency installs into covert intrusion points that can siphon high‑value cloud credentials and private code.

Technical analysis reveals a sophisticated multi‑stage payload. Each malicious npm package carries a pre‑install script that silently fetches a runtime loader, which then decrypts an obfuscated JavaScript payload using PBKDF2‑SHA256 and AES‑256. The code harvests GitHub Actions tokens, npm publishing credentials, AWS metadata, Kubernetes service‑account tokens, Vault tokens, and even passwords from 1Password and Bitwarden. Unlike classic stealers, the malware also searches for publishing tokens, modifies legitimate packages, and republishes them, creating a worm‑like propagation loop. The PyPI variant mirrors this behavior with an import‑time downloader that delivers a full‑featured credential stealer, while a built‑in dead‑man switch can trigger destructive actions if stolen tokens are revoked.

For enterprises, the incident is a stark reminder that supply‑chain hygiene must extend beyond static code reviews. Organizations should enforce signed releases, restrict token scopes, and implement zero‑trust CI/CD pipelines that isolate build environments. Runtime monitoring tools capable of detecting anomalous script execution and outbound traffic to unknown endpoints are essential. Additionally, rotating credentials regularly and employing secret‑scanning solutions can limit the blast radius of any breach. As attackers continue to weaponize open‑source ecosystems, proactive defense—combining policy, tooling, and developer education—will be the decisive factor in safeguarding modern software supply chains.