Cybercrime

npm Infostealer Campaign Traced to Israeli Cybersecurity Startup

npm Infostealer Campaign Traced to Israeli Cybersecurity Startup

Typosquatted packages impersonating Anthropic, Vercel, LangChain, Ollama, OpenAI and Aspect Security quietly profiled developer machines on install. According to OpenSourceMalware.com, the npm account behind them belongs to the founder of a stealth-mode cybersecurity startup.

Researchers at OpenSourceMalware.com say they have identified a cluster of at least seven malicious npm packages, published over two days in late June 2026, that acted as infostealers targeting developers in the AI tooling ecosystem. The packages racked up roughly 20,000 downloads before being removed, according to the report. Every install fired the beacon at least once, so the researchers treat that figure as a floor on the number of machines profiled.

Five of the packages impersonate widely used AI developer tools: anthropic-toolkit copies Anthropic's SDK, ai-sdk-helpers copies Vercel's ai, @langgraphjs/toolkit mimics LangChain's LangGraph.js, and ollama-helpers and openai-agents-helpers piggyback on their namesakes. A sixth, @aspect-security/argon2, squats on the application-security firm Aspect Security and the real argon2 password-hashing library.

How it worked

The campaign abused npm install-time scripts, the researchers said. When a developer runs npm install, npm executes any preinstall or postinstall script with the user's own permissions, before the library's code is ever imported. On a laptop that means the developer's environment. On a continuous-integration runner it can mean build accounts with cloud credentials attached.

In the AI-tool packages, the working TypeScript shipped in the package was never actually called, according to the analysis. It existed as an alibi, while the real payload sat in a separate postinstall script. That separation, the researchers note, means the malware succeeds even against developers who audit the code, because the code they read is not the code that runs.

Identity, not credentials

The most notable finding is what the beacon collected, and what it left alone. The researchers say the script deliberately skipped passwords, API tokens and private keys, and even scrubbed embedded credentials out of git remote URLs. What it took instead was identity: the machine hostname and username, every git and SSH email on the box, up to fifteen teammate email addresses lifted from the project's git reflog, GitHub CLI identity, AWS and Google Cloud profile names and account IDs, the corporate DNS search domain, and metadata about the private project the developer was inside.

The report frames this as a considered choice rather than restraint. A stolen credential is rotated within hours of discovery, the researchers argue, while an identity dossier does not expire and reads as boring traffic in a security review. They describe it as the opening move of a reconnaissance-then-access playbook.

The data was posted to a Google Cloud Run endpoint. Because traffic to run.app terminates at Google's edge and sits on most enterprise egress allowlists, the researchers say it rides through corporate networks largely unchecked. A Google Cloud project number embedded in the hostname, 228835561205, ties the artifacts together, including an earlier, cruder version of the beacon shipped in the argon2 package two months prior.

The unusual part

Almost every npm supply-chain campaign is published from throwaway accounts. This one, the researchers say, was not. They report tracing the account to the founder of a real cybersecurity company that is still in stealth mode but has a live public site and identifiable leadership. They chose not to name the company or the individual, and said they reported the findings to npm and other parties. Both the packages and the account have been taken down.

The report is careful about motive. It rules out a simple smash-and-grab, noting the real-name publishing and the iterative refinement of the technique, and rules out clean security research, noting the live payload and absence of any public disclosure. Its most-favored theory, offered explicitly as speculation, is product seeding: a stealth security startup building a private dataset of real developer environments. The researchers stress they cannot confirm this from static analysis.



International Cyber Digest

Get the ICD Newsletter

Subscribe for source-forward cyber news, OSINT notes, breach updates, and analysis. Have evidence or a lead? Send it to ICD.

Subscribe Send a tip