SlowMist Flags New npm Supply Chain Malware
Security firm SlowMist posted a warning on social media platform X today, June 25, 2026, urging developers to check their dependencies and rotate all keys after a new npm malware variant compromised developer accounts and spread through popular packages.
A new malware campaign tied to a malicious npm package push is putting developers and organizations at risk of credential theft and further supply-chain infections. Security researchers at SlowMist flagged the attack after noticing a compromised npm developer account named czirker being used to publish poisoned packages. The campaign makes use of a file that runs automatically during npm install. This allows the attackers to steal sensitive information from developer machines and online repositories.
How The Malware Spreads
Attackers published 23 affected npm packages that include a hostile build configuration file named binding.gyp. This file executes code when a developer runs npm install, so simply installing or updating a package can trigger the malware. One affected package, leo-logger, has about 3,140 weekly downloads, which increases the chance of accidental infection.
Researchers also found 408 GitHub repositories already infected and containing stolen credentials at the time the alert was posted. Those repositories can act as stepping stones to cloud accounts or continuous integration systems, because leaked tokens and keys usually grant wide access.
What The Malware Can Do
Security teams say the campaign is capable of multiple damaging actions. The malware can:
- Steal GitHub tokens and use them to push malicious changes or access private code.
- Steal npm tokens to publish further malicious packages and expand the supply-chain attack.
- Search for and exfiltrate cloud credentials for AWS, GCP and Azure.
- Harvest local environment data and any secrets stored on developer machines.
- Abuse compromised GitHub Actions or workflows to run attacks in CI/CD pipelines.
- Propagate further into the npm ecosystem by publishing more poisoned packages.
Why This Matters
Many development teams rely on open source libraries pulled from npm. A single infected package can affect many projects and developers, especially when packages have hundreds or thousands of weekly downloads. Stolen tokens and keys can give attackers direct access to source code, CI pipelines, servers, and cloud resources, enabling data theft, ransomware, or further backdoor installations.
What Security Teams Should Do Now
SlowMist and other researchers advise immediate and practical steps to limit damage and prevent spread. These steps include:
- Inspect lockfiles and package histories for any of the 23 affected package names or versions. Lockfiles record exact dependency versions, so they help find where an infected package was used.
- Remove or downgrade any projects that depend on the compromised versions. If an alternative safe version exists, move to it; otherwise remove the package until a clean release is available.
- Rotate all potentially exposed secrets, including npm, GitHub, cloud provider, and CI/CD keys. Assume any credential present in affected repositories is compromised.
- Enforce two-factor authentication on GitHub and other developer accounts to reduce token misuse.
- Scan repositories and local machines for suspicious files, stolen credentials, or unexpected workflow changes. Treat any repositories that stored credentials as breached until proven otherwise.
- Audit GitHub Actions and CI workflows for unauthorized changes or new secrets being used during builds.
- Share findings with downstream teams and require developers to check their local environments for signs of infection.
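The first of these steps, checking lockfiles for affected package names, is easy to automate. The script below is an added example and is not code from SlowMist or OX Security: it walks a package-lock.json (both the nested v1 "dependencies" shape and the v2/v3 "packages" map keyed by node_modules path) and reports every occurrence of a package from an affected list, together with the installed version and whether npm recorded an install lifecycle script for it. Only leo-logger is named on the page, so the remaining entries in the list are placeholders to be replaced with the full advisory list; the sample lockfile and its version numbers are constructed for the stand-alone run and say nothing about which real versions were poisoned.

```javascript
// Added example (not from the advisory): find affected npm packages in a lockfile.
// Works for lockfileVersion 1 (nested "dependencies") and 2/3 ("packages").

// Only leo-logger is named in the article; the other name is a placeholder.
const AFFECTED = new Set(["leo-logger", "PLACEHOLDER-affected-package"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(p) {
  const marker = "node_modules/";
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? p : p.slice(idx + marker.length);
}

// Returns [{ name, version, path, installScript }] for every match in the tree.
function findAffected(lock, affected = AFFECTED) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: flat map; the "" key is the root project itself.
    for (const [p, entry] of Object.entries(lock.packages)) {
      if (p === "") continue;
      const name = entry.name || nameFromPath(p); // aliases carry an explicit name
      if (affected.has(name)) {
        hits.push({
          name,
          version: entry.version,
          path: p,
          // npm sets hasInstallScript for packages declaring install lifecycle scripts
          installScript: Boolean(entry.hasInstallScript),
        });
      }
    }
  } else if (lock.dependencies) {
    // v1: recurse through nested dependencies, rebuilding the on-disk path.
    const walk = (deps, parent) => {
      for (const [name, entry] of Object.entries(deps)) {
        const p = `${parent}node_modules/${name}`;
        if (affected.has(name)) {
          hits.push({ name, version: entry.version, path: p, installScript: false });
        }
        if (entry.dependencies) walk(entry.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Read a real lockfile from disk and scan it.
function scanLockfile(file) {
  const fs = require("fs");
  return findAffected(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample lockfile (v3 shape); versions are made up for the demo.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/leo-logger": { version: "9.9.9", hasInstallScript: true },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/leo-logger": { version: "9.9.8" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node scan-lock.js [path/to/package-lock.json]; defaults to the sample.
  const file = process.argv[2];
  const hits = file ? scanLockfile(file) : findAffected(SAMPLE_LOCK);
  for (const h of hits) {
    console.log(`${h.path}  ${h.name}@${h.version}${h.installScript ? "  (install script)" : ""}`);
  }
  console.log(hits.length ? `${hits.length} affected entries found` : "no affected packages");
}

if (typeof module !== "undefined") {
  module.exports = { findAffected, scanLockfile, nameFromPath, SAMPLE_LOCK };
}
```

A nested hit under some-lib shows why the lockfile rather than package.json is the right place to look: the affected package arrives transitively and never appears in the project's own dependency list. Once the full list of 23 names and versions is in hand, the matching can be tightened to exact versions rather than names alone.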
Who Discovered And Where to Follow Updates
SlowMist credited OX Security for in-depth analysis of the campaign. Researchers continue to monitor the situation and recommend following a live GitHub search query that collects related findings. Security teams should monitor official advisories and security feeds for updates.
Final Thoughts
This incident shows how quickly attackers can take advantage of package managers to reach a very large audience. Developers and security teams should treat open source supply chains as critical infrastructure, practise strict credential hygiene, and respond fast when a compromise is reported.