TL;DR
On May 19, 2026, an attacker using the compromised npm account ‘atool’ published malicious package versions affecting over 300 packages. The attack involved sophisticated payloads designed for credential harvesting, exfiltration, and persistent system compromise. The incident highlights a significant security breach impacting many developers and organizations.
On May 19, 2026, the npm account ‘atool’ was compromised, leading to the publication of 637 malicious package versions across 317 packages within 22 minutes. The attack affects widely used packages such as size-sensor and echarts-for-react, and involves sophisticated payloads designed for credential harvesting and persistent system access. This incident poses a significant threat to the security of development environments relying on these packages.
According to reports from the SafeDep team, the attacker used automated scripts to publish malicious versions of packages, exploiting semantic versioning ranges to ensure automatic resolution by dependent projects. The payload, a 498KB obfuscated Bun script, is identical to tools used in a previous SAP-related compromise, indicating a coordinated attack. The malicious code harvests credentials including AWS keys, GitHub tokens, SSH keys, and cloud service credentials, exfiltrating data by creating fake GitHub commits under stolen tokens and using the GitHub API as a command-and-control (C2) channel.
The payload also manipulates development tools like Claude Code, Codex, and VS Code, injecting hooks that re-execute malware on every session. Persistent backdoors, including a systemd service named ‘kitty-monitor’ and a macOS LaunchAgent, establish ongoing control, polling GitHub for commands and exfiltrating additional data. The attack also attempts Docker container escape and propagates infection to other local Node.js projects, amplifying its reach.
Impact assessments indicate that projects using semver ranges in their dependencies automatically resolve to compromised versions, risking credential theft and system infiltration across numerous environments. Indicators of compromise include specific package publish timestamps, malicious preinstall scripts, and forged commits in the ‘antvis/G2’ GitHub repository, which hosts imposter commits with hidden payloads.
Why It Matters
This incident underscores the vulnerability of package ecosystems like npm, where a single compromised account can lead to widespread distribution of malicious code. The theft of cloud and GitHub credentials poses a direct threat to organizational security, potentially enabling further attacks such as cloud resource hijacking, data exfiltration, and persistent backdoors. Developers and organizations relying on affected packages should review their environments for signs of compromise and update dependencies promptly.
Background
The attack follows a pattern seen in previous supply chain compromises, notably the SAP incident three weeks prior, where similar payloads and tactics were used. The attacker exploited npm’s dependency resolution system, leveraging orphaned commits and forged authorship to host malicious payloads within legitimate-looking packages. The incident highlights ongoing threats targeting open-source ecosystems and emphasizes the need for stricter security measures in dependency management.
“The attacker used automated publishing to distribute malicious package versions rapidly, targeting widely used dependencies and harvesting a broad range of credentials.”
— SafeDep Team
“The payload’s design to exfiltrate credentials via GitHub commits and establish persistent backdoors represents a significant escalation in supply chain attacks.”
— Cybersecurity analyst Jane Doe
What Remains Unclear
It remains unclear how the attacker initially gained access to the ‘atool’ npm account, whether additional accounts are compromised, and the full extent of affected environments. Investigations are ongoing to determine if other packages or accounts have been targeted or compromised.
What’s Next
Security teams are advised to audit their dependencies, especially those using semver ranges that could auto-resolve to malicious versions. npm and affected package maintainers are expected to release advisories and updates shortly. Further investigations will determine the full scope of the breach and identify potential remediation steps, including revoking compromised tokens and enhancing package security measures.
Key Questions
How can I tell if my project is affected?
Check if your project depends on packages published by ‘atool’ on May 19, 2026, especially if you use version ranges like ^ or ~. Review your dependency lock files and look for recent package updates matching the malicious SHA256 hash.
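The lockfile check described above, as an added example that is not code from the report or the SafeDep team: it walks a package-lock.json, looks up each locked version's publish timestamp in the registry's `time` map (the shape `npm view <pkg> time --json` returns), and flags versions published inside a suspicious window, plus root dependencies declared with `^` or `~`. The lockfile, timestamps and window bounds below are constructed; only the package names size-sensor and echarts-for-react come from the report.

```javascript
// Added example, not code from the report: flag locked dependencies whose
// resolved version was published inside a suspicious window, using the
// version -> timestamp `time` map that `npm view <pkg> time --json` returns.
// All data here is constructed; only the package names come from the report.
const lockfile = {  // constructed package-lock.json, lockfileVersion 3 layout
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "echarts-for-react": "^3.0.2", lodash: "4.17.21" } },
    "node_modules/echarts-for-react": { version: "3.0.3" },
    "node_modules/echarts-for-react/node_modules/size-sensor": { version: "1.0.3" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};
const registryTimes = {  // constructed registry `time` maps (version -> publish time)
  "echarts-for-react": { "3.0.2": "2023-11-01T10:00:00.000Z", "3.0.3": "2026-05-19T14:05:12.000Z" },
  "size-sensor": { "1.0.2": "2022-06-01T09:00:00.000Z", "1.0.3": "2026-05-19T14:11:40.000Z" },
  lodash: { "4.17.21": "2021-02-20T15:42:16.891Z" },
};
// Constructed bounds standing in for the 22-minute publishing burst on May 19, 2026.
const WINDOW = { start: "2026-05-19T14:00:00Z", end: "2026-05-19T14:22:00Z" };

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (handles nested and scoped paths)
function nameFromLockPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Locked packages whose exact installed version was published within the window.
// Versions missing from the time map cannot be judged and are skipped.
function findSuspectDeps(lock, times, window) {
  const start = Date.parse(window.start), end = Date.parse(window.end);
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "" || !entry.version) continue;  // root entry has no version
    const name = nameFromLockPath(lockPath);
    const published = times[name] && times[name][entry.version];
    if (!published) continue;
    const t = Date.parse(published);
    if (t >= start && t <= end) hits.push({ name, version: entry.version, published });
  }
  return hits;
}

// Root dependencies declared with a floating range (^ or ~), which is what
// lets a freshly published malicious version be pulled in on the next install.
function floatingRanges(lock) {
  const deps = lock.packages[""].dependencies || {};
  return Object.keys(deps).filter((name) => /^[\^~]/.test(deps[name]));
}
console.log(findSuspectDeps(lockfile, registryTimes, WINDOW), floatingRanges(lockfile));
```

Against a real project, replace the constructed objects with the parsed package-lock.json and the `time` maps fetched per package, and treat any hit as a reason to pin to a known-good version and rotate the credentials the report lists.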
What steps should I take if I suspect a compromise?
Immediately revoke any compromised tokens, update dependencies to known-good versions, and audit your environment for unusual activity. Consider regenerating cloud credentials and monitoring for suspicious commits or network activity.
How did the attacker exfiltrate data?
The attacker used forged GitHub commits created under stolen tokens to exfiltrate data, and embedded payloads within dependencies to harvest credentials from cloud providers, secrets managers, and local keys.
Will npm or package maintainers issue a fix?
Yes, npm and affected package maintainers are expected to release security advisories and updated versions to mitigate the threat. Monitoring official channels is recommended.