← All stories

Infosecurity Magazine

Npm Supply Chain Malware Attack Targets Developers With Worm-Like Propagation

2026-04-24 · Read original ↗

ATT&CK techniques detected

5 predictions

T1195.001Compromise Software Dependencies and Development Tools

100%

“standard https webhook and an icp endpoint. data can be encrypted using aes - 256 and rsa methods, though plaintext fallback is possible. self - propagation and possible repository compromise a key feature of the malware is its ability to spread. the malware extracts npm tokens, …”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1195.001Compromise Software Dependencies and Development Tools

98%

“npm supply chain malware attack targets developers with worm - like propagation malicious npm packages have been identified distributing malware that steals credentials and attempts to spread across developer ecosystems. according to new research from socket, the activity mirrors…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1587Develop Capabilities

85%

“standard https webhook and an icp endpoint. data can be encrypted using aes - 256 and rsa methods, though plaintext fallback is possible. self - propagation and possible repository compromise a key feature of the malware is its ability to spread. the malware extracts npm tokens, …”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1587Develop Capabilities

78%

“npm supply chain malware attack targets developers with worm - like propagation malicious npm packages have been identified distributing malware that steals credentials and attempts to spread across developer ecosystems. according to new research from socket, the activity mirrors…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1204.005Malicious Library

34%

“standard https webhook and an icp endpoint. data can be encrypted using aes - 256 and rsa methods, though plaintext fallback is possible. self - propagation and possible repository compromise a key feature of the malware is its ability to spread. the malware extracts npm tokens, …”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

Summary

Malicious npm packages spread via worm-like propagation and steal developer credentials