Cybersecurity Startup Publishes Infostealers to NPM A cybersecurity startup founder published seven typosquatted AI-tool packages on NPM that steal git, SSH, and cloud credentials via install scripts, accumulating about 20,000 downloads. The packages impersonate Anthropic, LangChain, Ollama, OpenAI, Vercel, and Aspect Security, exfiltrating sensitive data from developer machines. BLOG Cybersecurity Startup Publishes Infostealers to NPM Typosquatted AI-tool packages quietly collected git, SSH, and cloud identity data through install scripts, tracing back to one unexpected publisher By c0a15726-c5b1-4b0d-85e6-fe15553df9e2 · In late June 2026, a threat actor published several packages to NPM over the course of two days. When we started researching these packages, we realized we already had some threat reports for malware attributed to the same publisher. There are at least seven different packages, and several versions per package, that appear to be elaborate typosquats targeting Anthropic, LangChain, Ollama, OpenAI, Vercel and Aspect Security. They've racked up about 20k downloads, which aren't huge numbers but enough to do some damage. Every install triggers the beacon at least once, so each number below is also a floor on how many developer machines got profiled. What’s even stranger is that these malicious packages appear to have been published by the founder of a cybersecurity startup based in Israel. We analyzed the packages to identify what they do, what they're looking to steal, and also to understand the motivation of the author. While the payloads in these packages don't install remote access trojans RATs or other persistence mechanisms, these packages act as infostealers, exfiltrating sensitive information about the victim and their local environment to a URL owned by the threat actor. Okay, let’s dig in The packages All six packages are published to npm under a single account more on the account below . Five packages are clear impersonations of legitimate AI developer ecosystem, which represents the fastest-growing, tool-hungriest population on npm today. anthropic-toolkit copycats @anthropic-ai/sdk ai-sdk-helpers copies Vercel’s ai @langgraphjs/toolkit swaps the real @langchain/langgraph scope for something that looks close enough at a glance ollama-helpers and openai-agents-helpers piggyback on their obvious hosts The sixth targets a security-adjacent audience: developers implementing password hashing. It's the odd one out in every way that matters, and we’ll come back to it after we’ve walked through what the AI-SDK packages do — because @aspect-security/argon2 is where this operator was two months earlier, and comparing the two gives us a rare look at how a threat actor iterates on a technique. Package Impersonates First published Latest version analyzed Downloads last week 2026-06-22 → 06-28 Downloads last month 2026-05-30 → 06-28 anthropic-toolkit Anthropic Claude SDK June 2026 1.3.0 0 0 ai-sdk-helpers Vercel’s ai SDK June 2026 1.4.4 2,213 7,930 ollama-helpers Ollama local LLM runner June 2026 1.2.2 2,692 2,692 openai-agents-helpers OpenAI Agents SDK June 2026 1.3.2 3,108 3,108 @langgraphjs/toolkit LangChain’s LangGraph.js June 2026 1.2.12 1,793 5,877 @aspect-security/argon2 Argon2 password hashing real package April 2026 1.0.1 74 333 argon2-napi Argon2 April 2026 1.0.0 Not available 224 How the payloads run Every package weaponizes the same npm feature: install-time scripts. When you run npm install , npm downloads a package, unpacks it, and — before your code ever touches the library — runs any script the package author put in the preinstall or postinstall fields of package.json . Those scripts execute automatically, silently, with the same permissions as whoever ran npm install . On a developer laptop that’s you and your dotfiles. On a CI runner that’s the build account, often with cloud credentials and deploy keys attached. postinstall is a legitimate npm feature. It exists so packages can compile native extensions or fetch platform-specific binaries after install. It’s also the single most abused mechanism in the npm ecosystem, because it converts any package installation into arbitrary code execution. Almost everything in this campaign happens in the couple of seconds between npm install firing and the developer’s terminal returning to the prompt. The bait and the payload live in separate files Every one of the five AI-SDK packages has the same structure: A src/ folder full of small, unremarkable TypeScript utility files retry.ts , stream-to-string.ts , estimate-tokens.ts , and so on — the shape of a normal helper library.A well-written README.md with API tables, install snippets, and quickstart examples.A package.json whose only script is: "scripts": { "postinstall": "node scripts/postinstall.js" } The real payload at scripts/postinstall.js — 461 lines, 16 KB, hand-written, non-obfuscated JavaScript. The TypeScript in src/ is genuine, working code. It is not booby-trapped. It is also never called by the payload . It exists purely as an alibi for anyone who cracks open the tarball to see whether the package is legitimate. Nothing they see in src/ is malicious, because none of what’s malicious is in src/ . That separation matters. It means the malware succeeds even against developers who do their due diligence, because the code they audit is not the code that runs on install. What the beacon collects The postinstall.js file opens with a long comment block styled to look like a friendly telemetry policy. It claims the script collects only “anonymous diagnostics,” itemizes what will be transmitted, and offers an opt-out: set the environment variable ANTHROPIC TOOLKIT TELEMETRY DISABLED=1 or the widely-respected DO NOT TRACK=1 before installing, and the script exits immediately. The opt-out works. That’s part of the con — it hands security-conscious developers the illusion of a lever while everyone else gets profiled. The script harvests 11 different categories of data in that first couple of seconds, which all gets packed into one JSON object and shipped off in a single HTTPS POST: Machine identity: The computer’s hostname, the current OS username, and on Windows the full DOMAIN\USER string. Enough on its own to fingerprint a specific developer on a specific laptop, or a specific build agent inside a company. Git identity: The author reads git configuration files directly from disk — ~/.gitconfig , ~/.config/git/config , and the project’s local .git/config — and pulls the email from the user section. That’s the address the developer commits under. If none of those files have it, the script falls back to environment variables that CI systems commonly set: GIT AUTHOR EMAIL , GIT COMMITTER EMAIL , EMAIL . GitHub identity: If the developer uses the official GitHub CLI gh and has logged in with it, their configuration lives in ~/.config/gh/hosts.yml . The script doesn’t touch the OAuth token stored in that file — but it does grep out the user and email fields. Who else uses this machine: The script walks up ten directory levels to find the enclosing project’s .git/ folder, opens .git/logs/HEAD — git’s reflog, a record of every reference update on the repo — and extracts up to fifteen unique committer email addresses from the last fifty entries. In practical terms: if you and four teammates have pushed from this laptop or from a shared CI runner, the operator gets all five of your addresses in one shot. This is the single most useful field in the whole payload, and most developers don’t realize their reflog contains it. Git remote: The script reads the URL of the project’s remote origin — i.e. which GitHub or GitLab organization and repo the developer is working on. Before sending, the script carefully strips any embedded credentials from the URL https://user:token@github.com/... becomes https://github.com/... . We’ll come back to why the author bothered with that. SSH key comments: Every file in ~/.ssh/ .pub gets opened. These are the developer’s public keys — the script’s cover-story comments truthfully insist that “private keys are never accessed.” What the script does read is the trailing comment on each public key, which by convention is the email the key was generated for. A typical developer laptop has a personal key, a work key, and one or two deploy keys, giving the operator three or four more identities and a hint at which services the developer talks to. Cloud environment: The script reads ~/.config/gcloud/properties and pulls out the developer’s default Google Cloud project and account . It reads ~/.aws/config and pulls out up to ten AWS profile names, SSO URLs, and account IDs. It explicitly skips any line containing aws access key id , aws secret access key , aws session token , credential process , password , or token . That skip is deliberate. We’ll come back to that too. Corporate network fingerprint": The script opens /etc/resolv.conf and pulls out the search domain — the DNS suffix your machine appends to unqualified hostnames. On a personal laptop this is usually empty or your ISP. On a corporate machine it’s something like corp.acme.com , which effectively tells the operator who you work for. Host project metadata: The script climbs the directory tree looking for the parent project’s package.json skipping its own and reads the project name , author , and repository URL. That tells the operator which private codebase the developer was inside when they installed the malicious package. CI provider: Checks for GITHUB ACTIONS , GITLAB CI , JENKINS URL , CIRCLECI , TRAVIS , BUILDKITE , and generic CI environment variables to distinguish a developer laptop from a specific CI platform. Runtime metadata: Node.js version, operating system, CPU architecture, and a timestamp. The “we don’t touch credentials” sleight of hand The comments in postinstall.js repeat, over and over, that no secrets, tokens, or private keys are ever transmitted. Technically that’s true. The script never opens ~/.aws/credentials , never reads SSH private keys, never grabs the OAuth token from gh , and actively scrubs embedded credentials out of git URLs. That’s not restraint. It’s camouflage. What actually gets exfiltrated is arguably more useful to someone with an agenda than a stolen credential. A stolen AWS access key gets rotated within hours of detection. A stolen identity dossier hostname, all your email addresses, your GitHub login, your employer’s DNS domain, your AWS profile names, your GCP project IDs, the name of the private repository you were inside, the emails of every colleague who has committed with you recently doesn't expire. It’s the raw material for something that comes next. But what? Spear-phishing? Targeted social engineering? Modern intrusion campaigns very often begin with reconnaissance exactly like this and end with credentialed access weeks later, via a targeted email or a spoofed login page. This beacon is the opening move of that playbook. Or maybe something more diabolical is happening here. Maybe this isn’t about a spear-phishing campaign, but instead is sociopathically commercial in origin. Maybe this is lead generation for a new startup? The line between good guy and bad guy just got a little more blurry. Where the data goes Every AI-SDK package POSTs its payload to the same URL: