cd /news/ai-tools/npm-infostealer-campaign-traced-to-i… · home topics ai-tools article
[ARTICLE · art-55667] src=internationalcyberdigest.com ↗ pub= topic=ai-tools verified=true sentiment=↓ negative

npm Infostealer Campaign Traced to Israeli Cybersecurity Startup

Researchers at OpenSourceMalware.com identified seven malicious npm packages published in June 2026 that acted as infostealers targeting developers in the AI tooling ecosystem, racking up roughly 20,000 downloads. The packages impersonated tools from Anthropic, Vercel, LangChain, Ollama, OpenAI, and Aspect Security, collecting identity data rather than credentials. The npm account behind the campaign was traced to the founder of a stealth-mode cybersecurity startup, which was reported to npm and taken down.

read3 min views1 publishedJul 10, 2026
npm Infostealer Campaign Traced to Israeli Cybersecurity Startup
Image: Internationalcyberdigest (auto-discovered)

Typosquatted packages impersonating Anthropic, Vercel, LangChain, Ollama, OpenAI and Aspect Security quietly profiled developer machines on install. According to OpenSourceMalware.com, the npm account behind them belongs to the founder of a stealth-mode cybersecurity startup.

Researchers at OpenSourceMalware.com say they have identified a cluster of at least seven malicious npm packages, published over two days in late June 2026, that acted as infostealers targeting developers in the AI tooling ecosystem. The packages racked up roughly 20,000 downloads before being removed, according to the report. Every install fired the beacon at least once, so the researchers treat that figure as a floor on the number of machines profiled.

Five of the packages impersonate widely used AI developer tools: anthropic-toolkit

copies Anthropic's SDK, ai-sdk-helpers

copies Vercel's ai

, @langgraphjs/toolkit

mimics LangChain's LangGraph.js, and ollama-helpers

and openai-agents-helpers piggyback on their namesakes. A sixth, @aspect-security/argon2

, squats on the application-security firm Aspect Security and the real argon2

password-hashing library.

How it worked #

The campaign abused npm install-time scripts, the researchers said. When a developer runs npm install

, npm executes any preinstall

or postinstall

script with the user's own permissions, before the library's code is ever imported. On a laptop that means the developer's environment. On a continuous-integration runner it can mean build accounts with cloud credentials attached.

In the AI-tool packages, the working TypeScript shipped in the package was never actually called, according to the analysis. It existed as an alibi, while the real payload sat in a separate postinstall

script. That separation, the researchers note, means the malware succeeds even against developers who audit the code, because the code they read is not the code that runs.

Identity, not credentials #

The most notable finding is what the beacon collected, and what it left alone. The researchers say the script deliberately skipped passwords, API tokens and private keys, and even scrubbed embedded credentials out of git remote URLs. What it took instead was identity: the machine hostname and username, every git and SSH email on the box, up to fifteen teammate email addresses lifted from the project's git reflog, GitHub CLI identity, AWS and Google Cloud profile names and account IDs, the corporate DNS search domain, and metadata about the private project the developer was inside.

The report frames this as a considered choice rather than restraint. A stolen credential is rotated within hours of discovery, the researchers argue, while an identity dossier does not expire and reads as boring traffic in a security review. They describe it as the opening move of a reconnaissance-then-access playbook.

The data was posted to a Google Cloud Run endpoint. Because traffic to run.app

terminates at Google's edge and sits on most enterprise egress allowlists, the researchers say it rides through corporate networks largely unchecked. A Google Cloud project number embedded in the hostname, 228835561205

, ties the artifacts together, including an earlier, cruder version of the beacon shipped in the argon2 package two months prior.

The unusual part #

Almost every npm supply-chain campaign is published from throwaway accounts. This one, the researchers say, was not. They report tracing the account to the founder of a real cybersecurity company that is still in stealth mode but has a live public site and identifiable leadership. They chose not to name the company or the individual, and said they reported the findings to npm and other parties. Both the packages and the account have been taken down.

The report is careful about motive. It rules out a simple smash-and-grab, noting the real-name publishing and the iterative refinement of the technique, and rules out clean security research, noting the live payload and absence of any public disclosure. Its most-favored theory, offered explicitly as speculation, is product seeding: a stealth security startup building a private dataset of real developer environments. The researchers stress they cannot confirm this from static analysis.

Get the ICD Newsletter

Subscribe for source-forward cyber news, OSINT notes, breach updates, and analysis. Have evidence or a lead? Send it to ICD.

── more in #ai-tools 4 stories · sorted by recency
── more on @opensourcemalware.com 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/npm-infostealer-camp…] indexed:0 read:3min 2026-07-10 ·