MEDIUMSupply Chain
Global

Inside a 176-Package npm Campaign Built to Beat Your Internal Dependencies

·Source: Sonatype (Maven/npm)

Updated:

Executive Summary

<img src="https://www.sonatype.com/hubfs/blog-176-malicious-npm-packages.png" alt="Image with text describing discovery of 176 malicious packages in the npm registry, notably with technique of dependency

Analysis

The latest malware campaign uncovered by Sonatype researchers involved 176 malicious npm packages, many published with the exact same version number: 99.99.99 .

Indicators of Compromise (3)

URL (2)
https://www.sonatype.com/blog/inside-a-176-package-npm-campaign-built-to-beat-your-internal-dependencies
VirusTotalURLhaus
https://www.sonatype.com/hubfs/blog-176-malicious-npm-packages.png
VirusTotalURLhaus
Domain (1)
www.sonatype.com
VirusTotalURLhaus
Source Attribution

Originally published by Sonatype (Maven/npm) on May 28, 2026.

Related Threats

HIGHSupply Chain

Infected Red Hat npm packages expose developer credentials

Developers who pulled packages from Red Hat’s @redhat-cloud-services npm namespace over the weekend got a secret-stealing worm instead. Security researchers from several cybersecurity outlets are warning of a new supply chain attack compromising over 30 Red Hat Cloud Services-related npm packages to steal credentials, authentication tokens, and other secrets from developer environments. The campai

CSO Online
MEDIUMSupply Chain

Attackers Hijack Red Hat npm Scope to Steal Cloud Secrets

Attackers backdoored 32 packages in Red Hat's official npm scope to steal cloud and CI secrets

Infosecurity Magazine
HIGHSupply Chain

Attack targeting OpenAI Codex users exposes AI software supply chain risks

A malicious npm package posing as a remote user interface for OpenAI Codex exfiltrated developer authentication tokens, after attackers allegedly published code to npm that was not visible in the project’s public GitHub repository. Researchers at Aikido said the package, called codexui-android, appeared to offer legitimate functionality while collecting authentication tokens and sending them to an

CSO Online