EXECUTIVE SUMMARY:
This advisory describes a supply-chain attack that abuses public package registry behaviors to compromise developer systems and development infrastructure. The attacker publishes seemingly benign packages that reference remote HTTP-hosted dependencies which are not fetched or analyzed by many static dependency tools, causing those remote packages to be retrieved from attacker-controlled servers at install time. Because package managers run lifecycle scripts automatically, the fetched dependency can contain preinstall or install hooks that execute without user interaction, enabling arbitrary code execution in the context where the install runs. Affected systems include developer laptops, build agents, continuous integration pipelines, and any environment that performs automated package installation from the public registry. The observable business impact includes theft of authentication tokens and CI credentials, unauthorized access to source repositories and build or deployment pipelines, potential unauthorized publication of malicious updates to packages maintained by compromised accounts, and downstream contamination through dependency chains. The dynamic control the attacker holds over the remote-hosted dependency allows targeted payload selection and phased activation that can evade static inventories and common scanning approaches; this advisory sticks to factual mechanics and observed impacts without attribution or conjecture.
The attack chain centers on remote dynamic dependencies declared as HTTP URL specifiers, so the package manager fetches code from an attacker-controlled host instead of the registry. The retrieved package contains lifecycle scripts which the package manager runs during installation, producing automatic execution of attacker-supplied JavaScript in the installing environment. Once executing, the payload performs targeted discovery and credential harvesting by searching environment variables, local configuration files and version-control metadata, and known locations for CI/CD credentials. The malware fingerprints the host to prioritize high-value targets such as corporate networks and CI systems. Collected data is exfiltrated via redundant channels: an initial HTTP GET encoding data in a URL, followed by an HTTP POST with JSON, and a fallback WebSocket channel if those fail. Because the attacker controls the remote host, delivered code can be changed dynamically to cloak behavior or target specific victims. The campaign also leverages package name selection that takes advantage of AI-assisted suggestion behaviors, increasing the likelihood that developers install the malicious packages.
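The audit below is an added example, not code from the advisory or from any vendor tool: it checks a manifest for URL-based dependency specifiers and install hooks, and a lockfile for tarballs resolved from hosts outside an allowlist. It assumes npm's `package.json` and `package-lock.json` (v2/v3) layouts; the package names, the `packages.example.invalid` host and the allowlist are constructed for illustration.

```javascript
// Added example: flags URL-based dependency specifiers, install hooks and off-registry lockfile entries.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const REMOTE_SPEC = /^(git\+)?https?:\/\//i;

// Direct dependencies declared as a URL instead of a registry version range.
function findRemoteSpecifiers(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, raw] of Object.entries(manifest[field] || {})) {
      const spec = typeof raw === "string" ? raw.trim() : "";
      if (REMOTE_SPEC.test(spec)) {
        findings.push({ field, name, spec, plaintext: /^(git\+)?http:/i.test(spec) });
      }
    }
  }
  return findings;
}

// Lifecycle hooks that run automatically when the package is installed.
function findInstallHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

// Lockfile v2/v3 "packages" entries whose tarball came from a host outside the allowlist.
function auditLockfile(lock, allowedHosts) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link || typeof entry.resolved !== "string") continue;
    let host = null;
    try { host = new URL(entry.resolved).hostname; } catch { /* not a URL: treat as off-registry */ }
    if (host === null || !allowedHosts.includes(host)) {
      findings.push({ path, resolved: entry.resolved, host,
        hasInstallScript: entry.hasInstallScript === true, hasIntegrity: Boolean(entry.integrity) });
    }
  }
  return findings;
}

// Constructed sample data (hypothetical package names and host), not taken from the campaign.
const sampleManifest = {
  scripts: { preinstall: "node index.js", test: "node test.js" },
  dependencies: { "example-lib": "^1.3.0", "ui-helpers": "http://packages.example.invalid/ui-helpers.tgz" },
};
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "constructed-app" },
  "node_modules/example-lib": { resolved: "https://registry.npmjs.org/example-lib/-/example-lib-1.3.0.tgz", integrity: "sha512-CONSTRUCTED" },
  "node_modules/ui-helpers": { resolved: "http://packages.example.invalid/ui-helpers.tgz", hasInstallScript: true },
} };
console.log(JSON.stringify({ specs: findRemoteSpecifiers(sampleManifest), hooks: findInstallHooks(sampleManifest),
  lock: auditLockfile(sampleLock, ["registry.npmjs.org"]) }, null, 2));
```

Running the lockfile check in CI before any install step surfaces remote tarballs pulled in transitively, which a manifest-only scan of the top-level project cannot see. npm's `ignore-scripts` setting stops lifecycle hooks from running during install.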
The impact includes large-scale credential compromise, unauthorized access to repositories and build systems, and the risk of downstream contamination of dependent projects. The core risk driver is the combination of remotely hosted, unsigned dependencies and automatic lifecycle execution, which creates a blind spot for static dependency inventories and many automated scanners. The attacker’s ability to serve different payloads per request enables selective targeting and researcher evasion, while the exploitation of package-name suggestion behaviors from AI-assisted tools increases accidental installs by trusting developers. These tactics illustrate an intersection of supply-chain manipulation, automated execution in package ecosystems, credential theft, and AI-assisted social engineering. The factual pattern seen here signals a notable evolution in supply-chain abuse: attackers are shifting toward dynamic, infrastructure-controlled delivery models that turn developer convenience features into high-impact intrusion vectors, raising systemic risk across projects that permit unpinned or externally hosted dependencies.
THREAT PROFILE:
| Tactic | Technique ID | Technique |
| --- | --- | --- |
| Reconnaissance | T1592 | Gather Victim Identity Information |
| Resource Development | T1583 | Acquire Infrastructure |
| Initial Access | T1195 | Supply Chain Compromise |
| Execution | T1059 | Command and Scripting Interpreter |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Credential Access | T1552 | Unsecured Credentials |
| Discovery | T1082 | System Information Discovery |
| Collection | T1005 | Data from Local System |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |