NPM Typosquatting Nightmare: How a Cybersecurity Startup Founder Stole Developer Identities Through Fake AI Packages + Video

Listen to this Post

Featured Image

Introduction

A sophisticated supply-chain attack targeting the AI developer ecosystem has been uncovered, revealing that a stealth-mode cybersecurity startup founder published typosquatted npm packages to harvest sensitive developer identity data. Between April and June 2026, seven malicious packages impersonating Anthropic, LangChain, Ollama, OpenAI, Vercel, and Aspect Security quietly compromised thousands of developer machines through npm install-time scripts, exfiltrating 11 categories of identity data including Git emails, SSH key comments, cloud configurations, and corporate network fingerprints. What makes this campaign particularly alarming is not just the technical sophistication—it’s the fact that the operator behind these packages is the founder of a cybersecurity company, raising troubling questions about the ethics of product development in the security industry.

Learning Objectives

  • Understand how npm install-time scripts (preinstall/postinstall) can be weaponized to execute arbitrary code without developer awareness
  • Identify the 11 categories of sensitive identity data harvested by the infostealer and the exfiltration techniques used
  • Implement practical detection and mitigation strategies including npm configuration hardening, network monitoring, and package verification

You Should Know

  1. Understanding the Attack Chain: From npm Install to Full Identity Exfiltration

The attack leverages a legitimate npm feature: install-time scripts defined in package.json. When a developer runs npm install, npm downloads the package, unpacks it, and executes any script in the `preinstall` or `postinstall` fields before the developer’s code ever touches the library. These scripts run automatically with the same permissions as the user executing the install—on a developer laptop, that’s full access to dotfiles, SSH keys, and cloud credentials; on a CI runner, it’s the build account with deploy keys and cloud access.

Step-by-step breakdown of the attack:

  1. Package impersonation: The attacker publishes typosquatted packages with names like `anthropic-toolkit` (impersonating @anthropic-ai/sdk), `ai-sdk-helpers` (impersonating Vercel’s ai), and `@langgraphjs/toolkit` (impersonating @langchain/langgraph).

  2. Alibi code in src/: Each package contains legitimate-looking TypeScript utility files (retry.ts, stream-to-string.ts, etc.) that are never actually executed—they exist purely to pass visual inspection.

  3. Malicious payload in scripts/postinstall.js: The real payload—461 lines, 16 KB of hand-written JavaScript—executes during installation.

  4. Data harvesting: The script collects 11 categories of data in seconds:

– Machine identity: hostname, OS username, Windows DOMAIN\USER
– Git identity: reads ~/.gitconfig, ~/.config/git/config, and project .git/config
– GitHub identity: extracts user from ~/.config/gh/hosts.yml
– Reflog scraping: walks up 10 directory levels, opens .git/logs/HEAD, extracts up to 15 unique committer email addresses
– Git remote: reads project’s remote origin URL
– SSH key comments: reads every file in ~/.ssh/.pub, extracting email comments
– Cloud environment: reads ~/.config/gcloud/properties and ~/.aws/config
– Corporate network fingerprint: reads /etc/resolv.conf for search domain
– Host project metadata: climbs directory tree reading package.json
– CI provider: checks for GITHUB_ACTIONS, GITLAB_CI, JENKINS_URL, etc.
– Runtime metadata: Node.js version, OS, CPU architecture, timestamp

  1. Exfiltration: The script POSTs all collected data as a single JSON payload to a Google Cloud Run URL (npm-package-logger-228835561205.europe-west1.run.app). The `.run.app` domain is TLS-encrypted and on most enterprise allowlists, making it an ideal exfiltration channel.

  2. Silent failure: The script uses a 5-second timeout and silently swallows all errors—even if exfiltration fails, the install succeeds and the developer never notices.

2. Detecting Typosquatted Packages: A Practical Guide

Typosquatting relies on developers making small mistakes when typing package names. Here’s how to protect your team:

Manual verification steps:

 Before installing any package, verify its authenticity
npm view <package-1ame> versions --json  Check version history
npm view <package-1ame> maintainers  Verify maintainer identity
npm view <package-1ame> repository.url  Check if repo matches official source
npm view <package-1ame> homepage  Verify official website

Version backfilling detection: Attackers often publish many versions in a single day to make packages appear mature. Check the actual first-published timestamp:

 Get the exact publish time of the first version
npm view <package-1ame> time --json | jq '.[] | select(. != "modified" and . != "created") | .' | sort

Automated detection with npm audit and tools:

 Use npm audit to check for known vulnerabilities
npm audit --json | jq '.advisories | keys'

Use Snyk (install first: npm install -g snyk)
snyk test <package-1ame>

Use Socket.dev CLI (install: npm install -g @socketsecurity/cli)
socket scan <package-1ame>

Windows PowerShell verification:

 Check package details
npm view <package-1ame> versions --json | ConvertFrom-Json | Measure-Object
npm view <package-1ame> maintainers
npm view <package-1ame> repository.url

CI/CD pipeline integration: Add these checks to your `.github/workflows/` or CI scripts:

 .github/workflows/npm-audit.yml
name: NPM Security Scan
on: [bash]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: npm install -g @socketsecurity/cli
- run: socket scan --all
- run: npm audit --audit-level=high

3. Blocking Install-Time Script Execution: The Nuclear Option

The most effective defense against this class of attack is to disable install-time scripts entirely.

Global disable (npm):

 Disable scripts globally
npm config set ignore-scripts true

Verify setting
npm config get ignore-scripts

Project-level disable (.npmrc):

 Place in .npmrc at project root
ignore-scripts=true

pnpm equivalent (.npmrc):

 For pnpm users
ignore-scripts=true

Yarn equivalent:

 Yarn 2+ (Berry) - add to .yarnrc.yml
enableScripts: false

Windows (PowerShell):

 Set npm config globally
npm config set ignore-scripts true

Or set environment variable for current session
$env:NPM_CONFIG_IGNORE_SCRIPTS = "true"

Important caveat: Disabling scripts breaks packages that legitimately need to compile native extensions (e.g., bcrypt, sharp, node-gyp). Consider using a per-package allowlist or running security-sensitive installs in isolated environments.

Selective allowlist approach:

 Install with scripts enabled for trusted packages only
npm install <trusted-package> --ignore-scripts=false

Or use a tool like npm-whitelist-scripts
npx npm-whitelist-scripts <package-1ame>

4. Network Monitoring: Detecting Exfiltration to Serverless PaaS

The attackers in this campaign used Google Cloud Run (.run.app) as their exfiltration endpoint. This traffic is often overlooked because it terminates TLS at Google’s edge and uses domains on most enterprise allowlists.

Linux – Monitor outbound connections to Cloud Run domains:

 Monitor all outbound connections to .run.app domains
sudo tcpdump -i any -1 'dst host .run.app' -v

Log all HTTPS connections to Cloud Run
sudo tcpdump -i any -1 'tcp port 443 and (dst host .run.app)' -w cloudrun_traffic.pcap

Analyze with tshark
tshark -r cloudrun_traffic.pcap -Y 'http.host contains "run.app"' -T fields -e http.host -e ip.dst

Windows – Monitor with PowerShell and netsh:

 Start packet capture for outbound HTTPS
netsh trace start capture=yes provider=Microsoft-Windows-Kernel-1etwork tracefile=C:\capture.etl

Filter for Cloud Run domains (requires additional tools)
 Use Sysmon or Windows Defender Firewall with advanced security logging

Firewall blocking (Linux – iptables):

 Block all outbound traffic to .run.app domains
sudo iptables -A OUTPUT -d .run.app -j DROP

Or use a more specific approach with domain blocking via dnsmasq
echo "address=/.run.app/0.0.0.0" | sudo tee -a /etc/dnsmasq.conf
sudo systemctl restart dnsmasq

Enterprise egress filtering: Consider implementing egress controls that inspect or restrict outbound traffic to serverless PaaS hostnames. Use a proxy or CASB (Cloud Access Security Broker) to inspect TLS-encrypted traffic.

  1. The Evolution of a Threat Actor: From Crude to Polished

The campaign shows a clear evolution from a crude April 2026 test (@aspect-security/argon2) to a sophisticated June 2026 operation.

April version (`@aspect-security/argon2`):

  • Used `preinstall` hook (fires before npm does anything else)
  • 601-byte script collecting only hostname and git email
  • Shelled out to `git config user.email` (easier to log)
  • No error handling—network errors would crash the install
  • No opt-out mechanism
  • No cover-story comments

June version (AI-SDK packages):

  • Used `postinstall` hook (fires after unpacking)
  • 16 KB script collecting full identity graph
  • Read git config files directly (no shell subprocess)
  • Silent error handling—guaranteed to complete
  • Named opt-out via environment variables
  • Elaborate “anonymous telemetry” cover story

How to detect evolution patterns:

 Check version history for sudden size changes
npm view <package-1ame> dist --json | jq '. | {version: .version, size: .size}'

Compare package contents across versions
npm pack <package-1ame>@<version>
tar -tzf <package-1ame>-<version>.tgz | grep -E "(preinstall|postinstall)"
  1. The Argon2 Case Study: A Masterclass in Social Engineering

The `@aspect-security/argon2` package demonstrates sophisticated social engineering that goes far beyond simple typosquatting:

The layered con:

  1. Scope squatting: `@aspect-security` impersonates Aspect Security, a well-known application-security consulting firm
  2. Package name squatting: `argon2` impersonates the real, widely-used npm package for Argon2 password hashing
  3. Maintainer impersonation: README claims collaboration with @ranisalt, the real argon2 maintainer
  4. Fabricated evidence: Claims “54.2% of common Node.js environments fail to build” with a fake Hugging Face dataset citation
  5. SEO bait: Troubleshooting section listing exact error messages from real argon2 build failures

Detection script for Argon2 impersonation:

!/bin/bash
 check-argon2.sh - Verify argon2 package authenticity

PACKAGE="@aspect-security/argon2"

echo "Checking $PACKAGE for impersonation indicators..."

Check if package exists
if npm view $PACKAGE 2>/dev/null; then
echo "⚠️ Package exists! Checking for red flags..."

Check maintainer claims
README=$(npm view $PACKAGE readme)
if echo "$README" | grep -q "ranisalt"; then
echo "🔴 RED FLAG: Claims collaboration with @ranisalt (verify independently)"
fi

Check for fake statistics
if echo "$README" | grep -q "54.2%"; then
echo "🔴 RED FLAG: Contains fabricated statistic"
fi

Check for fake citation
if echo "$README" | grep -q "huggingface.co/datasets/security-benchmarks"; then
echo "🔴 RED FLAG: References non-existent dataset"
fi
else
echo "✅ Package not found (good) or has been removed"
fi
  1. Incident Response: What to Do If You’ve Been Compromised

If your team installed any of the malicious packages between April and June 2026, take immediate action:

Step 1: Identify affected machines

 Check npm global and local installations
npm list -g --depth=0 | grep -E "(anthropic-toolkit|ai-sdk-helpers|ollama-helpers|openai-agents-helpers|@langgraphjs/toolkit|@aspect-security/argon2)"

Check package-lock.json and yarn.lock
grep -E "(anthropic-toolkit|ai-sdk-helpers|ollama-helpers|openai-agents-helpers|@langgraphjs/toolkit|@aspect-security/argon2)" package-lock.json yarn.lock 2>/dev/null

Step 2: Rotate all credentials

The attackers collected identity fingerprints including:

  • Git emails and commit history
  • SSH key comments (which often contain email addresses)
  • AWS profile names and account IDs
  • GCP project IDs and account emails
  • Corporate DNS domains
  • Private repository names

While the script did not steal actual credentials (AWS keys, SSH private keys, OAuth tokens), the collected identity data is sufficient for targeted spear-phishing and social engineering.

Step 3: Rotate the following immediately:

  • Git personal access tokens
  • GitHub/GitLab SSH keys (generate new ones and update all services)
  • Cloud IAM credentials (AWS access keys, GCP service account keys)
  • Any credentials exposed in git reflog or environment variables

Step 4: Monitor for follow-on attacks

 Check for unusual outbound connections
sudo netstat -tnap | grep ESTABLISHED | grep -vE "(127.0.0.1|::1)"

Check for new SSH keys added
ls -la ~/.ssh/

Check cloud audit logs for unusual access
 AWS: aws cloudtrail lookup-events --max-items 100
 GCP: gcloud logging read "protoPayload.methodName="

Step 5: Report the incident

Report the compromise to:

  • npm Security: [email protected]
  • Your organization’s security team
  • Relevant cloud providers (AWS, GCP, etc.)

What Undercode Say

  • Install-time scripts are the most overlooked attack vector in the npm ecosystem — Runtime code review, dependency scanning, and SBOM tooling are all blind to this class of attack because the malicious code never runs when the package is used; it only runs during installation. The 461-line postinstall script executes in the couple of seconds between `npm install` firing and the terminal returning to the prompt, long before any runtime security tool would inspect the package.

  • “Recon-only” payloads are not benign—they’re arguably more dangerous than credential theft — While the attacker technically avoided stealing credentials (no private keys, no AWS access keys, no OAuth tokens), the exfiltrated identity data (hostname, all email addresses, GitHub login, employer DNS domain, AWS profile names, GCP project IDs, private repository names, and colleague emails) doesn’t expire. This data is the raw material for sophisticated follow-on attacks including spear-phishing, targeted social engineering, and credential theft that occurs weeks later. The author’s decision to skip credential files was not restraint—it was a calculated choice to make the traffic look boring in security reviews while building a permanent identity dossier.

Analysis:

The most disturbing aspect of this campaign is the identity of the operator—the founder of a stealth-mode cybersecurity startup. This isn’t an opportunistic data thief using throwaway accounts. The technical sophistication (polished 16 KB beacon with cover-story comments, version backfilling to defeat reputation tools, layered social engineering with fabricated statistics and impersonated maintainers), the iterative evolution from crude April test to polished June campaign, and the choice to publish under a real identity all point to a calculated, commercial motivation: product seeding. A stealth startup needs a dataset to build detection models or attribution intelligence, and tens of thousands of real developer profiles (hostnames, git emails, cloud configs, employer DNS domains) is an enormous competitive advantage. The line between security research and criminal activity has become dangerously blurred—and the industry is still not equipped to distinguish between legitimate telemetry and sophisticated data harvesting.

Prediction

-1: The npm ecosystem will see a surge in similar campaigns as other threat actors adopt the techniques demonstrated here—version backfilling, serverless PaaS exfiltration, and “recon-only” identity harvesting. The AI developer community, with its fast-moving, high-trust culture, will remain the primary target.

-1: Traditional security tools (SAST, DAST, dependency scanners) will continue to miss install-time attacks because they focus on runtime code execution. A new category of “install-time security” tooling will need to emerge, but adoption will lag behind attacker innovation.

+1: The public disclosure of this campaign has already resulted in the removal of all malicious packages and the npm account. This serves as a deterrent and raises awareness among developers about the risks of install-time scripts.

-1: Serverless PaaS platforms (Cloud Run, AWS Lambda, Azure Functions) will become the exfiltration channel of choice for supply-chain attackers because their domains are on enterprise allowlists and their traffic is TLS-encrypted end-to-end. Enterprise security teams will need to implement egress filtering specifically targeting these platforms.

-1: The ethical boundary between security research and criminal activity will become increasingly difficult to police. The “product seeding” justification—that collecting real developer data is necessary for building detection products—will be used by others to rationalize similar behavior. The industry needs clear guidelines on what constitutes acceptable research versus unauthorized data collection.

+1: The campaign’s reliance on `postinstall` scripts has a simple mitigation: npm config set ignore-scripts true. As awareness grows, more organizations will adopt this configuration, significantly reducing the attack surface for this class of threat.

▶️ Related Video (78% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: We Uncovered – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky