Close Menu
TechurzTechurz
    What's Hot

    IQM, Europe’s first public quantum company, admits the future of the tech is uncertain

    July 2, 2026

    Indian tech tycoon bets $30M of his own money to build AI alternative to Microsoft Office

    July 2, 2026

    Bending Spoons defies SaaS slump, surges 40% on first day of trading

    July 1, 2026
    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    Tech Pulse
    • IQM, Europe’s first public quantum company, admits the future of the tech is uncertain
    • Indian tech tycoon bets $30M of his own money to build AI alternative to Microsoft Office
    • Bending Spoons defies SaaS slump, surges 40% on first day of trading
    • Humble Robotics’ CEO says the tech finally caught up to the vision for autonomous vehicles
    • Autonomous vehicle hype is back, and Humble Robotics is bringing it to freights
    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    TechurzTechurz
    • Home
    • Tech Pulse
    • Future Tech
    • AI Systems
    • Cyber Reality
    • Disruption Lab
    • Signals
    TechurzTechurz
    Home - Cyber Reality - 40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials
    Cyber Reality

    40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials

    TechurzBy TechurzSeptember 16, 2025Updated:May 10, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Sep 16, 2025Ravie LakshmananMalware / Cyber Attack

    Cybersecurity researchers have flagged a fresh software supply chain attack targeting the npm registry that has affected more than 40 packages that belong to multiple maintainers.

    “The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling automatic trojanization of downstream packages,” supply chain security company Socket said.

    The end goal of the campaign is to search developer machines for secrets using TruffleHog’s credential scanner and transmit them to an external server under the attacker’s control. The attack is capable of targeting both Windows and Linux systems.

    The following packages have been identified as impacted by the incident –

    • angulartics2@14.1.2
    • @ctrl/deluge@7.2.2
    • @ctrl/golang-template@1.4.3
    • @ctrl/magnet-link@4.0.4
    • @ctrl/ngx-codemirror@7.0.2
    • @ctrl/ngx-csv@6.0.2
    • @ctrl/ngx-emoji-mart@9.2.2
    • @ctrl/ngx-rightclick@4.0.2
    • @ctrl/qbittorrent@9.7.2
    • @ctrl/react-adsense@2.0.2
    • @ctrl/shared-torrent@6.3.2
    • @ctrl/tinycolor@4.1.1, @4.1.2
    • @ctrl/torrent-file@4.1.2
    • @ctrl/transmission@7.3.1
    • @ctrl/ts-base32@4.0.2
    • encounter-playground@0.0.5
    • json-rules-engine-simplified@0.2.4, 0.2.1
    • koa2-swagger-ui@5.11.2, 5.11.1
    • @nativescript-community/gesturehandler@2.0.35
    • @nativescript-community/sentry 4.6.43
    • @nativescript-community/text@1.6.13
    • @nativescript-community/ui-collectionview@6.0.6
    • @nativescript-community/ui-drawer@0.1.30
    • @nativescript-community/ui-image@4.5.6
    • @nativescript-community/ui-material-bottomsheet@7.2.72
    • @nativescript-community/ui-material-core@7.2.76
    • @nativescript-community/ui-material-core-tabs@7.2.76
    • ngx-color@10.0.2
    • ngx-toastr@19.0.2
    • ngx-trend@8.0.1
    • react-complaint-image@0.0.35
    • react-jsonschema-form-conditionals@0.3.21
    • react-jsonschema-form-extras@1.0.4
    • rxnt-authentication@0.0.6
    • rxnt-healthchecks-nestjs@1.0.5
    • rxnt-kue@1.0.7
    • swc-plugin-component-annotate@1.9.2
    • ts-gaussian@3.0.6

    The malicious JavaScript code (“bundle.js”) injected into each of the trojanized package is designed to download and run TruffleHog, a legitimate secret scanning tool, using it to scan the host for tokens and cloud credentials, such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY.

    “It validates npm tokens with the whoami endpoint, and it interacts with GitHub APIs when a token is available,” Socket said. “It also attempts cloud metadata discovery that can leak short-lived credentials inside cloud build agents.”

    The script then abuses the developer’s credentials (i.e., the GitHub personal access tokens) to create a GitHub Actions workflow in .github/workflows, and exfiltrates the collected data to a webhook[.]site endpoint.

    Developers are advised to audit their environments and rotate npm tokens and other exposed secrets if the aforementioned packages are present with publishing credentials.

    “The workflow that it writes to repositories persists beyond the initial host,” the company noted. “Once committed, any future CI run can trigger the exfiltration step from within the pipeline where sensitive secrets and artifacts are available by design.”

    crates.io Phishing Campaign

    The disclosure comes as the Rust Security Response Working Group is warning of phishing emails from a typosquatted domain, rustfoundation[.]dev, targeting crates.io users.

    The messages, which originate from security@rustfoundation[.]dev, warn recipients of an alleged compromise of the crates.io infrastructure and instruct them to click on an embedded link to rotate their login information so as to “ensure that the attacker cannot modify any packages published by you.”

    The rogue link, github.rustfoundation[.]dev, mimics a GitHub login page, indicating a clear attempt on the part of the attackers to capture victims’ credentials. The phishing page is currently inaccessible.

    “These emails are malicious and come from a domain name not controlled by the Rust Foundation (nor the Rust Project), seemingly with the purpose of stealing your GitHub credentials,” the Rust Security Response WG said. “We have no evidence of a compromise of the crates.io infrastructure.”

    The Rust team also said they are taking steps to monitor any suspicious activity on crates.io, in addition to getting the phishing domain taken down.

    Attack bundle.js Chain compromised credentials npm packages steal Supply
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleUSA Today Enters Its Gen AI Era With a Chatbot
    Next Article Why Suicide Is Called A Preventable Cause Of Death For Emerging Adults
    Techurz
    • Website

    Related Posts

    Opinion

    Corgi, the buzzy Y Combinator-backed insurance tech startup, says it didn’t steal an open source product

    June 26, 2026
    Cyber Reality

    Digital Identity Protection: 7 Hidden Risks Most Users Miss

    May 25, 2026
    Cyber Reality

    Neural Data Policy: 7 Risks That Brain Privacy Laws Miss

    May 25, 2026
    Add A Comment
    Latest Tech Pulse

    College social app Fizz expands into grocery delivery

    September 3, 20252,290

    12 Father’s Day E-Card Sites That Are Actually Good

    June 4, 202523

    SolarSquare in talks to raise up to $60M as India’s rooftop solar market draws major VC interest

    May 23, 202622
    Stay In Touch
    • YouTube
    • WhatsApp
    • Twitter
    • Pinterest
    • LinkedIn

    Techurz helps readers stay ahead of digital change with clear, practical, future focused technology intelligence written today,searched tomorrow.

    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    Company
    • About Us
    • Contact Us
    • Our Authors / Editorial Team
    • Write For Us
    • Advertise
    Policy
    • Editorial Policy
    • Privacy Policy
    • Terms and Conditions
    • Affiliate Disclosure
    • Cookie Policy
    • Disclaimer
    • DMCA
    Explore
    • AI Systems
    • Cyber Reality
    • Future Tech
    • Disruption Lab
    • Signals
    • Tech Pulse
    • Sitemap

    Join the Techurz Brief

    The future does not arrive suddenly.
    Stay ahead with fast, sharp tech signals.

    Type above and press Enter to search. Press Esc to cancel.