The JavaScript and npm ecosystem has become one of the most aggressively targeted software supply chain environments in modern cybersecurity. With billions of package installations occurring every week, even a tiny percentage of successful malicious installs can translate into thousands of compromised developer machines and production systems. Threat actors have repeatedly abused typosquatting, dependency confusion, and malicious package injection to compromise organizations at scale. However, a newly discovered npm campaign marks a major escalation in sophistication because it combines automated worm-like propagation with Tor-based command-and-control infrastructure, making traditional detection and disruption significantly harder.

In May 2026, researchers identified a malicious npm package named crypto-javascri, intentionally crafted to impersonate the highly popular crypto-js library. The difference between the legitimate and malicious package names was only a single missing character, making the attack difficult to detect during routine dependency reviews. While the package appeared legitimate on the surface and even included working cryptographic implementations such as SHA-256, AES-CBC, HMAC, PBKDF2, and Base64 modules, the real payload was hidden deeper inside the package structure.

How the Malicious Package Entered the npm Ecosystem

The attacker carefully designed the package to resemble a legitimate open-source project. The package contained functional JavaScript code copied almost directly from the real crypto-js library, helping it evade suspicion during superficial code inspection. At the same time, the actor rapidly published more than twenty package versions within hours, creating the appearance of an actively maintained project.

The versioning strategy itself was particularly dangerous. By publishing versions that aligned with the semantic versioning patterns of the legitimate package, including a deliberate jump to 3.0.1, the attacker increased the likelihood that automated dependency resolution systems would accidentally prioritize the malicious package. This type of version manipulation represents an advanced supply chain abuse technique because it exploits how package managers automatically resolve compatible dependency ranges in developer environments.

Three Independent Execution Mechanisms

What made this campaign especially dangerous was the presence of three independent execution paths designed to guarantee malware execution across multiple development environments. The first mechanism was a malicious npm preinstall hook that executed automatically before dependency installation completed. This ensured that the binary executed before developers had visibility into installed dependencies or build outputs.

The second mechanism abused Claude Code session hooks through a malicious .claude/settings.json configuration. Every time a developer opened the affected project in Claude Code, the embedded Rust binary executed silently outside the normal npm lifecycle. The third execution path leveraged Visual Studio Code tasks configured with runOn: folderOpen, causing automatic malware execution as soon as the workspace was opened. Together, these mechanisms created a highly resilient execution chain that increased infection reliability significantly.

Credential Theft and Automated Worm Propagation

Once executed, the Rust binary began harvesting credentials from developer systems. The malware specifically targeted ~/.npmrc files to steal npm authentication tokens and ~/.git-credentials to obtain GitHub personal access tokens. The malware validated the stolen credentials against live npm and GitHub APIs before proceeding further, ensuring only working tokens were used during propagation.

After validating access, the malware enumerated every npm package maintained by the victim and automatically modified those packages to include the malicious implant. The malware downloaded package tarballs, injected malicious lifecycle hooks, repackaged the projects, incremented version numbers, and republished them using the victim’s own npm credentials. Because the publish actions were signed using legitimate maintainer accounts, downstream users would see apparently trusted package updates distributed through official channels.

This self-propagating behavior transformed the attack from a simple credential stealer into a full-scale supply chain worm capable of spreading autonomously across npm maintainer ecosystems.

Tor-Based Command and Control Infrastructure

The final-stage implant revealed even more advanced capabilities. Researchers discovered the malware was built on top of Arti, the official Rust implementation of the Tor protocol. Instead of creating a custom command-and-control framework, the attackers embedded legitimate Tor functionality directly into the malware, helping it blend into legitimate developer tooling environments.

Using Tor hidden services as the malware’s communication channel dramatically increased operational resilience. Traditional security controls that rely on blocking domains, sinkholing IP addresses, or analyzing SSL certificates become far less effective when malware communicates entirely through Tor hidden services. Additionally, the malware contained cloud environment detection logic, credential theft modules targeting cryptocurrency wallets, cryptomining configuration capabilities, persistence mechanisms using user-level systemd services, and staged payload delivery chains using compressed Python droppers and Linux privilege escalation shellcode.

Persistence, Evasion, and Linux Targeting

The malware established persistence by copying itself into hidden user-level directories and creating malicious systemd user services configured with automatic restart behavior. It also timestomped file metadata to resemble legitimate system binaries, reducing forensic visibility during incident response. Interestingly, the malware specifically targeted Linux developer systems and CI/CD environments, indicating a strategic focus on high-value infrastructure where npm and GitHub credentials are commonly stored.

Another sophisticated aspect was the use of AF_ALG Linux kernel crypto sockets for payload delivery, which allowed parts of the malware communication chain to bypass traditional network monitoring tools entirely. Combined with Tor-based infrastructure and trusted package propagation, this attack demonstrated an unusually mature understanding of both developer workflows and enterprise detection blind spots.

Our Opinion on This Campaign

This incident represents one of the clearest warnings yet that software supply chain attacks are evolving beyond simple malicious packages into fully autonomous malware ecosystems. The combination of typosquatting, credential theft, automated package republishing, Tor-based command-and-control infrastructure, and CI/CD targeting reflects a major shift toward scalable developer-focused cyber warfare. Unlike traditional malware campaigns that target end users, this attack directly weaponized trust relationships within open-source software distribution systems.

What makes this campaign particularly alarming is not only its technical sophistication but also its operational efficiency. The malware removed the need for centralized attacker infrastructure during propagation by abusing legitimate maintainer credentials. That means defenders can no longer rely solely on detecting suspicious external infrastructure because the compromise itself spreads through trusted developer accounts and official package registries.

In our view, organizations using npm at scale must immediately strengthen dependency governance policies, implement mandatory package verification, enforce hardware-backed MFA for package publishing, and continuously monitor CI/CD environments for abnormal lifecycle hooks and hidden execution paths. Security teams should also begin treating developer workstations as high-value infrastructure assets rather than standard employee endpoints. This campaign demonstrates that a single compromised maintainer machine can rapidly cascade into a large-scale supply chain breach affecting thousands of downstream systems globally.