Particle.news

Researchers Uncover 'PhantomRaven' Campaign Flooding npm With 126 Credential-Stealing Packages

Researchers say attackers exploited npm's remote dynamic dependencies to hide install-time payloads that steal developer credentials.

Overview

  • Koi Security reports the operation has racked up more than 86,000 downloads since August, with roughly 80 malicious packages still available at disclosure.
  • The packages declare no registry dependencies; instead a dependency specifier points at an attacker-controlled URL, so the payload is fetched from that server during installation and executed by lifecycle hooks such as preinstall.
  • Stolen data includes npm and GitHub tokens, CI/CD secrets, cloud credentials, SSH keys, and other environment variables that could enable follow-on supply-chain compromises.
  • Operators leaned on AI-driven slopsquatting by registering plausible, non-existent package names that coding assistants sometimes suggest, and some uploads impersonated well-known tools.
  • Koi documented multiple exfiltration methods—HTTP GET with encoded data, HTTP POST with JSON, and WebSocket—and published indicators of compromise and a complete package list to aid remediation.
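The two install-time signals the overview describes, a dependency that resolves to a URL rather than the npm registry and a lifecycle hook that runs during install, can both be checked mechanically before `npm install` runs. The script below is an added example, not Koi's tooling or code from the campaign; it audits a `package.json` and a lockfileVersion 2/3 `package-lock.json` for those signals, and goes one step beyond the page by also walking the lockfile so that transitive URL dependencies, which never appear in the top-level manifest, are caught. All sample data is constructed: `sample-helper`, `sample-dep`, `sample-ok` and the host `example.invalid` are placeholders, not indicators from the report.

```javascript
// Added example (not Koi's or npm's code): audit a package.json and a
// package-lock.json for dependencies that resolve to a URL instead of the
// npm registry and for install-time lifecycle scripts. All sample data is
// constructed; example.invalid is a placeholder host, not a real indicator.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const NPM_REGISTRY = 'https://registry.npmjs.org/';

// Specifiers npm fetches from somewhere other than the configured registry.
const REMOTE_SPEC = /^(https?:|git(\+\w+)?:|ssh:|github:|gitlab:|bitbucket:|gist:)/i;
// Bare "owner/repo[#ref]" is GitHub shorthand, also fetched outside the registry.
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/;

function classifySpec(spec) {
  if (typeof spec !== 'string') return 'invalid';
  if (REMOTE_SPEC.test(spec) || GITHUB_SHORTHAND.test(spec)) return 'remote';
  if (/^(file|link):/.test(spec)) return 'local';
  return 'registry'; // semver range, dist-tag, or "npm:" alias
}

// Flag every non-registry dependency and every install-time script in a manifest.
function auditManifest(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'registry') findings.push({ type: 'dependency', field, name, spec, kind });
    }
  }
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push({ type: 'script', hook, cmd: scripts[hook] });
  }
  return findings;
}

// lockfileVersion 2/3 lists every installed package under "packages", with
// "resolved" recording where the tarball came from and "hasInstallScript"
// marking packages whose lifecycle scripts will run. Walking it covers
// transitive dependencies that never appear in the top-level manifest.
function auditLockfile(lock, registry = NPM_REGISTRY) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const fromRegistry = typeof entry.resolved === 'string' && entry.resolved.startsWith(registry);
    if (entry.resolved !== undefined && !fromRegistry) {
      findings.push({ type: 'lock-resolved', path, resolved: entry.resolved });
    }
    if (entry.hasInstallScript === true) {
      findings.push({ type: 'lock-install-script', path, fromRegistry });
    }
  }
  return findings;
}

// Constructed sample manifest: no registry dependencies, one URL dependency,
// one preinstall hook.
const SAMPLE_MANIFEST = {
  name: 'sample-helper',
  version: '1.0.0',
  dependencies: { 'sample-dep': 'http://example.invalid/npm/sample-dep' },
  scripts: { preinstall: 'node setup.js' },
};

// Constructed sample lockfile: one registry package, one URL-resolved package
// that carries an install script.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-helper', version: '1.0.0' },
    'node_modules/sample-ok': { version: '2.0.0', resolved: 'https://registry.npmjs.org/sample-ok/-/sample-ok-2.0.0.tgz' },
    'node_modules/sample-dep': { version: '1.0.0', resolved: 'http://example.invalid/npm/sample-dep', hasInstallScript: true },
  },
};

console.log(JSON.stringify({ manifest: auditManifest(SAMPLE_MANIFEST), lockfile: auditLockfile(SAMPLE_LOCK) }, null, 2));
```

Two caveats apply. This check only catches the URL-dependency trick; a package registered under a plausible slopsquatted name with ordinary semver dependencies passes `classifySpec` as `registry`, so name verification is still needed. And while `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle hooks from running at all, it also breaks packages that legitimately need them, so treat an install-script finding as something to read, not just to block.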