Overview
- Security firm Socket found more than 34 malicious packages and about 384 related versions published across npm, PyPI, and Crates.io in a coordinated campaign that began May 22.
- The malware is designed to harvest high-value secrets such as crypto wallet files, browser wallet data, SSH keys, AWS and GitHub tokens, and other API credentials.
- Attackers used ecosystem-specific execution paths to run payloads and establish persistence: npm postinstall hooks, Python packages that hand execution off to remote JavaScript at import time, and Rust build.rs scripts.
- The operation embedded hidden instruction files like .cursorrules and CLAUDE.md to trick AI coding assistants into performing fake 'security scans' that expose secrets.
- Socket reported rapid detections (median about 5 minutes 27 seconds, fastest under a minute), said removals and mitigations were ongoing, and has not attributed the campaign to any actor.
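The install-time and AI-assistant tricks listed above all leave file-level traces in the package itself, which makes a pre-install triage pass cheap. The script below is an added illustration, not Socket's tooling or code from the campaign: it walks an unpacked package directory and flags npm lifecycle hooks in package.json, a Rust build.rs, shipped .cursorrules or CLAUDE.md files, and Python modules that hand off to node at import time. The regex heuristic for the Python case and the sample package it builds are constructed for this example; the function names are assumptions and none of this is proof of malice on its own.

```python
"""Heuristic pre-install triage of an unpacked package directory (added example)."""
import json
import os
import re
import tempfile

# Instruction files that AI coding assistants read; unusual inside a library package.
AI_INSTRUCTION_FILES = {".cursorrules", "CLAUDE.md"}
# npm lifecycle scripts that execute at install time.
NPM_INSTALL_HOOKS = {"preinstall", "install", "postinstall"}
# Crude marker (constructed heuristic) for Python code that spawns a node process.
PY_REMOTE_JS = re.compile(r"\b(subprocess|os\.system)\b.*\bnode\b")


def scan_package_dir(root):
    """Walk `root` and return a list of (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == "package.json":
                try:
                    with open(path, encoding="utf-8") as fh:
                        scripts = json.load(fh).get("scripts", {})
                except (ValueError, OSError):
                    continue
                # Only the hooks that run on install are interesting; 'test' etc. are not.
                for hook in sorted(NPM_INSTALL_HOOKS & set(scripts)):
                    findings.append((rel, f"npm lifecycle hook '{hook}': {scripts[hook]}"))
            elif name == "build.rs":
                findings.append((rel, "Rust build script executes during cargo build"))
            elif name in AI_INSTRUCTION_FILES:
                findings.append((rel, "AI assistant instruction file shipped inside a package"))
            elif name.endswith(".py"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if PY_REMOTE_JS.search(line):
                            findings.append((rel, f"line {lineno}: Python spawns node (possible import-time hand-off)"))
    return findings


def build_sample_package():
    """Create a constructed (fake) package tree showing each pattern; returns its path."""
    root = tempfile.mkdtemp(prefix="pkg-triage-")
    os.makedirs(os.path.join(root, "rustcrate"))
    os.makedirs(os.path.join(root, "pymod"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "example-pkg",
                   "scripts": {"postinstall": "node setup.js", "test": "jest"}}, fh)
    with open(os.path.join(root, "rustcrate", "build.rs"), "w", encoding="utf-8") as fh:
        fh.write("fn main() {}\n")
    with open(os.path.join(root, ".cursorrules"), "w", encoding="utf-8") as fh:
        fh.write("# constructed sample instruction file\n")
    with open(os.path.join(root, "pymod", "__init__.py"), "w", encoding="utf-8") as fh:
        fh.write("import subprocess\nsubprocess.run(['node', 'helper.js'])\n")
    return root


if __name__ == "__main__":
    for rel_path, reason in scan_package_dir(build_sample_package()):
        print(f"{rel_path}: {reason}")
```

Run it against a directory produced by `npm pack`, `pip download` plus extraction, or `cargo vendor` before the code is built or installed; the point is to surface install-time execution and assistant-facing files for review, not to decide automatically.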