Attacks Per Year
Open source and commercial incidents separated to show when each side accelerates.
Research
A reverse-chronological exploration of software supply-chain attacks across open-source ecosystems and commercial software. The chronology is built from structured incident data and optimized for spotting how attacker tradecraft shifts over time.
Where the compromise first showed up: registry, distribution channel, build system, revision control, or dependency graph.
Where malicious behavior entered the chain: source, build, release, distribution, or runtime.
Chronology
Each month sits on the central rail with open-source incidents on the left and commercial software compromises on the right. Attack titles are direct links to their incident pages.
The mistralai Python package version 2.4.6 contained an import-time Linux backdoor in src/mistralai/client/__init__.py. The added code downloaded https://83.142.209.194/transformers.pyz with curl -k, saved it to /tmp/transformers.pyz, and executed it as a background Python process when users imported mistralai, guarded only by the MISTRAL_INIT environment variable and silently swallowing errors. JFrog later reported that the remote payload changed from TeamPCP attribution text into a Python credential stealer that harvested local, cloud, Kubernetes, Vault, password-manager, and developer-tooling secrets, exfiltrated encrypted data, and could install pgsql-monitor persistence with destructive second-stage behavior.
TeamPCP's Mini Shai-Hulud worm compromised the TanStack Router release pipeline by chaining a pull_request_target "Pwn Request" pattern, GitHub Actions cache poisoning, and runtime extraction of a GitHub Actions OIDC trusted-publisher token from runner memory. On 2026-05-11 between 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* npm packages were published with a malicious optional dependency on an orphan git commit. The install-time payload harvested cloud, Kubernetes, Vault, GitHub, npm, and SSH credentials, exfiltrated over the Session/Oxen network, and attempted self-propagation by republishing packages maintained by victims.
Shai-Hulud: Here We Go Again was a May 2026 TeamPCP campaign affecting more than 170 npm packages and 2 PyPI packages with a combined package download volume above 200 million per week. This record tracks the broader npm campaign and the guardrails-ai PyPI package, beyond the separately tracked TanStack Router npm and mistralai PyPI incidents. The npm payload used preinstall loaders, Bun, GitHub Actions OIDC and runner-memory secret extraction, cloud, Kubernetes, Vault, local, and password-manager credential harvesting, GitHub and Session/Oxen exfiltration, npm self-propagation, and a destructive GitHub-token revocation monitor.
A modified Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace as version 2026.5.09. Checkmarx advised users to avoid the malicious release and remain on version 2.0.13-829.vc72453fa_1c16 or earlier, keeping CI pipelines off the poisoned plugin until a clean build was available.
Attackers compromised the jdownloader.org CMS and replaced selected installer links with redirects to malicious third-party binaries. The Windows alternative installer and Linux shell installer were affected; signed in-app updates and third-party mirrors were not. Probing began around May 5, 2026, full manipulation started May 6, and the site returned with verified clean links on May 8-9.
The Mini Shai-Hulud campaign compromised the lightning PyPI package, with malicious versions 2.6.2 and 2.6.3 bundling a hidden _runtime directory. On import, the package started a daemon thread that downloaded the Bun JavaScript runtime from GitHub and executed an 11 MB obfuscated _runtime/router_runtime.js payload. StepSecurity reported credential theft, environment and cloud secret harvesting, GitHub API exfiltration through victim credentials, and npm tarball poisoning on the developer machine.
The Mini Shai-Hulud campaign expanded into the PHP ecosystem by compromising the official intercom/intercom-php package on Packagist. Attackers compromised a maintainer account to overwrite existing legitimate versions. The malicious code was converted into a Composer plugin to execute automatically during installation, downloading the Bun runtime to execute an obfuscated payload that exfiltrated GitHub tokens, SSH keys, cloud credentials, and .env files to zero.masscan.cloud.
The Mini Shai-Hulud/TeamPCP campaign compromised the official intercom-client package on npm. The malicious 7.0.4 release was published on April 30, 2026 at 14:41 UTC via a hijacked GitHub Actions OIDC publishing pipeline and introduced a preinstall hook, setup.mjs loader, and 11.7 MB obfuscated router_runtime.js payload. The payload used Bun v1.3.13, daemonized itself, harvested GitHub, npm, AWS, GCP, Azure, private-key, and generic API credentials, exfiltrated via GitHub private repositories under victim accounts, and attempted worm-style propagation through stolen npm publishing tokens.
Mini Shai-Hulud compromised SAP ecosystem npm packages mbt, @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service through two release paths: a stolen static npm token for mbt and an abused GitHub Actions OIDC publishing flow for cap-js/cds-dbs. The malicious releases ran a Bun-based credential stealer, exfiltrated encrypted secrets through attacker-created GitHub repositories, added IDE persistence through Claude Code and VS Code hooks, injected repository-secret stealing workflows, and attempted propagation through stolen npm tokens.
An attacker exploited a GitHub Actions script-injection flaw in elementary-data's issue-update workflow to forge release state, tag v0.23.3 at an orphan commit, and dispatch the legitimate release pipeline. That pipeline published elementary-data==0.23.3 to PyPI and pushed compromised GHCR images tagged 0.23.3 and latest. The artifacts used a Python .pth file to execute at interpreter startup, unpack a multi-stage credential stealer, collect local, cloud, container, Kubernetes, package-manager, wallet, and system secrets, and exfiltrate them as trin.tar.gz.
TeamPCP compromised three consecutive xinference PyPI releases, 2.6.0 through 2.6.2, by adding an import-time two-stage Python credential stealer to xinference/__init__.py. The attacker iterated the trigger across releases but kept the same core behavior: collect SSH keys, environment variables, cloud and Kubernetes credentials, package-manager tokens, CI/CD files, shell history, and wallet material, then archive and exfiltrate the results to attacker infrastructure. The incident is notable for its rapid multi-version refinement and for sharing TeamPCP markers and injection patterns with the LiteLLM and Telnyx compromises.
The official Bitwarden CLI npm package (@bitwarden/cli) version 2026.4.0 was compromised during the broader Checkmarx/TeamPCP supply-chain campaign after attackers abused a GitHub Actions path in Bitwarden's CI/CD pipeline. The malicious package included a bw1.js payload that shared infrastructure with the Checkmarx campaign, harvested GitHub, npm, cloud, SSH, environment, Claude, and MCP credentials, exfiltrated to audit.checkmarx.cx and GitHub commit-based dead drops, and attempted npm/GitHub supply-chain propagation with injected install hooks and workflow files.
A registry-only malicious release of @velora-dex/sdk 9.4.1 was published to npm with no matching source commit. Instead of using an install hook, the attacker prepended code to the package entry point so importing the SDK downloaded and installed a macOS backdoor with launchctl persistence. The change was limited to package metadata and dist/index.js compared with the clean 9.4.0 tarball, making --ignore-scripts ineffective because execution moved from install time to first runtime import.
In a second wave of the Checkmarx supply-chain incident, attackers published malicious tags for the public KICS DockerHub image. Checkmarx reported that the affected image tags were present on DockerHub on April 22, 2026, extending the campaign from source and CI assets into container distribution.
The official CPUID download page was hijacked by compromising a secondary API to redirect legitimate download requests for HWMonitor (v1.63) and CPU-Z to a malicious Cloudflare R2 bucket. The downloaded archive contained a malicious cryptbase.dll that was sideloaded by the legitimate executable. This initiated a sophisticated five-stage in-memory execution chain to deploy the STX RAT infostealer, which harvested browser credentials, session cookies, crypto wallet keys, and VPN/FTP credentials.
Attackers compromised official installers for DAEMON Tools, a popular disk-imaging application, to distribute multi-stage malware. The infection chain included an information collector and a complex "QUIC RAT" backdoor, which was used for targeted espionage against government and scientific organizations globally.
A direct npm account takeover of the lead maintainer bypassed OIDC trusted publishing and turned a routine axios release into an installation-time trap. Version 1.14.1 carried a malicious postinstall hook that pulled a multi-platform RAT through node_modules/plain-crypto-js, letting dependency resolution become the quiet delivery rail for remote access.
TeamPCP compromised Telnyx Python SDK releases 4.87.1 and 4.87.2 by adding import-time malware to the PyPI artifacts. The payload hid a second-stage credential stealer inside WAV audio data, collected developer, cloud, package-manager, and wallet secrets, encrypted them with the same TeamPCP RSA/AES scheme seen in LiteLLM, and exfiltrated them as tpcp.tar.gz. Version 4.87.2 also repaired a Windows branch intended to decode and persist a PE backdoor. The case stands out for using audio steganography inside a legitimate communications SDK package.
A dormant IoliteLabs Visual Studio Marketplace publisher account was used to update three Solidity extensions to version 0.1.8 after nearly eight years of inactivity, with no matching source repository commits. The VSIX packages replaced the original language-server behavior with startup activation and hid the backdoor in a bundled copy of the pako dependency. The payload delivered Windows and macOS backdoors with persistence and exfiltration behavior; the Linux extension loaded the tampered dependency but did not contain an active Linux execution branch. The incident shows how dormant publisher accounts and vendored dependencies can hide malicious extension code away from the declared entry point.
TeamPCP compromised LiteLLM PyPI releases 1.82.7 and 1.82.8 with a credential-stealing payload that evolved from a proxy-module trigger to a wheel-level .pth file executed by Python at interpreter startup. The malware harvested environment, SSH, cloud, Kubernetes, package-manager, CI/CD, and wallet secrets, encrypted the archive with a TeamPCP RSA/AES scheme, and exfiltrated it as tpcp.tar.gz. It also attempted user-level persistence and, where Kubernetes permissions allowed, deployed privileged pods to backdoor cluster nodes. The incident is historically important as a stealthy Python-packaging abuse case where the second release executed even when LiteLLM itself was never imported.
TeamPCP's CanisterWorm campaign backdoored @opengov/form-builder 0.12.3 after npm publishing credentials were stolen through the second Trivy compromise. The malicious release added a postinstall payload that installed a persistent Python implant and polled an Internet Computer canister C2. The worm harvested npm publishing tokens, enumerated packages the victim could publish, bumped patch versions, injected the same payload, and republished with the latest tag. Follow-on capability included Kubernetes DaemonSet deployment that varied by geolocation and cluster context.
After incomplete containment of the February Trivy takeover, compromised credentials were used to publish malicious Trivy v0.69.4 artifacts, force-push most trivy-action version tags, and replace setup-trivy tags with credential-stealing commits. The payloads read GitHub Actions runner memory and process environments, collected developer and cloud secrets, encrypted the data, and exfiltrated to the typosquatted domain scan.aquasecurtiy.org or fallback public tpcp-docs repositories. Compromised Docker Hub images followed on March 22. Aqua deleted affected tags, released fixed action versions, and published GHSA-69fq-xp46-6x23 / CVE-2026-33634.
An attacker controlling the astroonauta npm account published malicious react-native-international-phone-number releases without matching GitHub releases, tags, or workflow runs. The first wave used a direct preinstall hook; later releases hid the same malware behind a dependency chain through @agnoliaarisian7180/string-argv and @usebioerhold8733/s-format. The final chain executed a detached JavaScript loader using a Solana wallet dead-drop C2, RPC fallbacks, geofiltering, encrypted payload delivery, and a local rate-limit file. The incident is notable for the attacker returning after disclosure and switching from obvious install hooks to transitive delivery.
The astroonauta npm account takeover also compromised react-native-country-select, a direct dependency of react-native-international-phone-number. The first malicious release used a visible preinstall hook; after deprecation, the attacker retained access and republished through a transitive dependency chain that resolved to @usebioerhold8733/s-format. That chain executed the same detached JavaScript malware and Solana blockchain C2 used in the first wave. During the incident, @latest resolved to compromised 0.4.2, exposing users of both packages.
A registry-only malicious release of bittensor-wallet 4.0.2 was uploaded to PyPI and later yanked. The backdoor was compiled into the Rust wallet code so wallet decryption paths exposed coldkey and hotkey material directly to the payload. It used sandbox checks, encrypted stolen key data with an attacker public key, deduplicated repeated unlocks, and exfiltrated through HTTPS, DNS lookups, and DNS tunneling. The release also removed bundled artifact-attestation workflow steps, making it harder to compare the PyPI artifact against the legitimate source release.
The Glassworm threat actor published malicious versions of @iflow-mcp/watercrawl-watercrawl-mcp with payloads hidden by invisible Unicode characters. The package kept the shape of a normal MCP dependency while concealed code executed credential stealers, letting source text itself become camouflage for supply-chain intrusion.
The Glassworm threat actor published a malicious version of @aifabrix/miso-client using invisible Unicode malware. The payload used PUA (Private Use Area) Unicode characters to hide the malicious script, which executed a second-stage payload (often delivered via Solana) to steal tokens and exfiltrate secrets.
ForceMemo was a GitHub account-takeover campaign that force-pushed similar malware into hundreds of Python repositories across Django apps, ML research, Streamlit dashboards, Flask APIs, and projects installed directly from GitHub. The attacker preserved legitimate commit authorship and messages while appending an obfuscated Python loader to common entry points. The malware used the shared marker lzcdrtfxyqiplpd, avoided Russian/CIS systems, and pulled encrypted follow-on instructions through a Solana memo wallet. This grouped record captures the campaign because the affected set was a moving GitHub code-search population rather than a stable package list.
An attacker exploited a Pwn Request flaw in kubernetes-el's GitHub Actions workflow: pull_request_target ran with target-repository privileges and then checked out attacker-controlled PR code. The payload stole repository tokens and secrets, then used the token to push directly to master as github-actions[bot], deface the README, replace kubernetes.el with a destructive command that would run when loaded, and delete most repository files. MELPA removed the package and Emacsmirror updates were blocked, limiting downstream distribution.
The Glassworm threat actor compromised the pedronauck/reworm GitHub repository and blended malicious code into realistic-looking commits. Invisible PUA Unicode characters hid the payload from casual review, making the repository appear ordinary while its source carried credential-stealing logic beneath the text.
Attackers gained access to Checkmarx repositories and injected credential-harvesting code into the public KICS GitHub Action. This record is dated by Checkmarx's official March 2026 exposure window. Third-party analysis described tag poisoning with malicious setup.sh changes, runner-memory and cloud-secret theft, encrypted exfiltration to checkmarx.zone, and attempted systemd or Kubernetes persistence.
Malicious versions of the Checkmarx Developer Assist VS Code extension were published during the Checkmarx supply-chain incident. Checkmarx reported an Open VSX malicious version 1.7.0 on March 23, 2026 and later malicious versions 1.17 and 1.19 on April 22, 2026 across Microsoft Marketplace and Open VSX windows.
Malicious versions of the Checkmarx AST Results VS Code extension were published through third-party extension marketplaces during the Checkmarx supply-chain incident. Checkmarx reported an Open VSX malicious version 2.53.0 on March 23, 2026 and later malicious versions 2.63 and 2.66 on April 22, 2026 across Microsoft Marketplace and Open VSX windows.
Attackers gained unauthorized access to Checkmarx GitHub repositories via the TeamPCP/Trivy supply-chain compromise and injected credential-harvesting payloads into the public AST GitHub Action. Checkmarx reported a March 23, 2026 exposure window for the GitHub Action and, on April 22, 2026, a second affected ast-github-action tag, 2.3.35.
Compromised Xygeni maintainer and GitHub App credentials were used to open malicious pull requests against xygeni/xygeni-action, but branch protections blocked the changes from merging. The attacker instead moved the mutable v5 tag to a malicious PR commit, so workflows pinned to xygeni/xygeni-action@v5 could execute a reverse-shell backdoor without any workflow-file change. Xygeni removed the poisoned tag, rotated credentials, removed the compromised app, and enabled tag protections and release immutability. The vendor reported no main-branch, SaaS, customer-data, or confirmed customer CI compromise.
The hackerbot-claw account exploited a pull_request_target workflow in aquasecurity/trivy to run untrusted fork code with repository privileges. The stolen token was used to push directly to the repository, vandalize the README, temporarily privatize and rename the project, replace it with an empty repository, delete release assets from v0.27.0 through v0.69.1, and publish a suspicious Trivy VS Code extension artifact. Aqua restored the repository, revoked publishing tokens, removed the vulnerable workflow, and republished v0.69.2 while rebuilding release assets.
ts-bign 1.2.8 was one of the malicious npm packages embedded in a fake Polymarket trading bot hosted under the hijacked dev-protocol GitHub organization. The package posed as numeric-library plumbing but pulled in levex-refa, a transitive file stealer that searched for environment files, Solana keypairs, and trading-bot configuration, then exfiltrated them with local user and IP metadata. The case is historically useful because the scam bot still called real Polymarket APIs, making the theft path look like a functional trading tool.
big-nunber 5.0.2 was embedded in the same fake Polymarket trading bot hosted under the hijacked dev-protocol GitHub organization. It typosquatted bignumber.js but depended on lint-builder, which ran during npm install and at runtime to fetch instructions, steal files, fingerprint the host, and set up SSH access by taking ownership of ~/.ssh and opening port 22. The package combined credential theft with remote-access preparation while the bot continued to appear operational.
An unauthorized party used an exposed npm publish token to publish cline@2.3.0. The release was byte-identical to cline@2.2.3 except for a postinstall script that globally installed the unrelated openclaw package. Cline reported no malicious code delivery, user-data access, source-code compromise, or VS Code/OpenVSX/JetBrains extension compromise. The exposed token traced back to a vulnerable AI-powered issue-triage workflow that had been removed but whose npm credential was not revoked. Maintainers deprecated 2.3.0, published clean 2.4.0, and revoked the token.
Attackers compromised the legitimate eScan antivirus update infrastructure to distribute a trojanized version of Reload.exe (32-bit). This component dropped a persistent downloader (CONSCTLX.exe) that used scheduled tasks, registry modifications, and hosts file tampering to block remote updates and evade remediation while maintaining backdoor access.
The Sha1-Hulud "Second Coming" npm worm compromised Zapier packages across the @zapier scope and unscoped zapier-platform packages. Affected releases used a preinstall hook to invoke Bun and run an obfuscated credential stealer that harvested GitHub, npm, cloud, and local environment secrets, exfiltrated them through public GitHub repositories, attempted npm self-propagation, and registered a self-hosted GitHub Actions runner for persistence. The incident affected core Zapier platform and SDK packages.
Sha1-Hulud "Second Coming" was a broad npm worm wave that compromised hundreds of packages beyond the separately tracked Zapier and ENS ecosystems, including major scoped groups such as @asyncapi, @posthog, @postman, @voiceflow, and @browserbasehq. The malicious releases invoked Bun from preinstall hooks, harvested GitHub, npm, cloud, local, and TruffleHog-discovered secrets, exfiltrated through public GitHub repos labeled "Sha1-Hulud: The Second Coming", attempted npm self-propagation, installed a self-hosted GitHub Actions runner, and could shred writable home files on non-CI Linux hosts. StepSecurity reported more than 21,000 public exfiltration repositories early in the incident.
The Sha1-Hulud "Second Coming" npm worm compromised many Ethereum Name Service packages, including @ensdomains/ensjs, @ensdomains/ens-contracts, @ensdomains/ens-validation, ethereum-ens, and supporting ENS libraries. Affected releases invoked Bun from a preinstall hook and ran an obfuscated payload that harvested GitHub, npm, cloud, and local secrets, exfiltrated them through public GitHub repositories, attempted npm propagation, registered a self-hosted GitHub Actions runner, and included destructive behavior on non-CI Linux hosts.
The Glassworm threat actor published a malicious version of the quartz.quartz-markdown-editor VS Code extension. Its payload was concealed with invisible PUA Unicode characters, hiding credential-theft logic in plain source view while the extension worked as a quiet collector of authentication tokens and secrets.
An attacker targeted a shared repository (angulartics2) where the maintainer had admin rights. They pushed a malicious branch (Shai-Hulud) containing a GitHub Actions workflow that immediately ran, exfiltrating a static npm token with broad publish rights. The attacker then published malicious versions of approximately 20 packages, including @ctrl/tinycolor, containing a malicious postinstall script.
The Shai-Hulud self-propagating worm compromised several official @crowdstrike/ scoped npm packages as part of a broader 526-package wave. This record tracks the CrowdStrike package scope specifically. The malware hunted for GITHUB_TOKEN, NPM_TOKEN, and cloud credentials by executing TruffleHog, then propagated by hijacking publish rights to inject malicious postinstall scripts and republish affected packages.
The duckdb_admin npm account was compromised via a phishing email linking to a cloned npmjs site (npmjs.help), allowing attackers to bypass 2FA and inject a new API token. The attackers published malicious versions of DuckDB packages containing a wallet-drainer payload, attributed to the same threat actor behind the Qix compromise.
Attackers phished prolific npm maintainer Josh Junon (Qix) with the fake npmjs.help domain, intercepted credentials and 2FA tokens, and published malicious versions of this package. The payload combined a crypto-clipper with a self-propagating worm that harvested cloud and GitHub tokens. The danger was scale; tiny utility packages sat inside tens of millions of weekly installs.
GitGuardian disclosed on 2025-09-05 that an attacker had injected malicious workflow files named "Github Actions Security" into 817 repositories across 327 GitHub user accounts. The injected workflows enumerated the specific secret variable names referenced by each repo's legitimate CI/CD pipelines and exfiltrated them via HTTP POST to `bold-dhawan.45-139-104-115.plesk.page` (45.139.104.115). In total, 3,325 secrets were stolen, including PyPI and npm publishing tokens, DockerHub credentials, GitHub PATs, AWS access keys, database credentials, and Cloudflare API tokens. Twenty-four downstream packages (9 npm, 15 PyPI) were left at immediate risk of follow-on supply-chain compromise via the stolen publishing credentials.
The s1ngularity incident began with a vulnerable Nx GitHub Actions workflow that combined pull_request_target privileges with shell injection in pull-request metadata. The attacker used it to trigger publish.yml, run a malicious commit that leaked the npm token, and publish 19 malicious nx and @nx package versions. The postinstall payload harvested developer, GitHub/npm, SSH, environment, and wallet secrets, used local AI CLI tools to help find sensitive files, and exfiltrated data through public s1ngularity-repository GitHub repos. It also appended a shutdown command to shell startup files. Nx Console VS Code versions 18.63.x-18.65.x widened exposure by running nx@latest during the malicious publish window.
Attackers used the lookalike pypj.org domain to phish PyPI maintainers, steal credentials and 2FA codes, create a new API token, and upload malicious num2words releases. The first suspicious release, 0.5.15, appeared on PyPI without a matching GitHub tag, commit, or release. The later GitHub advisory confirmed that both 0.5.15 and 0.5.16 contained malware and were removed from PyPI. The incident is part of the broader Scavenger-era maintainer phishing wave.
A threat actor exploited an inappropriately scoped GitHub token in the extension's CodeBuild configuration to commit malicious code into the open-source repository. This code was automatically included in the version 1.84.0 release. Fortunately, the malicious code failed to execute due to a syntax error.
StepSecurity confirmed snyckit 0.11.9 as one of the npm packages affected by the July 2025 npnjs.com maintainer phishing campaign. The attacker used a phished maintainer credential path to publish malicious releases directly to npm without corresponding source repository changes. In the eslint-config-prettier cluster, the malicious package family executed install.js during installation and launched a bundled Windows DLL through rundll32 on Windows systems.
StepSecurity confirmed @pkgjs/core 0.2.8 as one of the npm packages affected by the July 2025 npnjs.com maintainer phishing campaign. The attacker used a phished maintainer credential path to publish malicious releases directly to npm without corresponding source repository changes. In the eslint-config-prettier cluster, the malicious package family executed install.js during installation and launched a bundled Windows DLL through rundll32 on Windows systems.
StepSecurity confirmed napi-postinstall 0.3.1 as one of the npm packages affected by the July 2025 npnjs.com maintainer phishing campaign. The attacker used a phished maintainer credential path to publish malicious releases directly to npm without corresponding source repository changes. In the eslint-config-prettier cluster, the malicious package family executed install.js during installation and launched a bundled Windows DLL through rundll32 on Windows systems.
Attackers running the npnjs.com npm phishing campaign hijacked an old maintainer account for the popular is package and used social engineering to regain package access: after the compromised old maintainer was removed, the attacker convinced current maintainers that npm had removed the account for missing 2FA, leading the account to be re-added. On July 19, 2025, the attackers published is 3.3.1 and 5.0.0. Reporting on the broader campaign describes the payload family as Scavenger, a cross-platform JavaScript loader that stole browser data, environment variables, and SSH keys and established an interactive remote shell via WebSocket.
As part of the expanding npm maintainer phishing campaign using the npnjs.com domain, attackers published rogue got-fetch 5.1.11 and 5.1.12 releases. StepSecurity's eslint-config-prettier incident update cited Checkmarx reporting that this package used a different Windows-focused payload than the earlier node-gyp.dll packages: the Pycoon information stealer delivered via crashreporter.dll. The malicious releases were deprecated, and the package was later marked deprecated on npm.
The same npnjs.com npm maintainer phishing campaign that compromised eslint-config-prettier also compromised eslint-plugin-prettier. StepSecurity confirmed eslint-plugin-prettier 4.2.2 and 4.2.3 as affected versions after maintainer JounQin reported that a phishing email led to a malicious npm token being added and used to publish compromised releases. The malicious package family executed install.js during installation and launched a bundled Windows DLL through rundll32 on Windows systems.
A phishing campaign targeting npm maintainers through the typosquatted npnjs.com domain compromised eslint-config-prettier. The attacker added a malicious npm token to maintainer JounQin's account and published eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 directly to npm without matching GitHub source changes. The malicious package executed install.js during installation and, on Windows hosts, launched bundled node-gyp.dll with rundll32. NVD assigned CVE-2025-54313 to the eslint-config-prettier compromise. Related packages from the same campaign are tracked separately in their own records.
Beginning 2025-06-06 at 16:33 EST, an attacker who obtained a Gluestack publishing token pushed malicious updates to 17 packages across the @gluestack-ui and @react-native-aria scopes — starting with @react-native-aria/focus 0.2.10 and continuing over the next ~36 hours. The payload was appended to `lib/index.js` after large blocks of whitespace and acted as a remote-access trojan capable of running shell commands, file upload/download, and on Windows hijacking Python by editing PATH. Combined weekly downloads exceeded one million. Aikido Security identified the backdoor on 2025-06-08 and Gluestack revoked the token.
Attackers compromised Notepad++ update infrastructure at the hosting provider layer and distributed malicious update.exe files through the trusted update path. Between June and October 2025, the operation delivered Cobalt Strike Beacons and Chrysalis backdoors to selected organizations in specific regions.
Attackers compromised the NPM account of the maintainer and published malicious versions of the rand-user-agent package. The compromised versions contained obfuscated code that installed a Remote Access Trojan (RAT), which established a connection to a command-and-control server. The malware could execute arbitrary commands, upload files from victims' machines, and modify the PATH environment variable to hijack Python execution.
Five malicious versions of the official Ripple JavaScript SDK were published to npm starting 2025-04-21 at 20:53 UTC by user `mukulljangid` after a maintainer credential compromise. The backdoor exfiltrated wallet seed phrases, mnemonics, and private keys via HTTP POST to `0x9c.xyz/xc` whenever Wallet objects were instantiated or derived. Early versions (4.2.1-4.2.2) injected the payload into compiled JavaScript; later versions (4.2.3-4.2.4) added it to TypeScript source so the backdoor compiled cleanly into builds. Aikido Intel detected the publishes and Ripple released clean v4.2.5 within ~24 hours.
A sophisticated backdoor was distributed disguised as updates for ViPNet, a secure networking software suite by InfoTeCS used in Russia. Attackers crafted update archives that, when processed by the ViPNet update service component, would execute a malicious loader and deploy a versatile backdoor.
A maintainer's personal access token (PAT) with repository write access was leaked from a compromised development environment. This potentially allowed attackers to modify the code of several `tj-actions`, including `changed-files`, used in GitHub Actions workflows. Such modifications could exfiltrate secrets or execute malicious code within users' CI/CD pipelines.
Attackers compromised a contributor's Personal Access Token (PAT), traced back to an earlier leak from the SpotBugs project, which granted write access. They maliciously updated the `v1` tag of the official `reviewdog/action-setup` GitHub Action to point to malicious code (`f0d342d`). For approximately 2 hours, workflows using `@v1` executed this code, which dumped secrets (like GITHUB_TOKEN) from the runner environment into publicly accessible workflow logs. This incident was a precursor, enabling the compromise of the `tj-actions/changed-files` action.
An attacker compromised a Kong DockerHub Personal Access Token (PAT), likely via a CI/CD pipeline exploit ("Pwn Request" targeting an old branch). Using this token, they uploaded a malicious version of the official Kong Ingress Controller container image (v3.4.0) directly to DockerHub. This malicious image contained an XMRig cryptominer configured to mine Monero using the resources of clusters that pulled and ran the compromised image.
On 2024-12-19, the same day as the @rspack/core compromise and likely by the same actor, ten versions of the Chinese-origin Vue UI library `vant` were published to npm with obfuscated XMRig cryptojacking code beaconing to `80.78.28.72/tokens`. The compromise spanned three release lines (v2, v3, v4) — versions 2.13.3-2.13.5, 3.6.13-3.6.15, and 4.9.11-4.9.14 — leveraging a stolen npm publishing token. The maintainers released clean v4.9.15. Vant had ~46,000 weekly downloads at the time of the attack.
On 2024-12-19 at 02:01 UTC, an attacker with a compromised npm publishing token released v1.1.7 of `@rspack/core` and `@rspack/cli` containing heavily obfuscated postinstall code that fetched configuration from `80.78.28.72/tokens`, collected geolocation via ipinfo.io, and dropped XMRig configured to use 75% of CPU threads to mine Monero. Combined weekly downloads exceeded 500,000 (`@rspack/core` ~394k, `@rspack/cli` ~145k). The maintainers published v1.1.8 the same day removing the malicious code and deprecated v1.1.7. Sonatype linked it to a same-day vant compromise as likely the work of the same actor.
Attackers exploited a vulnerability in the project's GitHub Actions CI/CD workflow (combining `pull_request_target` trigger with command injection via unsanitized branch names). This allowed them to execute arbitrary code during the build/publish process and upload malicious versions of the official `ultralytics` package directly to PyPI. These compromised versions contained an XMRig cryptominer. Several malicious versions were published over a few days before being detected and removed.
Attackers compromised an NPM publish-access account, reportedly via spear-phishing a maintainer. They published malicious versions (1.95.6, 1.95.7) of the widely used `@solana/web3.js` package to NPM. The injected code captured private keys handled by dependent applications (especially bots or backend systems) and exfiltrated them to an attacker's server (`sol-rpc.xyz`), enabling cryptocurrency theft estimated around $160k USD.
ProColor, a UV printer manufacturer, distributed official drivers and software that contained malware through its website and USB drives provided with printers. The malware (XRedRAT backdoor, SnipVex clipboard bitcoin stealer, and Floxif file infector) affected multiple printer models, allowing file infections, cryptocurrency theft, and potential remote access to infected systems.
The lottie-player npm package was compromised when attackers gained access to a developer's access token. They published three malicious versions (2.0.5, 2.0.6, 2.0.7) that prompted users to connect their Web3 wallets, enabling theft of cryptocurrency assets. The compromised versions were distributed via CDNs, affecting users who hadn't pinned specific versions.
ScarCruft (APT37) compromised the sqgame gaming platform's website to distribute trojanized Android APKs and a malicious Windows update package. The campaign, active since late 2024, utilized the BirdCall backdoor and RokRAT downloader to steal personal data and perform surveillance on ethnic Koreans in China.
Malicious code was injected directly into the Wrapper Link Element plugin repository on WordPress.org. The malware created a new administrative user account (Options or PluginAuth) to gain full administrative control over affected sites and injected malicious JavaScript into website footers to generate SEO spam.
Malicious code was injected directly into the Social Warfare plugin repository on WordPress.org. The malware created a new administrative user account (Options or PluginAuth) to gain full administrative control over affected sites and injected malicious JavaScript into website footers to generate SEO spam.
Malicious code was injected directly into the Simply Show Hooks plugin repository on WordPress.org. The malware created a new administrative user account (Options or PluginAuth) to gain full administrative control over affected sites and injected malicious JavaScript into website footers to generate SEO spam.
Malicious code was injected directly into the Contact Form 7 Multi-Step Addon plugin repository on WordPress.org. The malware created a new administrative user account (Options or PluginAuth) to gain full administrative control over affected sites and injected malicious JavaScript into website footers to generate SEO spam.
Malicious code was injected directly into the Blaze Widget plugin repository on WordPress.org. The malware created a new administrative user account (Options or PluginAuth) to gain full administrative control over affected sites and injected malicious JavaScript into website footers to generate SEO spam.
Installers for Conceptworld's Notezilla, RecentX, and Copywhiz were compromised on conceptworld.com. The trojanized builds stole browser credentials, crypto wallets, clipboard and keystroke data, then downloaded more payloads. Rapid7 disclosed the issue, and Conceptworld remediated the download path within 12 hours.
The KSystem ERP update program was compromised by the Andariel group, turning ClientUpdater.exe into a delivery path for Xctdoor. The malicious routines enabled data theft and remote control, placing an espionage backdoor inside the operational rhythm of enterprise resource planning software.
The legitimate installer for IPany VPN, a South Korean VPN provider, available on their official website was replaced with a malicious version. This trojanized installer deployed both the legitimate VPN software and the SlowStepper backdoor, used by the PlushDaemon APT group (suspected China-aligned) for espionage.
Attackers hijacked the GitHub account of a Top.gg maintainer using stolen browser cookies to bypass MFA. They modified the repository's requirements.txt to point to a poisoned version of the Colorama package hosted on a typosquatted domain (files.pypihosted.org). The malware stole credentials, discord tokens, and cryptocurrency data.
A sophisticated multi-year social engineering campaign resulted in an attacker gaining maintainership of xz utils. Malicious code was hidden in test files within the source repository and injected into the build process (configure script via m4 macro) only under specific conditions (x86-64 Linux, building .deb/.rpm with gcc/glibc). The backdoor targeted the OpenSSH server (sshd) linked against the compromised liblzma, enabling potential remote code execution by attackers possessing a specific private key.
After the popular polyfill.io domain was acquired by Funnull, the CDN began serving malicious JavaScript to selected visitors. The injected code redirected specific mobile users toward scam and gambling sites while avoiding administrative viewers, letting a browser compatibility service become a targeted traffic switch.
A specific JAVS Viewer release used for courtroom audio-visual recording was compromised through the official installer path. The backdoored build gave attackers potential full control of affected systems, placing covert access inside software trusted for legal records and evidence handling.
AnyDesk disclosed a breach of its production systems resulting in the theft of source code and private code-signing certificates. While not a ransomware attack, the stolen certificates were later used by threat actors to sign malware (such as Agent Tesla) as legitimate AnyDesk software.
A former Ledger employee fell victim to a phishing attack, allowing attackers to access their NPM account and publish malicious versions of the @ledgerhq/connect-kit package. The payload contained a drainer that rerouted cryptocurrency funds to the attacker, affecting major dApps like SushiSwap and Revoke.cash.
A North Korean group tracked as Diamond Sleet or ZINC modified a legitimate CyberLink multimedia installer and signed it with a valid certificate. Hosted on CyberLink's update infrastructure, the LambLoad trojanized installer downloaded secondary payloads onto victim systems across multiple countries.
The CurseForge account for 'Luna Pixel Studios', creators of the very popular 'Better MC' modpack series, was compromised. Attackers uploaded malicious versions of the modpacks (e.g., BMC3 for Forge 1.19.2). These modpacks either directly contained or pulled in dependencies infected with the 'Fracturiser' malware, leading to credential theft (Discord, Microsoft, Minecraft) and further malware propagation on users' systems.
A developer account with publishing rights for the popular 'When Dungeons Arise' Minecraft mod on CurseForge was compromised. Attackers uploaded a malicious JAR file disguised as a legitimate update. This file contained the 'Fracturiser' malware, designed to steal credentials (Discord, Microsoft, Minecraft) and spread to other JAR files on the user's system.
An account with publishing rights on BukkitDev for a popular plugin implementing 'Treecapitator' functionality was compromised. A malicious JAR file containing the 'Fracturiser' malware was uploaded, appearing as an update. This malware aimed to steal user credentials (Discord, Microsoft, Minecraft) and propagate itself by infecting other JAR files.
The CurseForge account associated with the 'Sky Villages' Minecraft mod was compromised. Attackers uploaded a malicious JAR file appearing as a legitimate update for the mod. This file contained the 'Fracturiser' malware, which steals various credentials and attempts to infect other JAR files on the victim's computer.
A developer account (`shyandlostboy81`) with publishing rights for the 'Simply Houses' Minecraft mod on CurseForge was compromised. Attackers uploaded a malicious JAR file disguised as a legitimate update. This file contained the 'Fracturiser' malware, designed to steal credentials (Discord, Microsoft, Minecraft) and spread to other JAR files on the user's system.
PyTorch nightly builds were compromised when a malicious torchtriton package was uploaded to PyPI and won dependency resolution over the intended internal package. The poisoned dependency executed during installation, exfiltrating sensitive build environment data and showing how one namespace collision can bend a trusted ML build.
Attackers compromised 3CX's build process and shipped malware through signed Desktop App updates for Windows and macOS to a customer base spanning hundreds of thousands of organizations. The breach cascaded from another supply-chain attack, X_TRADER, and turned 3CX into a downstream delivery system for data theft, reconnaissance, and follow-on payloads inside enterprise networks.
Attackers compromised the official website of Comm100 (customer engagement software vendor) to distribute a trojanized version of their Windows Desktop Agent installer. The installer, signed with a valid Comm100 certificate, contained a JavaScript backdoor leading to potential remote shell access and further malware deployment.
The PyPI account for the exotel package maintainer was compromised during the JuiceLedger phishing campaign. Attackers uploaded version 0.1.6 with installation code that downloaded and executed infostealer malware, making a niche Python client a clean-looking vessel for credential theft across developer workstations.
During the same JuiceLedger phishing wave that hit exotel, the maintainer account for the PyPI package spam was compromised. Malicious versions 2.0.2 and 4.0.2 were uploaded with installation logic that downloaded and executed infostealer malware on developer systems during installs.
The GitHub organization 'hautelook', which maintained a popular fork of the phpass PHP password hashing library, was deleted. An attacker later registered the 'hautelook' organization name and created a repository named 'phpass' with the same URL as the original. This new repository contained a malicious version of phpass designed to steal AWS credentials by exfiltrating environment variables. Packagist, which mirrored the original GitHub repository, then began serving this malicious version to users who updated the dependency.
An attacker gained access to the maintainer account for ctx, a small utility library, and published a malicious release. The payload hid in a test file but ran during installation, scraping environment variables and .npmrc credentials from machines that treated the package as harmless plumbing.
The maintainer added protestware to node-ipc, a widely used interprocess communication library, targeting users resolving from Russian or Belarusian IP addresses. The code attempted to recursively overwrite files with a heart character during normal package use, turning geopolitical protest into selective data destruction that could ripple through dependent JavaScript applications.
ESET disclosed on 2022-12-07 that the Iran-aligned Agrius APT abused the official update mechanism of an unnamed Israeli software developer whose suite is used in the diamond industry to deploy the Fantasy data wiper alongside the Sandals lateral-movement tool. Credential-harvesting tools were pre-positioned on 2022-02-20; the wiper rollout completed in under three hours on 2022-03-12 across customers in Israel (an IT support services firm, a diamond wholesaler, an HR consulting firm), South Africa (a diamond-industry organisation), and Hong Kong (a jeweler). The vendor did not respond to ESET's notification. Fantasy is a successor to Agrius's earlier Apostle wiper.
The maintainer intentionally introduced an infinite loop and breaking changes into colors.js, a tiny library with millions of weekly downloads. The protest act printed strange characters, broke dependent applications, and caused denial of service in normal startup paths. Its impact came from dependency gravity; small utilities can sit beneath enormous production surfaces.
The maintainer of faker.js intentionally sabotaged the project, force-pushing an endgame commit and publishing version 6.6.6 to npm in a broken, largely non-functional state. The protest disrupted a library with millions of weekly downloads and exposed how development, testing, and production systems can depend on unpaid maintainers as silent critical infrastructure.
The rc configuration loader was compromised indirectly after attackers gained control of coa, one of its dependencies, and published malicious releases. When rc moved onto the poisoned coa versions, it began carrying password-stealing malware transitively, proving that a clean package can still ship dirty code.
Attackers compromised maintainer credentials for the coa command-line argument parser and published malicious versions with Windows-focused password-stealing malware. The package's quiet place in dependency trees amplified the blast radius, pulling downstream consumers such as rc into the same poisoned npm current.
A compromised installer for the retired X_TRADER financial software, available on Trading Technologies' official website and signed with their certificate, contained the VEILEDSIGNAL backdoor. It infected a 3CX employee, initiating a cascading supply chain attack, and reportedly impacted other energy and financial sector organizations.
The maintainer's npm account was compromised, allowing attackers to publish malicious versions of ua-parser-js, a library embedded across millions of weekly installs. The payload stole OS passwords, browser cookies, and Discord tokens, then installed a cryptominer on Linux and Windows. Its danger came from reach; user-agent parsing had become quiet infrastructure.
On 2021-09-17 a contractor with merge access to the SushiSwap MISO (Minimal Initial Sushi Offering) launchpad GitHub repository pushed a single-line code change that swapped the auction's payout address with their own. Approximately 864.8 ETH (~$3 million at the time) raised through the Jay Pegs Auto Mart NFT auction was diverted to the attacker before SushiSwap engineers detected and reverted the commit. Because the attacker's wallet address was a known contractor wallet, SushiSwap was able to identify them and the funds were returned within hours.
The website of AccessPress Themes (also known as Access Keys), a vendor of numerous popular WordPress themes and plugins, was compromised. Attackers injected a backdoor into the downloadable zip files of dozens of their themes and plugins hosted on their site. This backdoor allowed attackers full control over websites that installed or updated these compromised extensions.
Attackers (REvil RaaS affiliate) exploited a chain of zero-day vulnerabilities (authentication bypass, arbitrary file upload, and code injection) in Kaseya VSA to distribute REvil ransomware. The attack delivered a malicious agent.crt which was decoded into agent.exe. This executable dropped a legitimate Windows Defender binary to sideload the malicious mpsvc.dll REvil encryptor, affecting approximately 30 MSPs and over 1,500 downstream businesses.
Passwordstate's enterprise password manager update mechanism was compromised by an unknown actor. For about 28 hours, it distributed a malicious update containing Moserpass, malware built to exfiltrate system details and stored Passwordstate credential data from the very vault trusted to protect secrets.
Attackers compromised the self-hosted `git.php.net` server. They pushed two malicious commits directly to the php-src repository ('main' branch). These commits attempted to insert a backdoor enabling remote code execution, disguised as typo fixes. The commits were detected quickly and did not impact any released version. PHP migrated to GitHub afterwards.
Avast disclosed in July 2021 that the official client installer for MonPass — a major Mongolian certificate authority — was backdoored on the company's download site between 2021-02-08 and 2021-03-03. The trojanized installer wrapped the legitimate MonPass client (used by Mongolian users to interact with their digital certificates), executing it normally while side-loading a Cobalt Strike beacon for remote access. Avast notified MonPass, which acknowledged the compromise and notified affected customers.
Attackers modified Codecov's Bash Uploader after gaining access to a private GCP key through a flawed Docker image creation process. The one-line change exfiltrated environment variables from customer CI/CD jobs, pulling credentials, tokens, and keys from build systems. Its impact came from position; one trusted coverage script quietly crossed many private software pipelines.
VeraPort, an integrated installation program by WIZVERA, commonly used in South Korea for secure access to government and financial websites, was abused. Its browser plugin mechanism was compromised or leveraged to prompt users to install malware, sometimes signed with stolen digital certificates, effectively turning a trusted security tool into a malware distribution vector. One of the key English-language references detailing this attack is no longer accessible.
Attackers compromised Able Desktop's website and used the Korean software company's own download path to distribute a trojanized installer. The malicious build carried a remote access backdoor, turning a routine desktop installation into a foothold delivered from a familiar vendor domain.
After original maintainer Dean Oemcke transferred ownership to an anonymous buyer in June 2020, the new owner published v7.1.8 to the Chrome Web Store containing tracking and remote-code-loading functionality that was never present in the open-source repository. The extension intercepted web requests for tracking and ad fraud, and could load arbitrary code from a remote server. Google removed it from the Chrome Web Store and force-disabled it for users on 2021-02-04; Microsoft pulled it from Edge for malware shortly before. Approximately 2 million users were affected.
BigNox, the company behind NoxPlayer (an Android emulator for PC/Mac), had its update mechanism compromised. Attackers delivered tailored malware payloads to specific users, primarily in Asian countries, without compromising the NoxPlayer software itself initially. The attackers gained access to BigNox's update infrastructure to deliver these malicious updates.
ESET disclosed Operation SignSight on 2020-12-17: between 2020-07-23 and 2020-08-16, attackers compromised the Vietnam Government Certification Authority's website (ca.gov.vn) and replaced the official `gca01-client-v2-x32-8.3.msi` and `gca01-client-v2-x64-8.3.msi` digital-signature toolkit installers with trojanized versions. The malicious MSIs ran the legitimate signing client while side-loading PhantomNet (a.k.a. Smanager), a modular backdoor compiled on 2020-04-26 that beaconed to `vgca.homeunix.org` and `office365.blogdns.com`. The trojanized installers carried the same SafeNet certificate as the legitimate ones. ESET noted tooling similarities to TA428.
An improperly configured AWS S3 bucket allowed attackers to modify version 1.20 of Twilio's TaskRouter JavaScript SDK hosted for public use. For several hours, websites loading the SDK directly from Twilio's CDN received code modified with malicious script, likely part of a Magecart-related malvertising or skimming campaign.
Intelligent Tax software, produced by Aisino Corporation and required by some Chinese banks for companies operating in China, was found to install the GoldenSpy backdoor. This malware provided extensive remote access and control capabilities, including command execution and data exfiltration, with a delayed installation to evade detection.
The official FreeDownloadManager website was compromised and intermittently redirected Linux users to a domain serving a trojanized Debian package. The malicious package installed a backdoor and infostealer aimed at passwords, crypto wallets, and cloud credentials, turning selective redirects into quiet compromise.
Over 29,500 e-commerce websites hosted on the Volusion platform were compromised when a malicious JavaScript file (volusion.js), hosted on a Google Cloud Storage bucket (storage.googleapis.com/volusionapi/resources/) used by Volusion, was modified. This script skimmed credit card information, exfiltrating it to gogogolo.com.
Attackers compromised SolarWinds' build system and inserted the Sunburst backdoor into signed Orion platform updates, reaching roughly 18,000 customers through trusted software. The operation opened access into U.S. federal agencies, security firms, and major enterprises, becoming one of the defining modern supply-chain intrusions. Supernova appeared as a related secondary backdoor in the same operational orbit.
Similar to the 'rest-client' incident around the same time, the 'strong_password' Ruby gem had a malicious version published. This compromised version contained a backdoor designed to steal environment variables and potentially execute code. It's suspected the same actor compromised both gems.
A maintainer's RubyGems.org account was compromised through password reuse, allowing attackers to publish malicious versions of the rest-client gem. The backdoor exfiltrated environment variables and accepted remote commands, turning a familiar HTTP client into a small control plane inside Ruby applications.
Webmin's build infrastructure was compromised, and attackers modified useradmin/password_change.cgi before official releases were produced. The inserted backdoor enabled unauthenticated remote command execution through the password change form, quietly riding multiple signed-looking releases over several months before public discovery by users.
The popular bootstrap-sass Ruby gem had malicious version 3.2.0.3 published to RubyGems.org after a likely maintainer account compromise. Rails applications that accepted the poisoned release inherited a backdoor in production code paths, turning a front-end asset dependency into a remote command execution channel.
The maintainer's npm account for mailparser was compromised, and malicious version 0.1.2 was published to the registry. Its install path attempted to download and execute an OS-specific binary from an external server, but the package was removed within an hour and saw fewer than 100 downloads.
Picreel, a service for conversion tools such as exit pop-ups, had its hosted JavaScript compromised. Attackers modified the script served to customer sites and injected a credit card skimmer, turning a marketing widget into payment-card theft wherever clients embedded it.
Servers of multiple Magento extension vendors (including Tigren, Meetanshi, MGS) were compromised. Attackers injected PHP backdoors into at least 21 popular commercial extensions. The backdoors, some dormant for years but activated in 2025, allowed remote code execution on e-commerce stores using the compromised extensions.
ESET disclosed on 2018-11-06 that attackers had injected malicious JavaScript into the official StatCounter tracking script `www.statcounter.com/counter/counter.js` on 2018-11-03, served to roughly 2 million sites embedding StatCounter analytics. Conditional code triggered only on URI paths matching `myaccount/withdraw/BTC` — i.e. the gate.io cryptocurrency exchange's BTC withdrawal page — and pulled a second stage from the lookalike `statconuter.com/c.php`. The payload silently rewrote the destination wallet on Bitcoin withdrawals to attacker-controlled `1JrFLmGVk1ho1UcMPq1WYirHptcCYr2jad`, capping at the user's daily withdrawal limit. Gate.io stopped using StatCounter on 2018-11-06 and StatCounter removed the script the same day.
The official VSDC Video Editor website was compromised multiple times, and attackers replaced legitimate download links with trojanized installers carrying banking malware. The public source trail has thinned over time, but the pattern remains clear as a trusted media tool became a rotating delivery point.
On 2018-09-14, phpBB confirmed that download links on phpbb.com for the freshly released version 3.2.4 (`phpBB-3.2.4.zip`, `phpBB-3.2.4.tar.bz2`) had been redirected to a third-party server hosting a trojanized archive containing additional code that opened a backdoor. The compromise was on the project's own site rather than the source code or build pipeline; clean files on the project's mirrors and Composer-installed copies were unaffected. phpBB pulled the malicious links within hours of discovery and rotated download URLs.
The 'event-stream' npm package maintainership was transferred via social engineering to an attacker who then added 'flatmap-stream@0.1.1' as a dependency in 'event-stream@3.3.6'. This new dependency contained obfuscated, malicious code specifically designed to steal cryptocurrency (Bitcoin, Bitcoin Cash) from users of the Copay Dash wallet application by exfiltrating wallet data and private keys if balances exceeded certain thresholds.
The Copay Bitcoin wallet was pulled into the event-stream compromise through a malicious npm dependency. The injected code specifically recognized Copay workflows and attempted to steal wallet secrets, making a transitive JavaScript library the narrow blade against cryptocurrency users and their funds.
On 2018-09-04 at 14:30 UTC, attackers compromised MEGA's Chrome Web Store developer account and published v3.39.4 of the official MEGA extension with credential-stealing code added to it. The trojanized extension intercepted POST requests containing common login field names and exfiltrated credentials for Amazon, GitHub, Google, and Microsoft, plus private keys for MyEtherWallet and MyMonero and credentials for the Idex.market exchange, sending data to megaopac.host (176.119.1.146, Ukraine). Google removed the extension at 19:19 UTC; the malicious version was live for approximately 4 hours. Clean v3.39.5 was published shortly after.
Feedify, a push notification service provider, had its JavaScript library compromised. Attackers injected malicious code into the script served to Feedify's customers. This skimmer code was then loaded on the websites of numerous businesses using Feedify, attempting to steal payment card details from their end-users.
GitHub Security Lab disclosed on 2020-05-28 that 26 open-source NetBeans projects hosted on GitHub had been backdoored by a self-spreading Java malware dubbed Octopus Scanner. When a developer opened an infected NetBeans project, the malware identified other NetBeans projects on the host and dropped a malicious payload (`cache.dat`) into their build configurations so that subsequent JAR builds — including those committed back to GitHub — also shipped a remote-access trojan. The implant established C2 over an HTTPS reverse shell. Affected repositories had been hosting the implant for months; samples persisted in commit history.
The electron-native-notify package was compromised with code that opened a reverse shell to the attacker's server. Because the package sat beneath Electron applications, including the Agama cryptocurrency wallet, the backdoor moved transitively; a small notification dependency became the hidden wire into larger desktop software.
The Agama cryptocurrency wallet application inadvertently included a compromised version of the `electron-native-notify` NPM package (v1.1.6) as a dependency in its builds. This resulted in official Agama wallet releases containing a backdoor (reverse shell) inherited from the dependency, potentially allowing attackers remote access and theft of wallet seeds or private keys.
British Airways' website was compromised by attackers who modified a JavaScript library, Modernizr, loaded on its payment pages. The malicious script captured and exfiltrated customer names, addresses, payment card details, and login credentials. While Modernizr is an open-source library, its modification on BA's site, as part of the code BA served to its users, represents a compromise of a component in the site's web delivery supply chain.
An attacker compromised the npm account of an ESLint maintainer and published malicious versions of eslint-scope and eslint-config-eslint. The injected code searched developer machines for .npmrc authentication tokens, aiming to turn one trusted maintainer account into many future publishing keys.
Minerva Labs and Malwarebytes disclosed in July 2018 that the official PDFescape Desktop installer distributed from the vendor's website was modified to side-load a malicious DLL that ran when the legitimate installer executed. The malicious component acted as a redirector / loader, using the trusted installer process to evade detection. The trojanized installer was signed and offered through PDFescape's normal download channel until the vendor was notified and pulled it.
An attacker gained control of Gentoo's GitHub organization administrator account (reportedly 'risacher' via password guessing). The attacker modified content, including ebuilds for 'portage' and 'musl-dev' in the main Gentoo ebuild repository, replacing them with malicious versions designed to execute 'rm -rf /' which would attempt to remove all files from users' systems. Access was quickly regained and changes reverted.
The official go-pear.phar installer on pear.php.net was replaced with a malicious version and left in place for roughly six months. Anyone bootstrapping PEAR from the trusted server risked executing a backdoored installer, a thin bootstrap script turned into a long-lived foothold.
Attackers compromised infrastructure related to the Vesta Control Panel, allowing them to inject malicious code into update scripts or packages delivered to users. The malicious code executed commands, collected server passwords (including VestaCP admin and FTP passwords), and sent the stolen data to the attackers' server.
Linked to the ShadowHammer/BARIUM APT group (also involved in the ASUS attack), the executable for the online game Infestation: Survivor Stories (formerly The War Z) was reportedly recompiled with malicious code sometime between June and November 2018. This supply chain compromise aimed to surgically target users by their MAC addresses to collect system information. The compromised executables were signed with legitimate digital certificates. This record tracks Infestation: Survivor Stories specifically; related ShadowHammer game and ASUS compromises are tracked separately.
Attackers compromised ASUS Live Update servers and signed trojanized utility builds with stolen digital certificates. The first stage reached a broad population, but its second-stage logic was selective, checking MAC addresses against a target list before installing deeper backdoors on chosen machines.
MediaGet's official update flow was compromised in March 2018, replacing the signed updater with a functionally similar trojanized binary. The dropper used a stolen DEVELTEC certificate and delivered Dofoil/Smoke Loader cryptomining at scale, with more than 400,000 infections in 12 hours, process hollowing into explorer.exe, and Namecoin-based C2.
On 2018-02-11 between 03:00 and 11:45 UTC, the official `ba.js` JavaScript file served from Texthelp's Browsealoud CDN was modified to embed an obfuscated Coinhive Monero miner that ran in visitors' browsers. Browsealoud is a text-to-speech and accessibility plugin embedded by ~4,200 websites worldwide; affected sites included the UK Information Commissioner's Office, NHS services, numerous .gov.uk and .gov.au domains, the US federal courts (uscourts.gov), and City University of New York. Texthelp's automated security tests detected the modified file and the service was disabled at 16:00 UTC; total exposure ~8 hours 45 minutes.
A third-party chatbot script provided by Inbenta Technologies to Ticketmaster UK (and potentially others) was compromised by attackers (Magecart group). Malicious JavaScript skimming code was injected into the legitimate script, allowing theft of payment card details and PII from users on Ticketmaster's payment pages where the widget was active.
Linked to the ShadowHammer/BARIUM APT group (also involved in the ASUS attack), the executable for the online game Point Blank was reportedly recompiled with malicious code sometime before 2019. This supply chain compromise likely aimed to collect system information from players. The compromised executables were signed with legitimate digital certificates. This record tracks Point Blank specifically; related ShadowHammer game and ASUS compromises are tracked separately.
KMPlayer, a freeware media player, reportedly distributed unwanted software, adware, or potentially more malicious payloads through some installer and update channels. Users who expected a media player instead encountered bundled programs and advertisements, a gray-zone supply chain where monetization blurred into unwanted execution.
Eltima Software download servers were compromised, and macOS installers for Elmedia Player and Folx were bundled with the Proton RAT. Users seeking media and download utilities from the official site received remote-access malware folded into otherwise familiar application packages for macOS.
A coordinated phishing campaign impersonating the Chrome Web Store team tricked extension developers into surrendering credentials via fake Google login pages on Freshdesk and bit.ly URLs. The hijacked accounts were used to publish malicious updates that injected adware and overlaid ads on visited pages. Confirmed compromised extensions include Copyfish (2017-07-28), Web Developer (2017-08-01, ~1M users), Chrometana, Infinity New Tab, Web Paint, Social Fixer, TouchVPN, and Betternet. All malicious updates were delivered through the official Chrome Web Store.
Legitimate updates for NetSarang's popular server management software (Xmanager, Xshell, etc.) were compromised to include the ShadowPad backdoor. This allowed attackers to potentially control and exfiltrate data from infected systems in highly sensitive organizations worldwide. The backdoor was discovered after being active for a short period.
Carbon Black and Red Canary disclosed in late 2017 that the Ask Partner Network (APN) — the update infrastructure behind the Ask.com Toolbar bundled with many freeware installers — was abused to push a multi-stage fileless malware loader through its official update channel. Endpoints with the Ask Toolbar installed received the malicious update via the trusted updater process, complicating detection. The campaign was characterized as targeted, with downstream payloads tailored to specific organizations rather than mass cryptojacking. APN/IAC pushed a clean update after notification.
An official HandBrake download mirror, download.handbrake.fr, was compromised while hosting the macOS release. The HandBrake-1.0.7.dmg image was replaced with a malicious build carrying the Proton RAT, so Mac users following the expected mirror path received remote-access malware instead of video tooling.
Microsoft disclosed WilySupply on 2017-05-04, describing a targeted supply-chain attack that abused an unnamed editor's auto-update channel to deliver a tiny ue.exe dropper to roughly 25 finance and payments organizations. The vendor was not named, but community evidence points most strongly to UltraEdit; that attribution remains circumstantial.
The update mechanism for MeDoc, a widely used Ukrainian accounting package, was compromised and used to distribute NotPetya. What looked like ransomware operated as a destructive wiper, escaping its initial target set and crippling shipping, pharmaceuticals, logistics, and public services worldwide. A local tax-software update became one of the costliest cyber disruptions on record.
Attackers compromised Piriform's build environment and inserted a backdoor into official CCleaner releases before Avast completed the acquisition. More than two million users received the first-stage telemetry collector, while a much narrower second stage pursued high-value technology companies. The incident showed how consumer utility software could become a precision espionage filter.
After SimilarWeb acquired Stylish (Chrome version in January 2017, Firefox version in March 2018), official store updates began silently exfiltrating users' complete browsing history — full URLs, Google search results, and unique tracking identifiers tied to user accounts — to api.userstyles.org. Robert Heaton publicly disclosed the behaviour on 2018-07-02 after observing the requests; Mozilla and Google removed the extension from their stores within two days. The exfiltrated data included sensitive URLs such as password reset tokens and medical record links.
Months after the KeRanger incident, Transmission's website was compromised again. This time, the legitimate macOS installer for version 2.92 was replaced with a malicious version containing the OSX/Keydnap backdoor. Keydnap aimed to steal keychain credentials and establish persistent remote access.
FossHub's distribution platform was compromised, and Classic Shell downloads were swapped for a destructive installer. Users who trusted the official download path received code that rewrote the master boot record, collapsing a familiar Windows utility into a boot-failure payload delivered through the software mirror.
Firmware-Over-The-Air (FOTA) update software from Shanghai Adups Technology Co., pre-installed by various OEMs on millions of Android devices (including budget US models like BLU), covertly collected and transmitted extensive PII (texts, call logs, contacts, location, app usage) to servers in China without user consent. Adups claimed this was designed for Chinese manufacturers and mistakenly included on international devices.
The official Transmission BitTorrent website was compromised, and attackers replaced the macOS installer for version 2.90 with a malicious disk image. Users following the trusted download path received OSX.KeRanger ransomware, which encrypted files after installation and made the release channel the first stage.
The Linux Mint website, specifically its WordPress installation, was compromised. Attackers modified download links on the site for the Linux Mint 17.3 Cinnamon edition ISO. These links redirected users to a server hosting a modified ISO containing the Tsunami backdoor, giving attackers remote control over infected machines.
The complex, modular Triada trojan was repeatedly found pre-installed deep within the firmware (sometimes infecting core Android processes like Zygote or system libraries) of numerous, often budget or counterfeit, Android devices. This likely occurred via supply chain compromise during manufacturing or firmware integration, granting attackers persistent, high-privilege access for credential theft, app modification, financial fraud, and further malware delivery.
Attackers compromised update mechanisms for Altair Technologies' EvLog event log management software. Altered versions, signed with a stolen private key, were distributed containing the 'Kingslayer' malware which provided backdoor access, targeting telecom and military organizations primarily between April and July 2015.
EVA Information Security discovered three critical CocoaPods vulnerabilities that had existed for nearly a decade. The flaws allowed orphaned package takeover, Trunk server code execution through email validation, and zero-click account takeover. Because CocoaPods sits under a vast iOS and macOS dependency graph, exploitation could have redirected trusted mobile builds at registry scale.
The infrastructure serving downloads and updates for the OpenX Source ad server software was compromised. Attackers modified official software packages to include malicious code. This code redirected website visitors viewing ads served by compromised OpenX servers to the Styx exploit kit, infecting end-users.
In July 2013, suspected DPRK-aligned actors (the DarkSeoul/Lazarus cluster) abused the auto-update mechanism of SimDisk, a popular South Korean personal cloud-storage client, to push a malicious update to users. The update dropped a DDoS bot used in attacks against South Korean government and media targets timed around the 25 June 2013 anniversary commemoration. The compromise was disclosed by ESET and other Korean AV vendors and is widely attributed to the same actor cluster behind the earlier 20 March 2013 wiper attacks against South Korean banks and broadcasters.
In mid-2013, suspected DPRK-aligned actors abused the auto-update mechanism of GOM Player, a popular Korean media player by Gretech, to deliver malware to selected South Korean targets. It was compromised in the same broad period as SimDisk and other Korean software supply-chain incidents in the DarkSeoul cluster. The malicious update was served through GOM Player's official update channel and signed/packaged to appear legitimate. Public technical detail is sparser than for SimDisk; the incident is most often referenced in roundups of Korean software-update supply-chain compromises rather than in a single canonical writeup.
During a platform-level compromise of RubyGems.org (exploiting server vulnerabilities), attackers gained root filesystem access and replaced the legitimate 'gem-wrappers' gem file (v1.1.0) with a malicious version. This trojaned version, with malicious code inserted into 'gemutils.rb', contained obfuscated code (using eval(Zlib::Inflate.inflate(Base64.decode64(...)))) that acted as a backdoor. The backdoor listened on UDP port 53, accepted clear text commands, and allowed remote command execution via eval() on systems that installed or updated to the compromised gem during the incident window.
Belgian ICS vendor eWON (later acquired by HMS Networks), which provides remote connectivity solutions like VPN software for industrial equipment, was targeted by the DragonFly campaign. Legitimate software installers for their products (e.g., eCatcher VPN client) available on their website were compromised to include the Havex RAT. This record tracks the eWON product scope specifically; related Havex vendor compromises are tracked separately.
MESA Imaging, a Swiss developer of 3D Time-of-Flight (ToF) cameras and related software used in industrial applications, was another vendor whose website was compromised by the DragonFly group. Software installers for their camera products were trojanized with the Havex RAT, enabling espionage on systems using their specialized imaging equipment. This record tracks the MESA Imaging product scope specifically; related Havex vendor compromises are tracked separately.
As part of the DragonFly/Energetic Bear campaign, MB Connect Line, a German vendor of industrial routers and remote access solutions, had a software installer on their website trojanized with the Havex Remote Access Trojan (RAT). This allowed attackers to gain a foothold in networks of organizations that downloaded and installed the compromised software. This record tracks the MB Connect Line product scope specifically; related Havex vendor compromises are tracked separately.
An official phpMyAdmin download mirror on SourceForge was compromised, and attackers replaced phpMyAdmin-3.5.2.2-all-languages.zip with an archive containing the server_sync.php backdoor. Users who landed on that mirror received a poisoned administrative tool through a legitimate distribution lane for database operators and maintainers.
Juniper disclosed on 2015-12-17 that unauthorized code was found in official ScreenOS firmware shipped on NetScreen firewalls. CVE-2015-7755 added a hardcoded master password (`<<< %s(un='%s') = %u`) granting administrative SSH/Telnet access to any device. CVE-2015-7756 weakened the Dual_EC_DRBG random number generator by replacing the Q parameter, enabling passive decryption of VPN traffic by anyone holding the corresponding private key. The malicious code is believed to have been present since 2012 (in 6.2.0r15 and later, and 6.3.0r12 and later) and is widely attributed to a nation-state actor — possibly building on a pre-existing NSA-influenced backdoor.
The FTP server hosting the official vsftpd source code tarballs was compromised. For a brief period, the download for vsftpd version 2.3.4 was replaced with a version containing a backdoor. This backdoor opened a listening shell on TCP port 6200 when a username ending in ':)' was used to log in.
The main FTP server distributing the ProFTPD source code (`ftp.proftpd.org`) was compromised. Attackers replaced the legitimate source code tarball for ProFTPD version 1.3.3c with a modified version containing a backdoor. Compiling and running this version would allow attackers remote root access.
The official distribution tarball for UnrealIRCd version 3.2.8.1 was replaced with a backdoored version on official download mirrors. The backdoor was hidden within the source code and allowed anyone to execute arbitrary commands with the privileges of the user running the IRC daemon by sending a specific AB;/COMMAND sequence to the server.
Downloads of phpMyAdmin obtained from certain compromised SourceForge mirrors contained injected malicious JavaScript code within legitimate files (like js/cross_framing_protection.js). When an administrator used the compromised phpMyAdmin installation, this JavaScript executed in their browser, potentially redirecting them or loading external malicious content. This was separate from a later backdoor incident in 2012.
Shortly after its release, the official WordPress 2.1.1 download package (`.zip`) hosted on wordpress.org was compromised by attackers who gained access to a web server. Obfuscated malicious PHP code was injected into core files (`wp-includes/vars.php` and possibly `wp-includes/theme.php`), creating a backdoor. This backdoor allowed remote attackers to pass arbitrary PHP code via specific request parameters (like `ix` or `iz`) for execution on the server, effectively granting them control over sites that installed the compromised package. The WordPress team detected the compromise quickly, removed the malicious package, and released version 2.1.2 with fixes and additional security hardening.
A compromised SourceForge mirror distributed a modified Webmin 1.290 archive. The tampered release carried a backdoor in /usr/libexec/webmin/openiscsi/edit_args.cgi, allowing crafted HTTP requests to reach remote command execution as root through software that administrators had downloaded from a trusted public mirror.
An attacker attempted to insert a subtle backdoor into the Linux kernel source (kernel/exit.c) via the BitKeeper/CVS system. The change involved a two-line modification to the sys_wait4 function. If a call to wait4() was made with specific options (options == (__WCLONE|__WALL)), an additional check (`current->uid = 0`) would execute. This check, an assignment rather than a comparison, would set the calling process's UID to 0, granting root privileges. The attempt was detected and reverted before inclusion in any release.
The official Sendmail FTP server (`ftp.sendmail.org`) was compromised, and the source code tarballs for version 8.12.6 (`.tar.gz` and `.tar.Z` files) were replaced with trojanized versions. The malicious code, reportedly activated during the compilation process, connected to a remote IRC server (port 6667) and potentially allowed remote shell access for the attacker. The compromised files were available for approximately one week.
Malicious code was discovered in OpenSSH distribution files on the official OpenBSD FTP server. The trojan was inserted into the source code archives and would activate during compilation, connecting to a remote server on IRC port 6667 and allowing arbitrary command execution. The backdoor was discovered quickly and the compromised files were replaced with clean versions before widespread damage could occur.
In early 1999, IBM accidentally shipped several thousand Aptiva consumer PCs pre-installed with the destructive CIH (Chernobyl) file virus. The contamination occurred during manufacturing due to an infected test diskette and outdated antivirus software on a duplication server, shortly before the virus's damaging payload activation date (April 26th).
The official source code distribution tarball for tcp-wrappers version 7.6 (`tcp_wrappers_7.6.tar.gz`) was replaced with a trojaned version on several FTP distribution sites, including the primary site at the time (Eindhoven University). The backdoor provided root access to attackers initiating connections from source port 421 and also sent system information via email upon compilation.
The official FTP server (ftp.irc.org) hosting the ircII source code was compromised. The `ircii-2.8.2.tar.gz` distribution was modified; specifically, the file `ircd/s_bsd.c` had a backdoor inserted. This backdoor connected to IP 198.168.253.139 on TCP port 30000 and attempted to start an interactive shell (`/bin/sh -i`), allowing remote access with the privileges of the user running ircII.
In 1995, Microsoft acknowledged accidentally distributing software installation floppy disks (reportedly including some for Windows 95 upgrades) infected with the common 'Form' boot sector virus. The infection likely occurred during mass disk duplication. While not destructive, the virus caused audible clicking sounds on infected PCs on the 18th of the month.
The source code distribution for the popular wu-ftpd FTP server was modified by an attacker to include a backdoor. This trojaned version was then uploaded to the primary distribution site. The backdoor allowed attackers who knew the trigger mechanism to gain root privileges on systems that compiled and ran the compromised server.
Master copies of a promotional/training disk for Aldus FreeHand, a commercial graphics program, were infected with the MacMag virus by a contractor before duplication. Aldus unknowingly distributed thousands of infected disks, notably via Macworld magazine, marking an early commercial software supply chain compromise.
In his 1983 Turing Award lecture (published 1984), Ken Thompson described an experiment he likely implemented years earlier at Bell Labs. He modified the Unix C compiler (`cc`) binary to insert a backdoor into the `login` program during compilation. The compiler was also modified to recognize its own source code and inject both the `login` backdoor logic and the self-replicating compiler modification into any newly compiled compiler binary, even from clean source. This practical demonstration highlighted the fundamental vulnerability of trusting software built with potentially compromised toolchains.
ANIMAL was one of the earliest documented examples of a self-replicating "trojan horse" program. Created by John Walker, it presented as a simple "20 questions" game guessing animals but secretly searched the system for other terminals and copies of itself. When run on a clean system, it would install a "Trojan Horse" version of itself in the user's account, gradually propagating throughout the system.
Data refreshed from supplychain-attack-data at 314ab8f. Last generated 2026-05-13T16:29:03Z.