I built an automated scanner that monitors new npm packages in real time. Ran it for 24 hours against ~2000 recent registry changes and it flagged 21 malicious packages across 11 campaigns.
Four of them use attack techniques I haven't seen documented before, all targeting AI coding assistants.
The Findings
1. LLM API Man-in-the-Middle — A package overwrites ~/.claude/ on install and redirects all Claude API traffic through an attacker-controlled proxy. Every prompt and response passes through their server.
2. Encrypted Skill Backdoor — A package downloads encrypted payloads from a remote API and installs them as Claude Code skills. The payloads can't be inspected, and the server can swap them anytime without updating the npm package.
3. RAT Disguised as AI Coding Tool — Two packages ship polished coding assistant CLIs but route everything through an attacker's ngrok tunnel. Users grant full filesystem access voluntarily because they think it's a legit AI tool.
4. Redis + Raw Disk Read via postinstall — Six fake Strapi plugins use Redis to write shell payloads, open reverse shells, and read raw disk via dd to steal SSH keys and crypto wallets.
Other Catches
Dependency confusion targeting Verisign, a commercial phishing toolkit with 95 versions, credential stealers behind fake React components, and obfuscated packages impersonating ByteDance's npm scope.
None were flagged by npm, Snyk, or Socket at the time of discovery.
Quick Check
If you use AI coding tools, check for unauthorized config files:
```bash
ls ~/.claude/commands/
ls ~/.cursor/
ls ~/.continue/config/
```
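Listing the directories tells you something is there but not whether it was dropped recently or where it points. The following script is an added example (not part of the original post or the author's scanner) that walks the same config locations, reports files modified in the last N days, and reports any URL whose host is not on a small allowlist. It scans the whole `~/.claude/` tree rather than only `commands/`, since the first finding describes that directory being overwritten. The allowlist of expected hosts is an assumption; adjust it to the tools you actually use.

```shell
#!/usr/bin/env sh
# Added example: inventory AI coding-tool config directories and flag
# (a) files modified within the last N days and (b) files referencing a
# URL whose host is not in EXPECTED_HOSTS. Not from the original post.

# Config locations to inspect, relative to a home directory. Follows the
# post's Quick Check, widened to the whole .claude tree.
AI_TOOL_DIRS="
.claude
.cursor
.continue/config
"

# Hosts a practitioner expects to find in these configs (assumed allowlist).
EXPECTED_HOSTS="api.anthropic.com|api.openai.com|localhost|127.0.0.1"

# scan_ai_configs HOME_DIR [DAYS]
# Prints one finding per line:
#   RECENT <path>             file modified within DAYS days (default 7)
#   ENDPOINT <path> <url>     file references a URL with a non-allowlisted host
scan_ai_configs() {
    home="$1"; days="${2:-7}"
    for rel in $AI_TOOL_DIRS; do
        dir="$home/$rel"
        [ -d "$dir" ] || continue

        # A fresh drop from a postinstall script shows up as a recent file.
        find "$dir" -type f -mtime "-$days" 2>/dev/null | while read -r f; do
            printf 'RECENT %s\n' "$f"
        done

        # Pull every http(s) URL out of each file and compare its host
        # against the allowlist; anything else is reported for review.
        find "$dir" -type f 2>/dev/null | while read -r f; do
            grep -Eo "https?://[^\"'[:space:]]+" "$f" 2>/dev/null | while read -r url; do
                host=$(printf '%s' "$url" | sed -E 's#https?://([^/:]+).*#\1#')
                if ! printf '%s' "$host" | grep -Eq "^($EXPECTED_HOSTS)$"; then
                    printf 'ENDPOINT %s %s\n' "$f" "$url"
                fi
            done
        done
    done
}

# count_findings HOME_DIR [DAYS]: echoes the number of findings.
count_findings() {
    scan_ai_configs "$1" "${2:-7}" | wc -l | tr -d ' '
}

# Usage: scan the current user's home directory, looking back 7 days.
# scan_ai_configs "$HOME" 7
```

Run it against `$HOME` and read the ENDPOINT lines first: a config that sends API traffic to a host you did not configure is exactly the symptom the first finding describes. RECENT lines on a machine where you have not edited these tools lately are worth a second look as well.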
Full technical reports with IOCs and MITRE mappings: yuribm.dev/security