Suspected Hijacked Developer Accounts Spread npm Malware
Hijacked npm developer accounts spread credential-stealing malware packages sbx-mask and touch-adv.
Summary
Sonatype discovered a sophisticated campaign exploiting compromised npm developer accounts to distribute two malicious packages, sbx-mask and touch-adv, designed to steal API keys, passwords, and environment variables from developer machines. The malware exfiltrated stolen credentials via webhook to a specific email address before GitHub's security team removed the packages on March 19, 2026. Developers who installed these packages are at risk and should immediately rotate credentials and monitor for unauthorized access.
Full text
Suspected Hijacked Developer Accounts Spread npm Malware

Sonatype uncovers a sophisticated malware campaign using hijacked npm developer accounts to steal API keys and passwords. Is your dev environment at risk?

By Deeba Ahmed, March 26, 2026

Hackers have found a new way to exploit the software world, and this time, they’re using our own trust against us. Researchers at Sonatype have just caught a nasty campaign where legitimate developer accounts were hijacked to spread malicious code. This wasn’t just a random person making a fake app; it looks like a targeted takeover of established creators to inject tampered tools into the system without anyone noticing.

In a report shared with Hackread.com, the firm identified two dangerous packages named sbx-mask and touch-adv. These were quietly published to the npm registry (a massive library of code used by millions) to act as a digital backdoor into a developer’s machine.

Researchers found that these two packages were essentially programmed to act like credential stealers. Once they get onto a computer, they hunt for “environment variables,” which are hidden areas where a computer stores its most private keys, like passwords, API tokens, and login credentials for cloud services.

The two threats, which Sonatype is tracking under the codes Sonatype-2026-001275 and Sonatype-2026-001276, didn’t behave the same way. The sbx-mask package was bold; it triggered its theft the second it was downloaded. On the other hand, touch-adv was more undercover. It stayed quiet until the developer actually started using the software, making it much harder to spot during a quick scan.

Further investigation revealed a very clear trail of where the stolen secrets were being sent. The malware was caught directing data to a specific email address, [email protected], and using a tool called a webhook to move the information out.
As soon as the team realised what was happening, they moved fast and reported it to GitHub’s Security Incident Response Team on March 19, 2026. While the dangerous files have since been kicked off the public platform, they might still be sitting in the private folders of any developer who downloaded them recently.

This shows that avoiding unknown apps might not be enough; even trusted developers can be used to spread malicious code. If you installed these packages, change your passwords and check for unusual network activity right away.
Indicators of Compromise
- malware — sbx-mask
- malware — touch-adv