Microsoft Uncovers Crypto-Stealing Malware Lurking in Popular npm Packages


TL;DR

  • Microsoft identified two compromised npm packages that secretly distributed malware capable of stealing cryptocurrency wallet credentials, keystrokes, screenshots, and other sensitive information.
  • The attackers reportedly used Hugging Face repositories to exfiltrate stolen data, making the activity harder to detect.
  • The discovery highlights growing software supply-chain risks for developers while reinforcing the importance of self-custody security practices and careful verification of third-party dependencies.

Microsoft has uncovered a new malware campaign targeting developers through compromised npm packages, adding to concerns surrounding software supply-chain security. The malicious code was designed to steal sensitive information, including cryptocurrency wallet credentials, while remaining hidden inside tools that appeared legitimate.

According to Microsoft Threat Intelligence, the affected packages, identified as [email protected] and [email protected], distributed a remote access trojan capable of collecting keystrokes, screenshots, login credentials, and crypto-related data from infected systems. Since npm is one of the world’s largest software registries, compromised packages can potentially reach a significant number of developers who unknowingly install infected dependencies.

Microsoft Reveals Crypto-Focused Supply Chain Attack

The campaign is particularly relevant for cryptocurrency users and blockchain developers. Development machines often contain browser wallets, API credentials, cloud access tokens, and source code repositories connected to digital asset projects. If attackers gain access to these resources, they may compromise wallets, development infrastructure, or automated trading systems.

Microsoft reported that the malware used Hugging Face repositories as part of its data exfiltration strategy. By sending stolen information through a trusted artificial intelligence platform, the attackers reduced the likelihood that their activity would immediately attract attention from security monitoring systems.

The incident reflects a broader trend in which cybercriminals increasingly target software supply chains rather than individual users. Instead of attacking victims directly, threat actors attempt to compromise commonly used development tools and dependencies that can provide access to a much larger pool of potential targets.

Open Source Security Challenges Continue To Grow

The latest discovery follows several recent campaigns targeting cryptocurrency and artificial intelligence developers. Security researchers have previously identified malicious packages across the npm, PyPI, and Rust ecosystems that attempted to collect wallet credentials, SSH keys, and cloud access credentials.

While these attacks create risks for users, they do not expose weaknesses in blockchain networks themselves. In most cases, attackers focus on stealing credentials from endpoints and user devices rather than attempting to break the cryptographic foundations that secure digital assets.

Microsoft recommends reviewing installed packages, removing suspicious dependencies, rotating potentially exposed credentials, and monitoring wallet activity for unauthorized transactions. Security experts also advise storing seed phrases offline and carefully verifying software sources before installation.
