ctipilot.ch
← Back to the live brief
NOTABLENATOB2research

npm supply-chain payload hides as runtime 'telemetry' with no install hook — defeating install-time dependency scanners

discovered 2026-07-10 12:53 UTCrun 2026-07-10T1228Z-intel1 sourcesingle-source

Aikido Security published (2026-07-09) a teardown of a compromised npm release of @injectivelabs/sdk-ts — an SDK pulling ~50,000 weekly downloads — that is notable less for its payload's purpose than for how it hid (Aikido Security, 2026-07-09). Introduced via what Aikido assesses as a GitHub account takeover (commits from an account with an established history), the malicious version was live for under an hour on 2026-06-08 before the maintainer reverted it, but in that window the attacker also republished the same version number across 17 other packages in the scope, each pinning the poisoned SDK — so any project depending on one of them resolved the stealer transitively without naming it directly.

The payload runs no install-time script. Diffed against the clean build, the artifacts differ by one injected block and two one-line hooks placed inside the SDK's own key-derivation entry points; each hook "fires before the real derivation runs, so the secret is captured on every legitimate call" during normal application use (Aikido, 2026-07-09). Because "the trigger is key derivation at runtime and not a lifecycle script, install-time scanners and sandboxes that only watch postinstall see a clean package" — the single most important detail for defenders, since it defeats the exact control (install-hook / postinstall inspection) that most software-composition-analysis programmes lean on. The exfiltration was built to blend in: the destination host was stored as an array of character codes and reassembled at runtime to defeat plaintext string search, the captured material was base64-batched and sent inside an HTTP request header (not the body) with a content type matching the SDK's own gRPC-web API calls, and every failure path swallowed errors silently. The injected block was even documented in its own comment as "anonymized usage metrics for SDK optimization".

Because the trigger is key derivation at runtime and not a lifecycle script, install-time scanners and sandboxes that only watch postinstall see a clean package.

Each hook fires before the real derivation runs, so the secret is captured on every legitimate call

The malicious `1.20.21`was published at 22:59 GMT+2 on June 8, 2026, the maintainer reverted the change at 23:18, and a clean version was published at 23:48.

Aikido Security 2026-07-09

Defender actions

  • Do not treat a clean install-time (postinstall) scan as sufficient for npm dependencies — this payload had no lifecycle hook. Add build-artifact-vs-source diffing (compare the shipped dist/ output against the repository source) to catch code injected only into the compiled artifact.
  • Audit transitive dependencies, not just direct ones: 17 of the 18 affected packages carried no malicious code of their own but pinned the poisoned SDK, so a project could pull the stealer without ever naming it. Pin exact versions and verify via build provenance/attestation (npm provenance, Sigstore) rather than trusting the registry alone.
  • Add runtime egress monitoring for dependency processes making outbound calls to hosts that merely resemble a vendor's real API domain, and for unusual data carried in custom HTTP request headers rather than the body.

ATT&CK mapping

4 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1195.002Supply Chain Compromise: Compromise Software Supply Chain

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

overlap matrix · ATT&CK page ↗

Credential Access TA0006
T1056.004Input Capture: Credential API Hooking

Adversaries may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials. Malicious hooking mechanisms may capture API or function calls that include parameters that reveal user authentication credentials. Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials.

overlap matrix · ATT&CK page ↗

Collection TA0009
T1056.004Input Capture: Credential API Hooking

Adversaries may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials. Malicious hooking mechanisms may capture API or function calls that include parameters that reveal user authentication credentials. Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials.

overlap matrix · ATT&CK page ↗

Command and Control TA0011
T1132.001Data Encoding: Standard Encoding

Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip.

overlap matrix · ATT&CK page ↗

Exfiltration TA0010
T1041Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.