{"campaigns":[{"attributed":6365,"description":"npm packages shipping a Windows PE (SMTP bulk-mailer/credential-checker) as the package main entry, with no source code or documentation.","ecosystem":"npm","first_seen":1747872000,"id":"nolimit-binary","name":"@nolimit-x binary payload","source":"osv"},{"attributed":2156,"description":"Coordinated mass-publish of 36 npm packages from publisher asteroiddao with preinstall hooks invoking relative binary paths. Detected by PkgRadar at 01:05 UTC 2026-05-26.","ecosystem":"npm","first_seen":1748217600,"id":"asteroiddao","name":"asteroiddao npm campaign","source":"pkgradar"},{"attributed":1866,"description":"Three npm packages from publisher devcarron shipping identical postinstall droppers fetching a Windows PE via IPFS within a 4-minute burst.","ecosystem":"npm","first_seen":1748131200,"id":"clob-dropper","name":"Clob dropper","source":"pkgradar"},{"attributed":1516,"description":"Python packages periodically monitoring clipboard for cryptocurrency seed phrases and exfiltrating them to a remote endpoint.","ecosystem":"pypi","first_seen":1748563200,"id":"bittensor-clipboard","name":"Bittensor clipboard stealer","source":"osv"},{"attributed":1002,"description":"Self-propagating worm targeting PyPI packages. Uses .pth startup hooks and/or the Bun JS runtime to run obfuscated JavaScript credential-stealers on every Python invocation post-install.","ecosystem":"pypi","first_seen":1748217600,"id":"shai-hulud-pypi","name":"Shai-Hulud (PyPI)","source":"osv"},{"attributed":202,"description":"npm worm that abuses binding.gyp action targets to execute credential-stealing shell commands during node-gyp compilation, bypassing lifecycle-script inspection.","ecosystem":"npm","first_seen":1748822400,"id":"miasma","name":"Miasma worm","source":"osv"},{"attributed":10,"description":"Self-replicating npm worm written in Rust. Ships a compiled binary via preinstall. Steals 86 env vars + 20 credential files, beacons over Tor, hides behind an eBPF rootkit, propagates via npm Trusted Publishing.","ecosystem":"npm","first_seen":1749081600,"id":"ironworm","name":"IronWorm","source":"external"},{"attributed":1,"description":"Compromised GitHub Actions OIDC trusted publisher for npm scoped packages. Injects heavily obfuscated preinstall hooks (ROT-9 → AES-128-GCM → obfuscator.io) to steal developer secrets.","ecosystem":"npm","first_seen":1748476800,"id":"mini-shai-hulud","name":"Mini Shai-Hulud (npm)","source":"osv"}]}