Security & Trust

The npm Worm Wave: 30+ Supply Chain Attacks in 6 Months

One supply chain attack is an incident. Thirty in six months is a market condition. The worm crossed to PyPI. The source code went public. Here's the timeline.


The Timeline

This is not a curated list of the worst attacks. This is every documented npm supply chain compromise in the first half of 2026. The pace is the story.

February 2026

dYdX: npm and PyPI packages compromised — @dydxprotocol/v4-client-js versions 3.4.1, 1.22.1, 1.15.2, 1.0.31 delivered wallet stealers and RAT malware. Cline CLI 2.3.0: unauthorized npm publish token used to add a postinstall script installing OpenClaw across developer machines.

March 2026

Axios: versions 1.14.1 and 0.30.4 poisoned by North Korean group UNC1069. Cross-platform backdoor targeting Windows, macOS, Linux. The attacker cloned the company founder's identity, created a fake Slack workspace, and social-engineered the maintainer. Axios is downloaded 40M+ times per week. nx: developer's GitHub token stolen through compromised package. Attackers achieved AWS admin access within 72 hours via OIDC trust abuse. GlassWorm: 72 malicious VS Code extensions discovered, delivering payloads through extension dependency chains.

40M+: Axios weekly downloads. Source: npmjs.com download statistics for the axios package.

April 2026

Bitwarden CLI @bitwarden/[email protected]: compromised GitHub Action in CI/CD pipeline. Malicious code stealing GitHub/npm tokens, SSH keys, .env files, cloud secrets. SAP-related packages ([email protected], @cap-js/[email protected]): Mini Shai-Hulud campaign executing malicious Bun binaries via preinstall scripts. Checkmarx: KICS Docker images and VS Code extensions modified with data exfiltration. CanisterSprawl: self-propagating worm using ICP canister for resilient command-and-control.

May 2026

TanStack + Mistral AI + Guardrails AI: Mini Shai-Hulud worm targeting cloud providers, crypto wallets, CI systems. Two OpenAI employee devices impacted. Nx Console 18.95.0: VS Code extension with 2.2 million installations — multi-stage credential stealer deployed to every developer who updated. Megalodon: 5,718 malicious commits pushed to 5,561 GitHub repositories, harvesting CI secrets, cloud credentials, and SSH keys. Sicoob NuGet: banking credential theft expanding beyond npm to .NET ecosystem.

2.2 million: Nx Console installations affected. Source: VS Code Marketplace download count for the nrwl.angular-console extension.

June 2026 — The Month Everything Escalated

June 1: Miasma hits Red Hat. 32 packages under @redhat-cloud-services compromised with 90+ malicious versions. Credential-stealing worm targeting GitHub, npm, AWS, Azure, GCP tokens. The attackers forged SLSA provenance attestations — the supply chain integrity standard designed to prevent exactly this. The compromised employee credential had been in infostealer logs since April 13. Seven weeks of exposure before the attack.

June 3: Miasma Wave 2 introduces Phantom Gyp. Instead of preinstall hooks (which security scanners watch), a 157-byte binding.gyp file uses gyp's command substitution to execute code during npm install. 57 packages hit in under two hours, including @vapi-ai/server-sdk (408,000+ monthly downloads). Every lifecycle script scanner: bypassed.

June 3-4: IronWorm. A parallel, technically independent campaign. 37 packages trojanized with Rust-based stealer, eBPF kernel rootkit, Tor-based C2. Sweeps 86 environment variables including every 2026-era AI provider key — Anthropic, OpenAI, Gemini, Cohere, Mistral, Groq, Perplexity, xAI. Published from the asteroiddao account targeting crypto/web3 developers.

June 5: Miasma skips npm entirely. A compromised contributor pushes .mcp.json and IDE config files to Azure/durabletask. When developers open the repo in Claude Code, Cursor, or Gemini CLI — no npm install required — the payload harvests credentials. GitHub disables 73 Microsoft repositories across four organizations in 105 seconds. Every GitHub Actions workflow referencing Azure/functions-action@v1 breaks globally.
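An added audit script, not from the original post or from any vendor named in it, that walks a checkout and lists the three execution paths described in the June 3 and June 5 entries: package.json lifecycle scripts, binding.gyp command expansions (gyp's `<!(...)` / `<!@(...)` syntax), and the server commands in a project .mcp.json. It assumes the mcpServers/command/args layout for .mcp.json; the sample tree it builds is constructed, and its `<!(...)` line is the ordinary benign form native addons use, which is why a hit means review rather than automatic block.

```python
import json
import re
import tempfile
from pathlib import Path
# gyp runs the command inside <!(...) or <!@(...) while node-gyp configures a native
# addon, so binding.gyp is an install-time execution path with no lifecycle script.
GYP_CMD_EXPANSION = re.compile(r"<!@?\((.*)\)")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def load_json(path):
    """Parse a JSON file, returning {} instead of raising on malformed input."""
    try:
        return json.loads(path.read_text(errors="replace"))
    except ValueError:
        return {}

def audit_tree(root):
    """Return (kind, relative path, detail) for each install-time or IDE-open-time hook."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.name == "package.json":
            scripts = load_json(path).get("scripts", {})
            for hook in LIFECYCLE_HOOKS:
                if hook in scripts:
                    findings.append(("lifecycle", rel, f"{hook}: {scripts[hook]}"))
        elif path.name == "binding.gyp":
            for cmd in GYP_CMD_EXPANSION.findall(path.read_text(errors="replace")):
                findings.append(("gyp-expansion", rel, cmd))
        elif path.name == ".mcp.json":
            # MCP server entries are launched by the IDE when the checkout is opened
            for name, srv in load_json(path).get("mcpServers", {}).items():
                cmd = " ".join([srv.get("command", "")] + srv.get("args", []))
                findings.append(("mcp-server", rel, f"{name}: {cmd}"))
    return findings

def build_sample_tree():
    """Constructed sample checkout with one hook of each kind (not real packages)."""
    root = Path(tempfile.mkdtemp())
    (root / "package.json").write_text(json.dumps({"scripts": {"postinstall": "node setup.js", "test": "jest"}}))
    addon = root / "node_modules" / "sample-addon"
    addon.mkdir(parents=True)
    (addon / "binding.gyp").write_text(
        "{'targets': [{'target_name': 'addon', 'sources': ['addon.cc'],\n"
        "  'defines': ['NODE_VER=<!(node -p process.versions.node)']}]}\n")
    (root / ".mcp.json").write_text(json.dumps(
        {"mcpServers": {"helper": {"command": "npx", "args": ["-y", "sample-mcp-server"]}}}))
    return root
```

Run `audit_tree` on a fresh clone before `npm install` and before opening it in an MCP-aware IDE; the `test` script in the sample is deliberately not reported, since only the hooks that fire on their own are listed.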

June 7: The worm jumps ecosystems. Socket identifies 37 malicious PyPI wheels using Python .pth startup hooks to launch Bun-powered credential stealers. The Hades wave targets established bioinformatics tools — dynamo-release, spateo-release, coolbox. Total Shai-Hulud campaign artifacts across both registries: 448.
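An added example, not from the original post or from Socket's analysis, showing the .pth mechanism the Hades wheels relied on: at interpreter startup Python's site module reads every .pth file in site-packages and executes any line that starts with `import`, while treating every other line as a sys.path entry. The scanner below reports exactly those lines; the directory it builds is constructed, its hook line is a benign placeholder, and legitimate packages such as setuptools ship a .pth of this shape too, so a hit is a review item rather than proof of compromise.

```python
import site
import tempfile
from pathlib import Path

def pth_exec_lines(pth_path):
    """Return (line number, text) for each line of a .pth file that site.py would exec.

    At startup site.py reads every .pth in site-packages: a line starting with
    'import ' or 'import\\t' is executed as code, a '#' line is a comment and any
    other line is appended to sys.path. Only the import lines can run a payload,
    and they do so before the program itself imports anything."""
    hooks = []
    for lineno, line in enumerate(pth_path.read_text(errors="replace").splitlines(), 1):
        if line.startswith(("import ", "import\t")):
            hooks.append((lineno, line.rstrip()))
    return hooks

def scan_site_packages(site_packages):
    """Map each .pth file name to its executable lines (an empty list is a plain path file)."""
    return {p.name: pth_exec_lines(p) for p in sorted(Path(site_packages).glob("*.pth"))}

def hooked_files(site_packages):
    """Names of the .pth files that carry startup hooks, for triage."""
    return [name for name, hooks in scan_site_packages(site_packages).items() if hooks]

def build_sample_site_packages():
    """Constructed sample: one editable-install path file and one file carrying a hook."""
    sp = Path(tempfile.mkdtemp())
    (sp / "editable-mypkg.pth").write_text("/home/dev/src/mypkg\n")
    # placeholder hook line; a wheel can ship a .pth like this and pip drops it here
    (sp / "sample-hook.pth").write_text(
        "# looks like a path file\nimport sys; sys.path.insert(0, '/opt/sample')\n")
    return sp

if __name__ == "__main__":
    for directory in site.getsitepackages():
        for name in hooked_files(directory):
            print(f"{directory}/{name} executes code at interpreter startup")
```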

448: Shai-Hulud total artifacts (npm + PyPI), 411 npm packages + 37 PyPI wheels. Source: Socket.dev Hades analysis, June 7, 2026.

73: Microsoft repos disabled in 105 seconds, across the Azure, Azure-Samples and MicrosoftDocs organizations. Source: StepSecurity, The Register, June 2026.

May 2026 — The Source Code Went Public

May 12: TeamPCP publicly released the fully weaponized Mini Shai-Hulud source code — CI cache-poisoning scripts, credential stealer, self-propagation logic. The npm supply chain worm is now open source. Seven days later, compromised account 'atool' published 639 malicious package versions across 323 unique packages in one hour — the largest single-hour attack in npm history.

The Pattern

Four things accelerated in H1 2026. First: attacks moved from obscure packages to mainstream ones — Axios, Bitwarden, TanStack, Red Hat, Microsoft Azure, SAP. The target selection went upmarket. Second: self-replication. IronWorm and Miasma don't just steal credentials — they use those credentials to compromise more packages, creating worms that propagate through the developer ecosystem. Third: the kill chain deepened. Stolen npm tokens lead to GitHub access, which leads to CI/CD secrets, which leads to cloud infrastructure. One compromised package, AWS admin in 72 hours. Fourth — and newest: the worm learned to jump. npm to PyPI. Package registries to IDE configs. The attack surface is no longer one ecosystem.

What This Means for Framework Choice

Every JavaScript framework — React, Next.js, Angular, Vue, Nuxt, Astro, SvelteKit — depends on npm. A typical Next.js project has 500-800+ dependencies in node_modules. Each one is a potential entry point for the next IronWorm.

This is not a reason to stay on WordPress — WordPress has its own, well-documented supply chain crisis (six CVSS 9.8 vulnerabilities exploited simultaneously in June 2026). It is a reason to factor supply chain depth into framework decisions. Hugo (compiled Go, zero npm runtime dependencies) has materially smaller supply chain exposure than any JavaScript framework. Django and Flask depend on pip — and the Hades wave just proved PyPI is no longer 'historically less targeted.'

Thirty attacks in six months. The worm source code is public. The worm jumps ecosystems. This is not a wave. It's the new normal.
