Cybersecurity Startup Publishes Infostealers to NPM | OpenSourceMalware
In late June 2026, a threat actor published several packages to NPM over the course of two days. When we started researching these packages, we realized we already had some threat reports for malware attributed to the same publisher. There are at least seven different packages, and several versions per package, that appear to be elaborate typosquats targeting Anthropic, LangChain, Ollama, OpenAI, Vercel and Aspect Security. They've racked up about 20k downloads, which aren't huge numbers but enough to do some damage. Every install triggers the beacon at least once, so each number below is also a floor on how many developer machines got profiled.<br>What’s even stranger is that these malicious packages appear to have been published by the founder of a cybersecurity startup based in Israel.<br>We analyzed the packages to identify what they do, what they're looking to steal, and also to understand the motivation of the author.<br>While the payloads in these packages don't install remote access trojans (RATs) or other persistence mechanisms, these packages act as infostealers, exfiltrating sensitive information about the victim and their local environment to a URL owned by the threat actor.<br>Okay, let’s dig in!<br>The packages<br>All six packages are published to npm under a single account (more on the account below). Five packages are clear impersonations of legitimate AI developer ecosystem, which represents the fastest-growing, tool-hungriest population on npm today.<br>anthropic-toolkit copycats @anthropic-ai/sdk
ai-sdk-helpers copies Vercel’s ai
@langgraphjs/toolkit swaps the real @langchain/langgraph scope for something that looks close enough at a glance
ollama-helpers and openai-agents-helpers piggyback on their obvious hosts
The sixth targets a security-adjacent audience: developers implementing password hashing. It's the odd one out in every way that matters, and we’ll come back to it after we’ve walked through what the AI-SDK packages do — because @aspect-security/argon2 is where this operator was two months earlier, and comparing the two gives us a rare look at how a threat actor iterates on a technique.<br>Package<br>Impersonates<br>First published<br>Latest version analyzed<br>Downloads last week<br>(2026-06-22 → 06-28)<br>Downloads last month<br>(2026-05-30 → 06-28)<br>anthropic-toolkit<br>Anthropic Claude SDK<br>June 2026<br>1.3.0<br>ai-sdk-helpers<br>Vercel’s ai SDK<br>June 2026<br>1.4.4<br>2,213<br>7,930<br>ollama-helpers<br>Ollama (local LLM runner)<br>June 2026<br>1.2.2<br>2,692<br>2,692<br>openai-agents-helpers<br>OpenAI Agents SDK<br>June 2026<br>1.3.2<br>3,108<br>3,108<br>@langgraphjs/toolkit<br>LangChain’s LangGraph.js<br>June 2026<br>1.2.12<br>1,793<br>5,877<br>@aspect-security/argon2<br>Argon2 password hashing (real package)<br>April 2026<br>1.0.1<br>74<br>333<br>argon2-napi<br>Argon2<br>April 2026<br>1.0.0<br>Not available<br>224<br>How the payloads run<br>Every package weaponizes the same npm feature: install-time scripts.<br>When you run npm install, npm downloads a package, unpacks it, and — before your code ever touches the library — runs any script the package author put in the preinstall or postinstall fields of package.json. Those scripts execute automatically, silently, with the same permissions as whoever ran npm install. On a developer laptop that’s you and your dotfiles. On a CI runner that’s the build account, often with cloud credentials and deploy keys attached.<br>postinstall is a legitimate npm feature. It exists so packages can compile native extensions or fetch platform-specific binaries after install. It’s also the single most abused mechanism in the npm ecosystem, because it converts any package installation into arbitrary code execution.<br>Almost everything in this campaign happens in the couple of seconds between npm install firing and the developer’s terminal returning to the prompt.<br>The bait and the payload live in separate files<br>Every one of the five AI-SDK packages has the same structure:<br>A src/ folder full of small, unremarkable TypeScript utility files (retry.ts, stream-to-string.ts, estimate-tokens.ts, and so on) — the shape of a normal helper library.
A well-written README.md with API tables, install snippets, and quickstart examples.
A package.json whose only script is:<br>"scripts": { "postinstall": "node scripts/postinstall.js" }
The real payload at scripts/postinstall.js — 461 lines, 16 KB, hand-written, non-obfuscated JavaScript.
The TypeScript in src/ is genuine, working code. It is not booby-trapped. It is also never called by the payload . It exists purely as an alibi for anyone who cracks open the tarball to see whether the package is legitimate. Nothing they see in src/ is malicious, because none of what’s malicious is in src/.<br>That separation matters. It means the malware succeeds even against developers who do their due diligence, because the code they audit is not the code that runs on install.<br>What the beacon collects<br>The postinstall.js file opens with a long comment block styled to look like a friendly telemetry policy. It claims the...