npm: 12 Malicious Packages in 'Dev-Tool' Campaign Drop Within 14 Minutes
On May 22–23, 2026, 12 malicious npm packages impersonating developer utilities were disclosed within a 14-minute window, all registered within the prior week and executing commands associated with malicious behavior.
Key findings
- 12 malicious npm packages disclosed within a 14-minute window on May 22–23, 2026
- Packages impersonate developer utilities including AI/LLM tools, build scripts, and project initializers
- 5 packages confirmed to execute malicious commands via post-install scripts
- Includes 'chai-as-repaired', a typosquat of the popular 'chai' testing library (13M+ weekly downloads)
- All packages were registered within the week prior to disclosure, suggesting automated campaign tooling
- Combined ~40,000 weekly downloads indicate real-world installation before takedown
Coordinated Drop of 12 Malicious npm Packages
On May 22–23, 2026, security researchers disclosed 12 malicious npm packages in a tightly coordinated burst spanning just 14 minutes (23:58 UTC to 00:12 UTC). The packages, all registered within the preceding week, masquerade as legitimate developer tooling — build utilities, project initializers, environment bootstrappers, and AI/LLM workflow helpers — and several have been confirmed to execute malicious commands upon installation.
The Campaign Signature
While the 12 packages lack a single shared npm scope or naming prefix, they follow a clear thematic pattern: each name mimics a plausible developer utility. Representative examples include:
async-pipeline-builderbuild-scripts-utilsdev-env-bootstrapperproject-init-toolsnode-setup-helpersllm-context-compressor
Other packages in the batch include prompt-engineering-toolkit, token-usage-tracker, workspace-config-loader, model-switch-router, loading-session, and chai-as-repaired — the last being a typosquat of the popular testing library chai (which sees over 13 million weekly downloads). The names suggest the threat actor targeted developers working across DevOps, AI/LLM pipelines, and Node.js project scaffolding — a broad net cast to maximize accidental installation.
Malicious Behavior
OpenSSF Package Analysis flagged five of the 12 packages for executing one or more commands associated with malicious behavior: prompt-engineering-toolkit, build-scripts-utils, token-usage-tracker, dev-env-bootstrapper, and llm-context-compressor. While the specific payloads vary, the behavioral pattern is consistent with post-install script execution — a common vector for npm supply-chain attacks that runs code automatically when a package is installed via npm install.
The extracted IOCs from behavioral analysis include references to api.jsonstorage.net, a domain that could serve as an exfiltration endpoint, alongside Node.js primitives like https.request and https.get that would enable outbound communication. The presence of config.json and claude.md references aligns with the AI/LLM theme of several package names, suggesting the malware may target API keys or configuration files for AI services.
Severity and Impact
The GitHub Security Advisories (GHSA) for these packages carry the standard severe warning: any computer that installed one of these packages should be considered fully compromised. All secrets and API keys stored on the affected machine — including npm tokens, cloud credentials, and environment variables — should be rotated immediately from a separate, trusted machine. The packages have accumulated a combined total of roughly 40,000 weekly downloads, indicating real-world adoption before takedown.
Detection and Response
Developers should audit their package-lock.json or yarn.lock files for any of the following package names:
async-pipeline-builder build-scripts-utils dev-env-bootstrapper llm-context-compressor prompt-engineering-toolkit token-usage-tracker chai-as-repaired loading-session model-switch-router node-setup-helpers project-init-tools workspace-config-loader
If any are found, assume the environment is compromised. Rotate all credentials, review npm token logs for unauthorized publishes, and consider rebuilding from a clean base image. The chai-as-repaired typosquat is especially dangerous given its resemblance to the widely used chai assertion library — developers should verify they are depending on the legitimate chai package (published since 2012) and not this imposter.
Broader Context
This burst is the latest in a growing trend of coordinated, high-volume malicious package drops on npm. The registration of all 12 packages within a single week — and their disclosure within a 14-minute window — points to automated tooling and a pre-planned takedown response. The targeting of AI/LLM-related tooling names is a notable evolution, reflecting the rapid adoption of large language models in development workflows and the corresponding interest from threat actors in stealing API keys and model-access credentials. As developer tooling ecosystems continue to expand into AI, supply-chain defenders will need to watch for these thematic campaigns that exploit the latest development trends.