Sonatype has identified a campaign involving 176 malicious npm packages apparently designed to win dependency resolution over internal software components.
The packages were published with unusually high version numbers, including 99.99.99, to exploit dependency confusion in development environments that are not properly configured. In those cases, npm may choose a public package over a private or internal one if the public version number is higher.
Sonatype's research team found embedded postinstall scripts that ran automatically during installation. The scripts fingerprinted the host environment, downloaded a platform-specific JavaScript payload, conducted further reconnaissance and data exfiltration, and then retrieved a second-stage binary for execution.
The malware sought usernames, hostnames, operating system and architecture details, working directories, Node.js runtime information, environment variables, CI/CD secrets, authentication tokens, and other credentials. The campaign targeted Windows, macOS, and Linux systems with different payloads for each platform.
Some Linux and macOS binaries have already triggered antivirus detections, while the Windows payload has fewer detections. Sonatype also observed detached background execution intended to continue beyond the installation process, along with Russian-language comments in parts of the code.
Version tactic
The use of version numbers such as 99.99.99, 9.9.9, 9.9.10, 10.10.10, and 11.11.11 suggests a strategy aimed at automated package selection rather than human deception. The campaign relied on package managers following semantic version rules and namespace assumptions within software development and build workflows.
The approach reflects a broader shift in software supply chain attacks toward the mechanics of build systems and dependency management. Rather than persuading developers to download a malicious file directly, attackers aim to have software tooling retrieve and run it automatically.
The scale of the operation was a notable feature. A coordinated set of 176 packages suggests planning, automation, and preparation rather than isolated experimentation.
Install risk
The attack also highlights the risks of npm's postinstall feature, which allows code to run at installation time. In legitimate use, it supports software setup tasks. It also gives attackers an execution point that can activate before a developer notices suspicious activity.
If one of the malicious packages reaches a developer workstation or a continuous integration environment, an attacker may be able to harvest cloud credentials, signing keys, deployment tokens, and other secrets stored in environment variables or accessible during the build process. A compromised build agent can then become a route into the wider software supply chain.
Ilkka Turunen, Field Chief Technology Officer at Sonatype, said the attack shows how software supply chain methods are changing. "This campaign shows how software supply chain attacks have evolved beyond tricking developers and into manipulating the automation developers rely on every day. The attackers are aiming to trick the developer's system into automatically downloading a component with an extremely high version number like 99.99.99 named similarly to their internal components. What makes this dangerous is that modern build systems execute enormous amounts of third-party code automatically and without oversight during installation. Once a malicious package reaches a developer workstation or CI pipeline, it is too late. The attacker is hunting for the most valuable assets in the environment: credentials, signing keys, cloud access, and deployment tokens. The bigger lesson is that software supply chain defence has to happen before components enter the build process. After a postinstall script starts beaconing credentials out of a CI environment, organisations are already operating in incident response mode."
Immediate checks
Systems where any of the identified packages were installed should be treated as potentially compromised. Sonatype advised organisations to identify affected hosts, rotate exposed credentials and tokens, review CI/CD secrets and environment variables, investigate outbound network traffic, check for persistent secondary payloads, and verify protections around internal package namespaces and npm registry resolution order.
Sonatype is tracking the activity under the identifier Sonatype-2026-003429. Attribution remains unconfirmed, and the campaign is under active investigation.