In May 2022, a threat actor bought the expired PyPI project name "ctx," pushed a version that read every environment variable on the installing machine, and quietly POSTed the results — including AWS access keys — to a Heroku app. The same technique hit the PHP package "phpass" on Packagist within days. Four years later, credential theft is no longer a side effect of supply chain compromise; it is the business model. From the 2023 W4SP Stealer campaign that hit hundreds of PyPI typosquats to the September 2025 Shai-Hulud npm worm that scanned infected machines with TruffleHog and exfiltrated secrets to public GitHub repositories, attackers have converged on package registries as the highest-leverage place to harvest credentials at scale. This post breaks down exactly what these packages go after, the exfiltration channels they use to slip past network monitoring, and how Safeguard detects them before install.
What Data Do Credential-Stealing Packages Actually Target?
They target anything that authenticates a developer, a CI pipeline, or a cloud account, because that access is worth far more than a single stolen password. The 2022 "ctx" and "phpass" compromises specifically harvested os.environ, which on most developer and CI machines contains AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, database connection strings, and API tokens for services like Stripe or SendGrid — all in plaintext, all readable by any code that runs during pip install. The 2023 W4SP Stealer campaign, distributed through PyPI packages typosquatting popular libraries, went after Discord authentication tokens, saved browser passwords and autofill data, and cryptocurrency wallet files from apps like Exodus and Atomic Wallet. The July 2022 "IconBurst" npm campaign took a different angle: roughly two dozen packages typosquatting names like "ionic" embedded obfuscated JavaScript that scraped form submissions — names, emails, passwords, payment card numbers — directly out of production web and mobile apps that had bundled the malicious code. The common thread across all three is that the package never needed to compromise a server; it just needed to run once, at install time or at runtime, with the ambient privileges the developer or CI system already had.
How Did Attackers Turn a Single Compromised Package Into Thousands of Leaked Secrets?
They did it by targeting the CI/CD layer instead of individual laptops, because one compromised pipeline can leak secrets for every project it touches. The September 2025 Shai-Hulud worm is the clearest example: it compromised npm packages — including ones published under legitimate, high-profile scopes — and, once installed, ran the open source secret-scanning tool TruffleHog against the local filesystem and environment to harvest npm tokens, GitHub personal access tokens, and cloud credentials. It then used any stolen npm publishing token to inject the same malicious payload into other packages the compromised maintainer controlled, spreading worm-style across the registry, while pushing stolen secrets to publicly accessible GitHub repositories named after the campaign itself. Security researchers tracking the incident identified the payload in several hundred npm packages before registry operators could pull them. Because the worm specifically hunted for NPM_TOKEN and GITHUB_TOKEN values sitting in CI environment variables, a single developer running npm install inside a build pipeline could hand attackers the keys needed to publish malicious updates to every package that developer maintained.
What Exfiltration Channels Do These Packages Use to Avoid Detection?
They favor destinations that look like normal developer traffic on a corporate network, because a request to a well-known SaaS domain rarely trips a firewall rule the way a raw connection to an unknown IP would. The "ctx" and "phpass" incidents sent stolen environment variables to a Heroku app URL — traffic indistinguishable from a legitimate API call to a hosted service. W4SP Stealer and many of the Discord-token-focused PyPI typosquats of 2022-2023 exfiltrated over Discord webhooks, posting stolen data as a message in an attacker-controlled channel, which rides on HTTPS traffic to discord.com that most egress filtering allows by default. Shai-Hulud went further, using the GitHub API to create public repositories under victims' own compromised accounts and writing exfiltrated secrets directly into them — meaning the "malicious" destination was, from a network monitoring standpoint, github.com itself. Other campaigns tracked by researchers at ReversingLabs and Phylum have used Telegram bot APIs and DNS queries to smuggle small amounts of data out even when outbound HTTP is restricted. The pattern across all of these: attackers choose infrastructure your monitoring already trusts.
Why Do npm and PyPI Token Stealers Matter More Than Ordinary Password Stealers?
They matter more because a stolen publishing token doesn't just expose one victim, it gives the attacker a distribution channel to every downstream consumer of that maintainer's packages. A stolen Discord password affects one account. A stolen NPM_TOKEN or PyPI API token lets an attacker push a new, malicious version of a package that thousands of other projects pull in automatically via version ranges like ^1.2.0. This is exactly the mechanism Shai-Hulud exploited in 2025 and that the 2021 ua-parser-js compromise exploited before it, when a hijacked maintainer account was used to publish versions containing a cryptominer and a password-stealing trojan to a package downloaded millions of times per week. The blast radius of a token-theft package is therefore not "one developer's machine" — it's every CI pipeline, container build, and production deploy that resolves the compromised package version before the malicious release is caught and pulled.
How Do Browser and Crypto Wallet Stealers Operate Inside a Package?
They operate by reading local application storage the same way the legitimate browser or wallet software does, then shipping it out before anyone notices the extra network call. Info-stealers bundled into typosquatted packages — a pattern documented repeatedly in PyPI and npm malware reports from Checkmarx, Phylum, and Socket through 2023 and 2024 — locate the SQLite databases Chrome and Firefox use to store saved passwords and cookies, decrypt them using the same OS-level keys the browser itself uses, and copy wallet.dat or keystore files from known crypto wallet install paths. Because this logic runs as an install or postinstall script the moment npm install or pip install executes, it needs no user interaction and no follow-on exploit — the package manager itself is the delivery mechanism. Some variants, consistent with the W4SP family, also grab Discord's local storage token cache, which lets an attacker take over gaming and community accounts without ever needing a password.
How Safeguard Helps
Safeguard treats every new and updated open source package as untrusted until proven otherwise, which is the only posture that catches attacks like these before install rather than after disclosure. Our scanning pipeline flags install/postinstall scripts and obfuscated code paths that read environment variables, browser profile directories, or known wallet file paths — the exact behavior seen in the ctx, IconBurst, and W4SP incidents — and blocks the install before secrets ever leave the machine. We separately monitor for the network-behavior fingerprints of credential exfiltration: unexpected outbound calls to webhook endpoints, PaaS app URLs, or the GitHub API from a package that has no legitimate reason to make them, which is how Shai-Hulud-style token theft gets caught even when the destination domain is itself trusted. Because token theft is only dangerous if the stolen token still works, Safeguard also tracks publisher identity and version-history anomalies — a maintainer account suddenly publishing from a new location, or a patch release that changes install scripts without a corresponding source diff — so a hijacked account triggers an alert before it can worm through a dependency tree the way ua-parser-js and Shai-Hulud did. The goal is to close the exact window these campaigns depend on: the gap between a malicious package landing in a registry and a human noticing.