Cybersecurity Startup Published Infostealers to NPM
Seven NPM packages typosquatting Anthropic, OpenAI, LangChain and Vercel used postinstall scripts to exfiltrate git, SSH and cloud identity data. The publisher traces back to an Israeli security startup founder.
In late June 2026, a threat actor published at least seven packages to NPM within two days, impersonating Anthropic, LangChain, Ollama, OpenAI, Vercel, and Aspect Security. The packages amassed roughly 20,000 downloads, and research traced the publisher back to the founder of an Israel-based cybersecurity startup.
The packages weaponize npm's postinstall script feature: a script that runs automatically at install time harvests hostname and username, email addresses from git config files, GitHub CLI session data, committer emails pulled from the git reflog, the git remote URL, and comments from SSH public keys. All of this is bundled into a single HTTPS POST sent to the attacker's server.
The most notable technical detail is that the malicious code is fully separated from the legitimate, harmless TypeScript utility files in the src/ folder. Even developers who audit the source code never see the actual payload, which lives in postinstall.js and is never called from the visible code. A fake telemetry disclosure paired with a genuinely functional opt-out environment variable gives security-conscious developers a false sense of control.
The case illustrates how social engineering and technical obfuscation can be combined in supply-chain attacks, and reaffirms that npm's postinstall scripts remain a critical, underscrutinized attack surface.