Sonatype Security Research has identified a potential compromise of a trusted npm maintainer account that has now published two malicious npm packages — sbx-mask and touch-adv — designed to exfiltrate secrets from victims' computers.
The evidence strongly suggests account takeover of a legitimate publisher, rather than intentional malicious activity. Sonatype did not observe any indication that these were test packages, though touch-adv has now been removed. Hijacked publisher accounts are particularly concerning as, over time, maintainers build trust with the users of their components. Attackers aim to take advantage of that trust in order to steal valuable, or profitable, information.
We reported the incident to npm on March 19, 2026, to GitHub's Security Incident Response Team (SIRT), which is responsible for handling security issues across npm and related services.
Sonatype is tracking these malicious npm packages under Sonatype-2026-001276 and Sonatype-2026-001275 and will continue to monitor for additional publications. The npm malware campaign is considered active and under investigation, and attribution remains unknown at this time.
The sbx-mask package was quickly determined to be malicious due to its clear exfiltration behavior. Further investigation revealed that multiple npm packages shared similar exfiltration patterns, but differed in how and when their payloads were executed:
| Package | Execution | Payload Behavior | Exfiltration Method |
| sbx-mask | Runs automatically via postinstall script | Collects environment variables and formats them into JSON | Sends data via curl to a webhook.site endpoint |
| touch-adv | Executes when application code is invoked (not on install) | Reads TRACE_ID, collects and formats environment variables | Sends data via POST request to email ethan@vm0.ai via agentmail |
The sbx-mask package uses a postinstall script to immediately execute its payload upon installation, increasing the likelihood of rapid credential exposure.
In contrast, touch-adv does not automatically execute. Instead, it embeds malicious logic within the application code itself, requiring the package to be invoked before the payload runs.
This distinction is notable. Rather than relying solely on install-time execution, attackers are increasingly embedding malicious code deeper within npm packages to evade detection. By delaying execution until runtime, these techniques make the malware less obvious during standard dependency inspection.
At a technical level, malicious npm packages embed their payload within application code, typically inside the index.js file. This code executes either during installation or when the package is imported into an application.
Once executed, the malicious script performs a series of actions designed to harvest and exfiltrate sensitive data, including:
Collecting environment variables from the host system.
Accessing sensitive credentials such as API keys, authentication tokens, and cloud service secrets.
Transmitting the collected data to attacker-controlled endpoints, including webhook services and hard-coded email addresses.
Because environment variables are widely used to manage secrets in development and production environments, this type of attack can lead to serious downstream compromise. Exposed credentials may enable attackers to access cloud infrastructure, manipulate CI/CD pipelines, or move laterally across systems within an organization.
One of the most significant aspects of this npm malware campaign is, if malicious and not in fact a test, its reliance on trusted maintainer accounts. Rather than creating new packages or impersonating popular libraries, the attackers appear to have taken control of accounts with established credibility in the npm ecosystem. This dramatically increases the likelihood that developers will install affected packages without suspicion.
Additionally, the attackers employed multiple exfiltration techniques, including both webhook-based collection and direct email transmission. This dual approach increases the resilience of the campaign and suggests a level of planning beyond opportunistic attacks.
The timing of the package publications is also noteworthy. Multiple malicious versions appeared within a narrow window of time, indicating either automated exploitation or coordinated access to multiple accounts.
This npm malware campaign primarily targets developers and organizations that rely on npm packages as part of their SDLC. Any system that installs and executes npm packages may be at risk, especially those where sensitive credentials are exposed via environment variables.
High-risk targets include:
CI/CD pipelines and automated build systems.
Cloud-based deployment environments.
Local developer machines with access to credentials and tokens.
In these contexts, a single compromised package installation can expose secrets that grant attackers access to broader infrastructure, increasing the potential for downstream compromise across an organization.
If you have downloaded sbx-mask or touch-adv, assume sensitive information may have been exposed and investigate immediately. Although touch-adv has been removed from npm, it may still exist in cached environments or internal registries.
Additional indicators include unexpected outbound network activity during package installation or execution, especially connections to webhook services or unusual email-based data transfers. Code-level indicators include scripts that access process.env and transmit its contents externally.
Known exfiltration endpoints observed in this npm malware campaign include webhook.site URLs and the email address ethan@vm0.ai.
Act quickly. If either package has been ingested, remove it immediately and rotate all potentially exposed credentials without delay. This includes API keys, authentication tokens, and any secrets stored in environment variables.
It is also important to review system and CI/CD logs for unusual activity, particularly outbound network requests that could indicate data exfiltration. In addition, teams should verify that dependencies are correctly named, as attackers may attempt to exploit confusion or impersonation alongside account compromise.
More broadly, organizations should adopt practices that reduce reliance on long-lived credentials and limit the exposure of sensitive environment variables wherever possible.
As software supply chain attacks evolve, attackers increasingly target trusted maintainers, rather than rely on obvious fake packages, making detection significantly more difficult without automated tooling.
With Sonatype Guide, developers gain real-time intelligence to identify malicious or risky packages before they are introduced into their environments. This helps teams, and the AI agents that support them, autonomously manage dependencies and keep AI-assisted workflows secure.
Sonatype will continue to monitor this campaign and share updates as new intelligence emerges.