BLOG
Active Malware Campaigns in January-May 2026
We surfaced three trends about malware: npm and PyPI growing at similar rates, ATOs aren’t the only risk, and threat actors targeted non-developers.
By cb482791-4ef1-4762-96ad-b0ca4bdd538e
Earlier this month we published a blog (The Software Supply Chain Malware Landscape: January - May 2026) that covered trends in our data for the first half of the year. In this article we draw on the same data set for a closer look at specific campaigns and the threat actor groups behind them.
This chart shows the major campaigns from this time period.

We’ll start this analysis with two very active threat actor groups and their corresponding campaigns: Lazarus Group and TeamPCP.
Threat actor: Lazarus Group
Lazarus Group is a North Korean (DPRK) state-sponsored threat actor active since at least 2009, operating under multiple aliases across financially motivated and espionage-driven campaigns. Their open source supply chain activity is primarily focused on cryptocurrency theft, which funds North Korean state programs including weapons development. Attribution is high-confidence: payload families, infrastructure patterns, and tradecraft have been corroborated across years of independent research. See the #dprk tag for all associated threat reports, which total more than 2600 records across packages, GitHub repos, URLs, domains, IP addresses, and crypto wallets.
Contagious Interview Campaign
Active since 2023, Contagious Interview targets software engineers through fake recruiting outreach on platforms like LinkedIn, Fiverr, and Upwork, directing victims to clone malicious GitHub repositories under the pretense of a technical assessment. Originally these repos contained malicious npm dependencies or a malicious web app as the initial stage. In 2026 the group pivoted to hiding the initial stage in a .vscode/tasks.json file, which VS Code runs when the folder is opened, so the malware auto-executes much as an npm lifecycle script does on install. Both tactics silently execute BeaverTail, a multi-stage loader that deploys InvisibleFerret, a Python backdoor capable of stealing cryptocurrency wallets, browser credentials, and SSH keys. OpenSourceMalware has tracked at least 11 distinct variants across 17+ repositories, with infrastructure rotating continuously in direct response to takedowns. The campaign spans npm, PyPI, Go, Cargo, and Packagist, following stolen credentials across registries as they are harvested. See the #contagious-interview tag for all associated threat reports.
TasksJacker / PolinRider Campaign
In 2026, OpenSourceMalware discovered two new Lazarus Group campaigns that compromised thousands of developers. While Contagious Interview is still active, these campaigns have become dominant.
Phase 1: Credential harvesting via TasksJacker
TasksJacker compromises developer machines by injecting malicious .vscode/tasks.json files into GitHub repositories, bypassing the social engineering step used in Contagious Interview entirely. When a developer clones a compromised repository and opens it in VS Code, the tasks file executes automatically with no further interaction required. The campaign compromised 400+ repositories across dozens of organizations, including DataStax, peaking at 39 repositories in a single day on January 29, 2026. Its most distinctive technical characteristic is a multi-blockchain C2 architecture spanning TRON, Aptos, and Binance Smart Chain, making infrastructure takedown through traditional domain seizure ineffective.
OpenSourceMalware discovered two sub-campaigns that were active in this period:
Fake Font: Buried the payload inside a .woff2 font file containing hex-encoded JavaScript rather than font data. The task executed node public/fonts/fa-brands-regular.woff2, which decoded and ran BeaverTail. The font file was chosen because it looks like a plausible web project asset that would never be inspected.
Malicious Dictionary: Added a backup vector: a spellright.dict file containing 6KB of obfuscated JavaScript, formatted to mimic the legitimate SpellRight VS Code extension's dictionary format. If a developer spotted and removed tasks.json, the fallback payload remained in place. This sub-campaign showed the threat actors actively anticipating defenders and building redundancy into their delivery.
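The two sub-campaigns above share one shape: an automatic task in .vscode/tasks.json that points a JavaScript runtime at a file whose extension says it is something else. The scanner below is an added example written for this article, not code from OpenSourceMalware or from the campaigns it describes. It parses VS Code's JSON-with-comments dialect, flags tasks with a folderOpen trigger, flags node/bun/deno being pointed at a non-script file, and checks that any referenced font file actually starts with the font container's magic bytes. The tasks.json and the hex-text "font" it builds in a temporary directory are constructed to resemble the Fake Font variant; the label, path and payload text are placeholders, not the real artifacts.

```python
"""Scan a repository's .vscode/tasks.json for auto-run tasks and disguised payloads."""
import json
import re
import tempfile
from pathlib import Path

TRAILING_COMMA_RE = re.compile(r",(\s*[}\]])")
# First bytes of real font containers. A "font" that lacks them is not font data.
FONT_MAGIC = {".woff2": b"wOF2", ".woff": b"wOFF", ".ttf": b"\x00\x01\x00\x00", ".otf": b"OTTO"}
SCRIPT_EXT = {".js", ".mjs", ".cjs", ".ts"}
JS_RUNTIMES = {"node", "bun", "deno", "npx"}


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside string literals, then trailing commas,
    so that json.loads accepts VS Code's JSON-with-comments dialect."""
    out, i, n = [], 0, len(text)
    while i < n:
        ch = text[i]
        if ch == '"':  # copy the string literal verbatim, honouring backslash escapes
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(ch)
            i += 1
    return TRAILING_COMMA_RE.sub(r"\1", "".join(out))


def scan_tasks(tasks_json: str, repo_root: Path) -> list[str]:
    """Return human-readable findings for one tasks.json and the checkout it lives in."""
    findings = []
    for task in json.loads(strip_jsonc(tasks_json)).get("tasks", []):
        label = task.get("label", "<unnamed>")
        # runOn: folderOpen is the trigger TasksJacker relies on.
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append(f"{label}: runs automatically on folderOpen")
        words = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        tokens = " ".join(words).split()
        if not tokens:
            continue
        runtime = Path(tokens[0]).name.lower()
        for tok in tokens[1:]:
            ext = Path(tok).suffix.lower()
            if not ext or tok.startswith("-"):
                continue
            # A JS runtime pointed at a .woff2/.dict/.png is the Fake Font / Malicious Dictionary pattern.
            if runtime in JS_RUNTIMES and ext not in SCRIPT_EXT:
                findings.append(f"{label}: {runtime} executes non-script file {tok}")
            target = repo_root / tok
            if ext in FONT_MAGIC and target.is_file():
                head = target.read_bytes()[:4]
                if not head.startswith(FONT_MAGIC[ext]):
                    findings.append(f"{label}: {tok} is not a {ext} font (starts with {head!r})")
    return findings


SAMPLE_TASKS_JSON = r'''{
  // Constructed sample modelled on the Fake Font sub-campaign; not a real artifact.
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Prepare assets",
      "type": "shell",
      "command": "node public/fonts/fa-brands-regular.woff2",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    }
  ]
}'''


def demo() -> list[str]:
    """Build a throwaway checkout whose 'font' is hex text, then scan it."""
    root = Path(tempfile.mkdtemp())
    font = root / "public" / "fonts" / "fa-brands-regular.woff2"
    font.parent.mkdir(parents=True)
    font.write_bytes(b'console.log("stand-in payload")'.hex().encode())  # hex text, not wOF2
    return scan_tasks(SAMPLE_TASKS_JSON, root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it over every .vscode/tasks.json in a clone before opening the folder in VS Code, and treat any folderOpen task as a reason to read the file by hand. VS Code's task.allowAutomaticTasks setting can be set to off to stop automatic tasks from running at all; that is a cheap organisation-wide mitigation for both TasksJacker and the Contagious Interview variant that uses the same trigger.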
Phase 2: Weaponization via PolinRider
PolinRider weaponizes credentials stolen by TasksJacker. The threat actor forks popular open source projects and submits malicious pull requests, injecting payloads into JavaScript config files that execute during builds but rarely receive scrutiny in code review. Targets included projects with 1 million+ combined GitHub stars, among them Microsoft VS Code, Apache Superset, Rails, LangFlow, and Expo. Three PRs were successfully merged into production repositories before detection. The same temp_auto_push.bat script and TRON C2 addresses appear in both campaigns, confirming they are two phases of a single operation. See the #polinrider tag for all associated threat reports.
Threat actor: TeamPCP
TeamPCP (also tracked as DeadCatx3, PCPcat, and ShellForce) is a financially motivated, cloud-native threat actor. In 2026, they rapidly upgraded their capability from opportunistic cryptomining into sophisticated multi-stage supply chain operations. Unlike other threat actor groups, TeamPCP openly claims attacks and has even given public interviews about their operations. See the #teampcp tag for nearly 400 associated threat reports that include packages, GitHub repos, domains, IP addresses and container images.
Unnamed March-April Campaign
Over roughly five days beginning March 19, 2026 (while many of us were at BSidesSF and RSAC), TeamPCP executed a cascading supply chain attack seeded by a single unrevoked credential retained from an incomplete rotation at Aqua Security. Using the aqua-bot service account’s PAT, they force-pushed malicious commits to 76 version tags across Trivy’s GitHub Actions repositories, distributing a credential-stealing payload to every CI runner that executed the action. npm publish tokens harvested from those runners fueled the CanisterWorm deployment across 66+ packages (more on CanisterWorm below). BerriAI’s CI pipeline for LiteLLM ran Trivy during the exposure window, handing TeamPCP the PyPI publishing token for the project’s co-founder. Two malicious LiteLLM versions followed on March 23-24, with the second adding a .pth file that Python’s site module executes on every interpreter startup. The Telnyx PyPI token was most likely swept in the same harvest. On March 27, two malicious Telnyx versions appeared on PyPI hiding the final payload inside WAV audio files. A parallel Checkmarx phase deployed nearly identical credential stealers into checkmarx/ast-github-action and checkmarx/kics-github-action, with malicious OpenVSX extensions published through a compromised Checkmarx account.
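The .pth trick in the second malicious LiteLLM release works because Python's site module exec()s any line of a .pth file that begins with "import"; every other line is just appended to sys.path. The audit below is an added example for this article, not code from the campaign or from any project named here. It lists every executable .pth line in a site directory and marks as suspicious those that chain statements or reach for decoding and exec primitives, then runs the same audit over the current interpreter's site directories. The three .pth files it creates in a temporary directory are constructed, and the "stage2" string it embeds is a base64 print statement, not a real payload.

```python
"""Audit .pth files: Python's site module exec()s any line that starts with "import"."""
import base64
import re
import site
import tempfile
from pathlib import Path

# site.addpackage() executes a .pth line when it begins with "import " or "import\t";
# every other non-blank, non-"#" line is appended to sys.path as a directory.
EXEC_LINE_RE = re.compile(r"^import[ \t]")
SUSPICIOUS_RE = re.compile(
    r"exec\(|eval\(|compile\(|base64|zlib|marshal|os\.system|subprocess|socket|urllib|\\x[0-9a-f]{2}",
    re.I,
)


def audit_pth_dir(site_dir) -> list[tuple[str, int, str, str]]:
    """Return (file, line number, severity, line) for every line site would execute."""
    findings = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for lineno, line in enumerate(pth.read_text(errors="replace").splitlines(), 1):
            if not EXEC_LINE_RE.match(line):
                continue
            # Several statements on one line, or decode/exec primitives, is the loader pattern.
            hot = ";" in line or SUSPICIOUS_RE.search(line) is not None
            findings.append((pth.name, lineno, "suspicious" if hot else "executable", line[:160]))
    return findings


def audit_current_interpreter():
    """Run the audit over every site directory this interpreter consults on startup."""
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    return [f for d in dirs if Path(d).is_dir() for f in audit_pth_dir(d)]


def demo():
    """Constructed site-packages: one path entry, one plain import, one loader line."""
    root = Path(tempfile.mkdtemp())
    (root / "editable-mypkg.pth").write_text("/opt/mypkg/src\n")  # only extends sys.path
    (root / "_virtualenv.pth").write_text("import _virtualenv\n")  # common and legitimate
    stage2 = base64.b64encode(b'print("constructed stand-in")').decode()
    (root / "zzz-loader.pth").write_text(
        f"import sys,os,base64;exec(base64.b64decode('{stage2}'))\n"  # would run on every startup
    )
    return audit_pth_dir(root)


if __name__ == "__main__":
    for entry in demo():
        print(*entry)
```

Legitimate single-import lines exist (virtualenv and setuptools ship them), so the "executable" tier is a review list, not an alert; the "suspicious" tier is. When investigating a host, run the audit with python -S so the interpreter does not process .pth files while you are looking at them.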
After a 26-day pause, TeamPCP resumed activity on April 22 with three compromises inside an 83-minute window: they poisoned the official Checkmarx KICS Docker Hub image, tampered with the checkmarx/ast-github-action workflow, and pushed malicious VS Code and OpenVSX extensions. Those Checkmarx credentials then became the pivot point for the campaign's highest-profile victim: the Bitwarden CLI. Version 2026.4.0 of @bitwarden/cli appeared on npm on April 22 and remained available for approximately 90 minutes before it was detected and removed. The malware rewired both the preinstall hook and the bw binary entrypoint to a custom loader that downloaded a Bun runtime from GitHub and executed a credential-stealing payload, exfiltrating npm tokens, SSH keys, AWS credentials, GCP credentials, Azure Key Vault secrets, and GitHub Actions secrets.
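Both phases of this campaign ran through GitHub Actions that consumers referenced by tag, so a force-pushed tag was enough to change what every downstream CI runner executed. The audit below is an added example written for this article, not tooling from Aqua, Checkmarx or TeamPCP. It lists every uses: reference in a workflow that is not pinned to a full commit SHA (or an image digest, for docker:// actions), and separately diffs two git ls-remote --tags listings to surface tags whose commit changed. The workflow text, the 40-hex placeholder SHA, and the two tag listings are constructed; the action names are real projects used only as illustrative references.

```python
"""Audit GitHub Actions workflows for mutable action refs, and spot force-moved tags."""
import re

# Matches "uses: owner/repo@ref", "uses: ./local" and "uses: docker://image:tag";
# a trailing "# v1.2" comment after the reference is ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_yaml: str) -> list[str]:
    """Return every 'uses:' reference that a tag move or force-push could redirect."""
    findings = []
    for m in USES_RE.finditer(workflow_yaml):
        ref_spec = m.group(1)
        if ref_spec.startswith("./"):
            continue  # action in this repository: fixed by the workflow's own commit
        if ref_spec.startswith("docker://"):
            pinned = "@sha256:" in ref_spec
        else:
            action, _, ref = ref_spec.rpartition("@")
            pinned = bool(action) and SHA_RE.match(ref) is not None
        if not pinned:
            findings.append(ref_spec)
    return findings


def moved_tags(before: str, after: str) -> list[str]:
    """Compare two 'git ls-remote --tags' listings; return tags whose commit changed."""
    def parse(listing):
        pairs = (line.split("\t", 1) for line in listing.strip().splitlines() if "\t" in line)
        return {ref: sha for sha, ref in pairs}
    b, a = parse(before), parse(after)
    return sorted(ref for ref in b if ref in a and a[ref] != b[ref])


# Constructed workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/setup
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: docker://ghcr.io/example/scanner:latest
"""

# Constructed ls-remote snapshots: v0.1.0 kept its commit; v0.2.0 and its annotated peel moved.
TAGS_BEFORE = (
    "aaaa000000000000000000000000000000000000\trefs/tags/v0.1.0\n"
    "bbbb000000000000000000000000000000000000\trefs/tags/v0.2.0\n"
    "bbbb000000000000000000000000000000000001\trefs/tags/v0.2.0^{}\n"
)
TAGS_AFTER = (
    "aaaa000000000000000000000000000000000000\trefs/tags/v0.1.0\n"
    "cccc000000000000000000000000000000000000\trefs/tags/v0.2.0\n"
    "cccc000000000000000000000000000000000001\trefs/tags/v0.2.0^{}\n"
)

if __name__ == "__main__":
    print(unpinned_actions(SAMPLE_WORKFLOW))
    print(moved_tags(TAGS_BEFORE, TAGS_AFTER))
```

Pinning to a SHA only covers the top level: an action's own uses: lines and its Docker base image need the same treatment, and moved_tags only helps if you kept an earlier ls-remote snapshot to compare against.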

CanisterWorm Malware
CanisterWorm is TeamPCP’s self-propagating npm worm. Its distinguishing characteristic is its C2 infrastructure: rather than using traditional domains or IPs, it polls an ICP Canister node for dynamic payload delivery every 50 minutes, making it resistant to standard domain seizure. Once installed via a malicious postinstall hook, it reads npm publish tokens from the victim’s environment, enumerates every package the compromised account can publish to, bumps patch versions, and republishes with the malicious payload intact. The initial burst compromised 28 packages in the @emilgroup scope in under 60 seconds; the full campaign reached 141 artifacts across 66+ packages. CanisterSprawl — an evolution of the CanisterWorm malware — hit npm, PyPI, and Docker Hub between April 21-23. See the #canisterworm tag for all associated threat reports.
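CanisterWorm's republished versions and the Bitwarden CLI release above change the same few manifest fields: a lifecycle script, a bin entrypoint, or a newly added dependency. The checker below is an added example for this article, not code from OpenSourceMalware, Bitwarden or TeamPCP. It diffs two package.json documents on exactly those fields. The two manifests are constructed to have the shape of the Bitwarden CLI compromise (a preinstall hook and a rewired bin target); @example/cli, the paths and plain-helper are placeholders, not the real package contents.

```python
"""Diff two versions of a package.json for the fields a supply chain implant needs to change."""
import json

# Scripts npm runs without being asked, in the order they fire during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def _bins(manifest: dict) -> dict:
    """Normalise "bin" to {command: path}; a bare string means the package name is the command."""
    bins = manifest.get("bin", {})
    return {manifest.get("name", ""): bins} if isinstance(bins, str) else dict(bins)


def audit_manifest_change(previous_json: str, current_json: str) -> list[str]:
    """One line per changed lifecycle script, changed bin entrypoint, or newly added dependency."""
    prev, cur = json.loads(previous_json), json.loads(current_json)
    findings = []
    pscripts, cscripts = prev.get("scripts", {}), cur.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if pscripts.get(hook) != cscripts.get(hook):
            findings.append(f"scripts.{hook}: {pscripts.get(hook)!r} -> {cscripts.get(hook)!r}")
    pbins, cbins = _bins(prev), _bins(cur)
    for cmd in sorted(set(pbins) | set(cbins)):
        if pbins.get(cmd) != cbins.get(cmd):
            findings.append(f"bin.{cmd}: {pbins.get(cmd)!r} -> {cbins.get(cmd)!r}")
    # New runtime or optional dependencies are how axios-style transitive implants arrive.
    for field in ("dependencies", "optionalDependencies"):
        for dep in sorted(set(cur.get(field, {})) - set(prev.get(field, {}))):
            findings.append(f"{field}: added {dep}@{cur[field][dep]}")
    return findings


# Constructed manifests; names, paths and versions are placeholders.
PREVIOUS = json.dumps({
    "name": "@example/cli", "version": "2026.3.0",
    "bin": {"excli": "./build/excli.js"},
    "scripts": {"build": "tsc", "test": "jest"},
    "dependencies": {"commander": "^12.0.0"},
})
CURRENT = json.dumps({
    "name": "@example/cli", "version": "2026.4.0",
    "bin": {"excli": "./build/loader.js"},
    "scripts": {"build": "tsc", "test": "jest", "preinstall": "node build/loader.js --setup"},
    "dependencies": {"commander": "^12.0.0", "plain-helper": "1.0.0"},
})

if __name__ == "__main__":
    for line in audit_manifest_change(PREVIOUS, CURRENT):
        print(line)
```

Feed it the manifests from the registry (npm view <pkg>@<version> --json prints them) for the version you have and the version you are about to take. Note that npm install --ignore-scripts blocks the preinstall hook but not the rewired bin entrypoint: the loader still runs the first time someone invokes the CLI.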
Mini Shai-Hulud Campaign
Mini Shai-Hulud (not affiliated with the 2025 Shai-Hulud campaign) launched April 29, 2026, targeting high-download legitimate npm packages by compromising publisher accounts via stolen tokens. The malware injects a self-propagating worm that walks the victim’s accessible GitHub repositories and writes a malicious .vscode/tasks.json with a folderOpen trigger into up to 50 branches per repository, alongside a Claude Code SessionStart hook. The worm’s payload uses the Bun runtime downloaded from the official oven-sh release rather than Node.js, evading detection rules tuned to Node process trees.
The campaign opened with four core SAP CAP ecosystem packages on April 29. It escalated sharply the week of May 11 with 172 additional packages compromised, including the hugely popular TanStack packages. The folderOpen persistence primitive is a direct lift from PolinRider's tradecraft, crossing from a DPRK-aligned actor to a financially motivated one within two months of public documentation. In our previous blog on trends during this period we highlighted a massive spike in ATOs around this time; almost all of them are attributable to this campaign. Access to TanStack enabled TeamPCP to poison a VS Code extension for Nx that was consumed by a GitHub employee, resulting in 5,000 private repositories being exposed. See the #mini-shai-hulud tag for all associated threat reports.
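Both the Bitwarden CLI loader and the Mini Shai-Hulud worm execute their payload under a freshly downloaded Bun, so a rule that only watches node children misses them. The detection below is an added example for this article, not a rule from OpenSourceMalware or any vendor. It works from process-exec events with pid, ppid, executable path and command line (a shape you would map your EDR or auditd fields onto; the field names are an assumption) and flags any bun/bunx process that either runs from outside the usual install locations or descends from a package-manager install. The six events are constructed: a compromised package's preinstall chain ending in a Bun dropped under /tmp, and a developer's own bun run dev for contrast.

```python
"""Flag Bun executions that arrive through a package install rather than a developer's toolchain."""
import os
from collections import namedtuple

# Constructed process-exec event shape; map your EDR/auditd fields onto it.
Proc = namedtuple("Proc", "pid ppid exe cmdline")

PACKAGE_MANAGERS = {"npm", "npx", "pnpm", "yarn", "node"}
# Where a deliberately installed Bun normally lives; a payload-fetched Bun lands in a temp or cache dir.
TRUSTED_BUN_DIRS = ("/usr/local/bin/", "/opt/homebrew/bin/", os.path.expanduser("~/.bun/bin/"))


def ancestors(by_pid: dict, pid: int) -> list:
    """Walk ppid links upward, stopping at a missing parent or a cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid].ppid
        if parent not in by_pid:
            break
        chain.append(by_pid[parent])
        pid = parent
    return chain


def flag_bun_spawns(events: list) -> list:
    """Return (pid, reasons) for every bun/bunx process that looks payload-driven."""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        if os.path.basename(p.exe) not in ("bun", "bunx"):
            continue
        reasons = []
        if not p.exe.startswith(TRUSTED_BUN_DIRS):
            reasons.append(f"binary outside trusted locations: {p.exe}")
        for anc in ancestors(by_pid, p.pid):
            # npm itself runs as `node .../npm-cli.js install`, so match on the argv token.
            if os.path.basename(anc.exe) in PACKAGE_MANAGERS and "install" in anc.cmdline.split():
                reasons.append(f"descends from package install (pid {anc.pid}: {anc.cmdline})")
                break
        if reasons:
            findings.append((p.pid, reasons))
    return findings


HOME_BUN = os.path.expanduser("~/.bun/bin/bun")
# Constructed events: an install-time loader chain (100-103) and a developer's own Bun (200-201).
SAMPLE_EVENTS = [
    Proc(100, 1, "/usr/bin/node", "node /usr/lib/node_modules/npm/bin/npm-cli.js install"),
    Proc(101, 100, "/bin/sh", "sh -c node build/loader.js --setup"),
    Proc(102, 101, "/usr/bin/node", "node build/loader.js --setup"),
    Proc(103, 102, "/tmp/.cache/bun-linux-x64/bun", "/tmp/.cache/bun-linux-x64/bun run /tmp/.cache/stage2.ts"),
    Proc(200, 1, "/bin/zsh", "zsh"),
    Proc(201, 200, HOME_BUN, "bun run dev"),
]

if __name__ == "__main__":
    for pid, reasons in flag_bun_spawns(SAMPLE_EVENTS):
        print(pid, *reasons, sep="\n  ")
```

The lineage check is the important half: a payload can copy Bun into a trusted-looking directory, but it cannot change the fact that it was spawned under npm install. Extend PACKAGE_MANAGERS with whatever else runs lifecycle scripts in your environment, and do not whitelist Bun itself, since the actor downloads the official oven-sh build.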
Unattributed Attacks
OpenSourceMalware records the threat actor on each threat report so that defenders can pivot across reports and understand the extent of an attack. Knowing who is behind an attack satisfies curiosity, but more importantly it matters to incident responders and analysts. Linking the anonymous accounts behind malicious packages to known threat actor groups is hard, though: unless a group claims an attack or reuses distinctive tradecraft, security researchers often cannot make a reliable attribution.
Of all the malicious packages reported in this period, just 10.5% can be attributed to a known threat actor group:
4.7%: Lazarus Group (North Korean state-sponsored threat actor) was identified through years of corroborated infrastructure and payload research
5.8%: TeamPCP, confirmed through the group’s own public claims
89.5%: Malware without attribution

Glassworm Campaign
Glassworm has been targeting software developers since at least early 2025, first documented using malicious OpenVSX extensions. Experts (including us) theorize the threat actor group is likely Russian, based on geofencing and other indicators. The campaign expanded steadily into 2026, escalating sharply in March 2026 with 72 additional malicious OpenVSX extensions, 151 compromised GitHub repositories, and malicious npm and Python packages. The 2026 activity all uses the same force-push git history rewriting technique documented in TasksJacker, but deployed independently. Its C2 infrastructure spanned four channels simultaneously: the Solana blockchain, BitTorrent DHT, Google Calendar, and direct servers. On May 26, CrowdStrike (with help from Google and the Shadowserver Foundation) took down all four channels. That will slow Glassworm down, but it is probably not the last we have seen of this actor. See the #glassworm tag for all associated threat reports.
Axios Compromise
On March 30, 2026, unknown actors compromised axios via account takeover of the package's npm maintainer. This was significant because axios averages millions of weekly downloads. Rather than modifying the package code, the attacker injected a malicious transitive dependency, plain-crypto-js. This technique evades any audit that only looks at a project's direct dependencies. The malware deployed cross-platform remote access trojans (RATs) using multi-stage payloads and heavy obfuscation, with C2 at sfrclak[.]com. See the #sfrclak tag for all associated threat reports.
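A review of package.json would never have shown plain-crypto-js; only the resolved tree does. The walker below is an added example for this article, not code from the axios project or from OpenSourceMalware. It reads a package-lock.json in lockfileVersion 2 or 3 form (the "packages" map), applies Node's nearest-node_modules lookup to follow each dependency edge, and returns every chain from the project root to a named package together with where each copy was resolved from and whether it carries an install script. The lockfile is constructed to mirror the incident's shape; its versions, the follow-redirects entry and the registry URLs are illustrative, not the real values.

```python
"""Walk a package-lock.json (lockfileVersion 2/3) to show how a package actually arrives in the tree."""
import json
from collections import deque
from urllib.parse import urlparse


def pkg_name(path: str) -> str:
    """'node_modules/axios/node_modules/@scope/x' -> '@scope/x'."""
    return path.rsplit("node_modules/", 1)[-1]


def resolve(packages: dict, from_path: str, dep: str):
    """Node's lookup: nearest node_modules/<dep> at or above from_path, else None."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        cut = base.rfind("/node_modules/")
        base = base[:cut] if cut != -1 else ""


def direct_dependencies(lock: dict) -> list:
    """What a package.json-only audit sees."""
    root = lock["packages"][""]
    return sorted(list(root.get("dependencies", {})) + list(root.get("devDependencies", {})))


def dependency_chains(lock: dict, target: str) -> list:
    """Every path from the project root to `target`, as ['root', 'a@1.0.0', ..., 'target@x.y.z']."""
    packages = lock["packages"]
    chains, expanded = [], set()
    queue = deque([("", [lock.get("name", "<root>")])])
    while queue:
        path, chain = queue.popleft()
        entry = packages[path]
        deps = list(entry.get("dependencies", {})) + list(entry.get("optionalDependencies", {}))
        if path == "":
            deps += list(entry.get("devDependencies", {}))
        for dep in deps:
            dep_path = resolve(packages, path, dep)
            if dep_path is None:
                continue  # skipped optional dependency, or a lockfile that is out of date
            dep_chain = chain + [f"{dep}@{packages[dep_path].get('version', '?')}"]
            if dep == target:
                chains.append(dep_chain)
            if dep_path not in expanded:
                expanded.add(dep_path)
                queue.append((dep_path, dep_chain))
    return chains


def provenance(lock: dict, target: str) -> list:
    """(path, version, registry host, has install script) for each copy of `target` in the tree."""
    out = []
    for path, entry in lock["packages"].items():
        if path and pkg_name(path) == target:
            host = urlparse(entry.get("resolved", "")).netloc or "<no resolved url>"
            out.append((path, entry.get("version"), host, bool(entry.get("hasInstallScript"))))
    return out


# Constructed lockfile modelled on the axios incident; versions and URLs are illustrative.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.0.0"}},
        "node_modules/axios": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.0.0.tgz",
            "dependencies": {"follow-redirects": "^1.15.0", "plain-crypto-js": "1.0.0"},
        },
        "node_modules/follow-redirects": {
            "version": "1.15.0",
            "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.0.tgz",
        },
        "node_modules/plain-crypto-js": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/plain-crypto-js/-/plain-crypto-js-1.0.0.tgz",
            "hasInstallScript": True,
        },
    },
}

if __name__ == "__main__":
    print("direct:", direct_dependencies(SAMPLE_LOCK))
    print("chains:", dependency_chains(SAMPLE_LOCK, "plain-crypto-js"))
    print("from:", provenance(SAMPLE_LOCK, "plain-crypto-js"))
```

Point it at a real file with json.load(open("package-lock.json")). The walk is the same one npm ls <name> performs against an installed tree, but it needs no install, which matters when the thing you are auditing is the package that would run a postinstall hook. Lockfiles at version 1 nest "dependencies" instead of using "packages" and need a different reader.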
Stardrop Campaign
Stardrop is an ongoing npm campaign first detected on April 9, 2026. The campaign published more than 320 novel packages (i.e. not ATOs) pretending to be a fictional AI coding agent, with names targeting AI companies, venture capital firms, and luxury brands. The packages use platform-specific optional dependencies containing pre-compiled binaries. On execution, they display a fake onboarding prompt asking for OpenAI or Anthropic API keys while harvesting credentials in the background. npm removed the packages rapidly, but there are confirmed instances persisting on Chinese and European npm mirrors. See the #stardrop tag for all associated threat reports.
Moika Campaign
Moika is named for oob[.]moika[.]tech, the C2 domain shared by threats in this campaign. Beginning May 27, 2026, four npm accounts published 183 packages across nine scoped namespaces impersonating internal tooling at a Russian cloud platform provider, a financial institution (Sberbank), and the EMCD cryptocurrency exchange. The packages used dependency confusion tradecraft: inflated version numbers, crafted READMEs with fabricated internal registry URLs and Jira links, and postinstall hooks that exfiltrated the full set of environment variables. A hardcoded X-Secret header value ties all four accounts to a single operator. The campaign is genuinely ambiguous in intent: the primary account, mr.4nd3r50n, has a documented bug bounty history on the same namespaces dating to April 2024, the payload ran in RECON_ONLY mode throughout, and two packages carried explicit "BugBounty testing" markers alongside active stealers. Whether this was an authorized security exercise that went too far, an unsanctioned research project, or a deliberate attack campaign is unknown. See the #moika tag for all associated threat reports.