Skip to content
supplychainattack.orgSupply chain attack incident catalog

Malicious npm Packages Impersonate AI and MCP Tooling

A wave of malicious npm packages flagged July 7-8, 2026 impersonates AI, MCP, and crypto developer tools to steal credentials and inject rogue MCP servers.

Published 6 min read
npmmalwareaimcpcredential-theftsupply-chain

On July 7 and 8, 2026, we recorded a fresh batch of malicious npm packages, and the pattern is hard to miss. A large share of them impersonate AI and Model Context Protocol (MCP) developer tools. Names like anthropic-toolkit, mcp-server-pg, @langgraphjs/toolkit, openai-agents-helpers, and ollama-helpers sit next to typosquats of everyday build tooling such as nodemon-node and ts-await. These malicious npm packages follow tradecraft that researchers have tracked across the registry all through 2026, now pointed squarely at developers building AI agents.

What happened

Across those two days we flagged 25 npm packages as malware. The two newest, nodemon-node and ts-await, were added on July 8. The rest were added on July 7. Per-package version numbers, publisher accounts, and download counts for this specific wave are still being confirmed, so treat any single figure as provisional until the registry data settles.

The set splits into three clusters:

  • AI and MCP tooling impersonation: anthropic-toolkit, mcp-server-pg, @langgraphjs/toolkit, openai-agents-helpers, and ollama-helpers. These names mimic packages a developer wiring up an AI agent or an MCP server would plausibly type.
  • Crypto and wallet bait: crypto-base58, solana-address-codec, and tx-guard-snap. This cluster follows the long-running pattern of npm malware aimed at wallet keys and signing material.
  • Typosquats and lookalikes of popular libraries: zod-pino434, zod-pino444, chai-chain-dom, express-firegate, express-deflect, nuxt-fonts-devtools, jsf-utils, debugcli, notifier-utils, some-theme, hook-augmenting-module, @apexcraft/nano-key, @43uh3ig43/telemetry-client, @engagehub/core, and @engagehub/test-claim.

The clusters may not share a single operator. Same-day flagging groups them by discovery date, not by attribution. What ties the AI cluster to the wider story is the target selection, which matches documented 2026 activity.

Why AI and MCP tooling is the target

MCP is the protocol that connects AI assistants to external tools and data. An MCP server is a small process that an assistant like Claude or Cursor calls to read files, query databases, or hit APIs. That makes an MCP package an ideal delivery point: it runs on the developer's machine, it is expected to touch local files and secrets, and its behavior is opaque to the human using the assistant.

Attackers noticed this early. OX Security reported an npm worm that steals tokens, environment variables, and API keys, and that injects malicious MCP servers into developer tooling as it spreads. The Hacker News documented a module its authors called "McpInject" that deploys a rogue MCP server and registers three innocuous-looking tools, each carrying a prompt injection that instructs the assistant to read files like ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.npmrc, and .env, then stage them for exfiltration. That report lists Claude Code, Claude Desktop, Cursor, and Visual Studio Code as targets. The July AI cluster is the same idea packaged under new, believable names.

How the attack works

The mechanics are consistent across the 2026 campaigns, even when the branding changes.

  • Install-time execution. A postinstall lifecycle script runs the moment the package lands, before any of your code imports it. Microsoft's analysis of a May 2026 dependency-confusion campaign described the payload as a 7 to 13 KB obfuscator.io-style stager using string-array encoding and control-flow flattening.
  • Credential harvesting. The stager sweeps for SSH keys, cloud credentials, npm and GitHub tokens, and .env files, then exfiltrates them.
  • MCP injection. Where an AI assistant is present, the payload writes or edits MCP configuration so a malicious server is loaded on the next session, giving the attacker a persistent foothold that survives the package being removed.
  • Optional worm behavior. Part of this year's activity self-propagates. Palo Alto Networks' Unit 42 tracked the Shai-Hulud worm and its April 29, 2026 successor known as Mini Shai-Hulud, attributed to a cluster it calls TeamPCP, which uses the registry as a force multiplier by republishing the payload through any maintainer credentials it captures.

Timeline of the 2026 npm campaign

  • April 22, 2026: Socket flagged Namastex.ai packages, including @automagik/genie@4.260421.36, as TeamPCP-style Canister Worm activity with exfiltration and self-propagation aimed at specialized developer workflows.
  • April 29, 2026: Unit 42 dated the start of the Mini Shai-Hulud wave.
  • May 14, 2026: StepSecurity reported three malicious node-ipc versions (9.1.6, 9.2.3, and 12.0.1), each carrying an identical 80 KB obfuscated credential stealer. node-ipc has over 10 million weekly downloads.
  • May 28 to 29, 2026: Microsoft detailed 33 packages published under spoofed organization scopes with inflated versions such as 99.0.7 and 100.100.100 to win npm's dependency resolution.
  • June 1, 2026: Unit 42 reported at least 32 packages compromised under the @redhat-cloud-services namespace, carrying a payload named Miasma.
  • July 7 to 8, 2026: the wave described here, weighted toward AI and MCP tooling impersonation.

Who is affected

The people most exposed are Node and JavaScript developers who install packages by name while building AI features, especially anyone standing up MCP servers or agent frameworks. Machines running Claude Code, Claude Desktop, Cursor, or VS Code with MCP enabled are the specific prize because the injection turns a one-time install into ongoing access.

CI and build systems are next. A postinstall script in a pipeline runs with whatever secrets the job holds, which is usually cloud keys, registry tokens, and deploy credentials. Crypto developers who pulled crypto-base58, solana-address-codec, or tx-guard-snap should assume wallet material was a target.

How to check if you are affected

Start by checking whether any flagged name is in your tree. Adjust the list to the packages relevant to you.

npm ls anthropic-toolkit mcp-server-pg @langgraphjs/toolkit openai-agents-helpers \
  ollama-helpers nodemon-node ts-await crypto-base58 solana-address-codec tx-guard-snap

Grep the lockfile directly, since a transitive dependency can pull one in without it showing at the top level:

grep -E "anthropic-toolkit|mcp-server-pg|langgraphjs/toolkit|openai-agents-helpers|ollama-helpers|nodemon-node|ts-await|crypto-base58|solana-address-codec|tx-guard-snap" package-lock.json

If you use an AI assistant, inspect its MCP configuration for servers you did not add:

cat ~/Library/Application\ Support/Claude/claude_desktop_config.json 2>/dev/null
cat ~/.cursor/mcp.json 2>/dev/null

Finally, review recent CI job logs for outbound network calls during the install phase and for reads of ~/.ssh, ~/.aws/credentials, ~/.npmrc, or .env.

Remediation

If you find a match, treat it as a credential compromise, not just a bad dependency.

Remove the package and reinstall cleanly with scripts disabled:

npm uninstall <package-name>
rm -rf node_modules package-lock.json
npm install --ignore-scripts

Set ignore-scripts as a default going forward, keeping in mind it is a partial control:

npm config set ignore-scripts true

Then rotate everything the payload could have read: SSH keys, cloud provider keys, npm and GitHub tokens, and any secret that lives in a .env file or a CI variable. Remove any MCP server you did not add, restart the assistant, and confirm the config stays clean. In CI, invalidate the job's tokens and check downstream systems those tokens can reach.

Attribution for this specific July wave is not established publicly at the time of writing. The safe assumption is that it continues the year's pattern, so pin known-good versions and avoid automatic upgrades on the affected scopes until the registry data is confirmed.

FAQ

Is nodemon-node safe to use?

No. It is not the popular file-watcher, which is published as nodemon. nodemon-node is a lookalike we flagged as malware on July 8, 2026. Uninstall it, use the real nodemon, and rotate any secrets that were on the machine during the install.

How do I know if I am affected by this npm malware wave?

Run npm ls and grep your lockfile for the flagged names, then check your AI assistant's MCP config for servers you did not add. If any match, assume the credentials reachable from that machine or CI job are exposed and rotate them.

What is an MCP injection attack?

It is when malware edits an AI assistant's Model Context Protocol configuration to load an attacker-controlled server. That server can register tools whose descriptions contain prompt injections telling the assistant to read local secrets and send them out, which keeps working even after you remove the original package.

Does npm's ignore-scripts flag stop this?

It helps but it is not complete. Reporting summarized by TechTimes notes documented bypasses, including packages that use native extensions via binding.gyp, and CVE-2025-69263, where a malicious .npmrc in a git dependency can override the git binary. Use ignore-scripts, and pair it with behavior monitoring and dependency pinning.

Sources

  1. The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) · Palo Alto Networks Unit 42
  2. Namastex.ai npm Packages Hit with TeamPCP-Style Canister Worm · Socket
  3. Newly discovered NPM worm is hijacking CI workflows and targeting AI-based packages · OX Security
  4. Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens · The Hacker News
  5. Malicious npm packages abuse dependency confusion to profile developer environments · Microsoft Security Blog
  6. Active Supply Chain Attack: Malicious node-ipc Versions Published to npm · StepSecurity