Malicious maintainer incidents
6 confirmed incidents involving the malicious-maintainer technique.
400+ AUR Packages Hijacked: What the "Atomic Arch" Campaign Means for Supply-Chain Security
Status: contained | Severity: high
On June 11, 2026, attackers hijacked over 400 packages in the Arch User Repository (AUR), converting them into a malware delivery network. The "Atomic Arch" campaign represents a large-scale compromise of developer accounts or package maintainers within the Arch Linux ecosystem.
Tags: Atomic Arch, Other, Account takeover, Malicious maintainer

The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave
Status: active | Severity: critical
TeamPCP conducted a multi-ecosystem supply chain compromise targeting the @antv package and associated development infrastructure. The attack leveraged GitHub, NPM, and VSCode to steal credentials and establish persistence mechanisms.
Tags: TeamPCP, npm, Other, Account takeover, Compromised package, Malicious maintainer

TeamPCP Injects Two-Stage Credential Stealer into xinference PyPI Package
Status: contained | Severity: critical
The xinference package on PyPI was compromised with a two-stage credential stealer attributed to the TeamPCP threat actor. The malicious code was injected into the package, potentially affecting users who installed compromised versions.
Tags: TeamPCP, PyPI, Compromised package, Malicious maintainer

lightning: Obfuscated JavaScript Credential Stealer Bundled in PyPI Wheel
Status: contained | Severity: high
The lightning PyPI package versions 2.6.2 and 2.6.3 were compromised on April 30, 2026, containing obfuscated JavaScript code designed to steal credentials. The project's GitHub account showed signs of compromise, with suspicious responses closing vulnerability reports.
Tags: Mini Shai Hulud, PyPI, Compromised package, Malicious maintainer

Behind the Scenes: How StepSecurity Detected and Helped Remediate the Largest npm Supply Chain Attack
Status: resolved | Severity: critical
StepSecurity detected a compromise of axios, described as the largest npm supply chain attack on a single package by download count. A state-sponsored threat actor is reported to have actively suppressed warnings by deleting GitHub issues. Detection occurred before public disclosure.
Tags: UNC1069, npm, Compromised package, Malicious maintainer

Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor
Status: active | Severity: critical
Three IoliteLabs VSCode extensions (solidity-macos, solidity-windows, solidity-linux) contained obfuscated backdoors targeting Solidity and Web3 developers across Windows, macOS, and Linux. The backdoors download remote payloads and establish persistence mechanisms on infected systems.
Tags: Container registry, Other, Compromised package, Malicious maintainer