npm Supply Chain Worm Harvests Developer Credentials, Persists After Package Removal

A sophisticated supply chain attack campaign has compromised 172 npm and PyPI packages since May 11, embedding a credential-harvesting worm that survives package removal on affected development workstations. Security researchers warn that any environment that installed or imported these packages should be treated as compromised. The campaign, attributed to the TeamPCP threat actor, represents a significant escalation in software supply chain attacks, specifically targeting the development tools and credential stores that underpin modern software infrastructure.

The worm harvests credentials from over 100 file paths, including AWS keys, SSH private keys, npm tokens, GitHub personal access tokens, HashiCorp Vault tokens, Kubernetes service accounts, Docker configs, shell history, and cryptocurrency wallets. Notably, this campaign marks the first time TeamPCP has targeted password managers, specifically 1Password and Bitwarden. The attack also steals Claude and Kiro AI agent configurations, including MCP server authentication tokens for every external service an AI agent connects to—suggesting attackers are adapting to target the emerging AI-assisted development workflow.

Critically, the worm does not leave when the malicious package is removed. It establishes persistence through modifications to Claude Code settings (.claude/settings.json) and VS Code task configurations (.vscode/tasks.json with runOn: folderOpen), ensuring re-execution every time a project is opened. Additionally, it installs a system-level daemon—a macOS LaunchAgent or Linux systemd service—that survives reboots. Security teams managing development environments, CI/CD pipelines, and cloud infrastructure face immediate pressure to audit their toolchains and credential storage practices, as exposed access tokens could enable lateral movement into production systems.