Sonatype Security Research has identified two malicious npm packages — sbx-mask and touch-adv — that appear to result from a compromised maintainer account rather than intentional malicious creation. The packages were designed to extract sensitive credentials from users' systems.
The discovery suggests attackers targeted a trusted npm publisher to exploit the credibility established with developers. Sonatype reported the incident to npm and GitHub's Security Incident Response Team on 19 March 2026.
Technical Details
sbx-mask executes automatically via a postinstall script, collecting environment variables and transmitting them to a webhook.site endpoint using curl. touch-adv delays execution until application code invocation, reading TRACE_ID and environment variables, then sending data via POST request.
The distinction is significant: rather than relying solely on install-time execution, attackers are increasingly embedding malicious code deeper within npm packages to evade detection.
Attack Vector
Both packages harvest environment variables containing API keys, authentication tokens, and cloud service secrets. This targeting of CI/CD pipelines, cloud deployments, and developer machines poses substantial risk for downstream infrastructure compromise.
Response Recommendations
Organisations affected should immediately remove these packages, rotate all potentially exposed credentials, and review system and CI/CD logs for suspicious outbound network activity. Verification of dependency naming accuracy is also essential.
The incident underscores a broader trend: attackers are increasingly targeting upstream code to gain downstream access at scale. Even relatively obscure packages can act as entry points into CI/CD pipelines, developer machines, and production systems. Traditional perimeter security alone is no longer sufficient — organisations need proactive supply chain security, including continuous dependency monitoring, behavioural analysis, and tighter controls over third-party code.
