
Stardrop: New cross-industry npm campaign

The team at OpenSourceMalware (OSM) have identified a new software supply chain attack on the npm ecosystem, dubbed “stardrop”. A series of malicious packages masquerading as a new AI coding agent called stardrop were last published by the npm registry user arihant1 5 days ago and have since been removed from the registry.
According to the OSM community threat database, the malicious packages were reported minutes after being identified as containing a malicious payload on the 9th of April. Because the npm community removed these suspicious packages from the registry so quickly, the OSV and GHSA advisories were not able to classify them in time. That is fine, since the packages have been removed and pose no threat right now.
OSM scanned the binaries, and the payloads appear to be infostealers focused on harvesting cloud and AI credentials, including those for AWS EC2 and Cloudflare R2 storage. The payloads are adapted for Windows and macOS environments. The affected npm packages are listed below:
As always, if you’re a Cloudsmith user, you can apply age-based (cooldown) policies to block newly published packages. In the case of the stardrop campaign, the malicious npm packages were all removed less than a day after the campaign began.
Blocking packages that are less than X days old is one of the most effective ways to stop this class of attack, because it gives security researchers (like our friends at OSM) time to identify the suspicious payload. In 2025, 99% of malicious npm packages were identified and officially verified within 72 hours, so a simple cooldown policy significantly reduces this attack vector.
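One way to implement such a cooldown check against npm registry metadata, as an added example that is not Cloudsmith's own policy engine: it reads the `time` map of a packument (the JSON the registry returns for a package) and refuses any version younger than the window, falling back to the newest version that has aged past it. The packument below is constructed, with a hypothetical package name.

```javascript
// Added example, not code from Cloudsmith or OpenSourceMalware.
// A packument (GET https://registry.npmjs.org/<name>) carries a `time` map with an
// ISO-8601 publish timestamp per version, which is all a cooldown gate needs.

const COOLDOWN_DAYS = 3; // the 72-hour window mentioned in the post; tune per policy
const MS_PER_DAY = 86400000;

// Decide whether one concrete version has aged past the cooldown window.
// Returns a reason string so a proxy or CI step can log why a version was blocked.
function evaluateCooldown(packument, version, now, cooldownDays = COOLDOWN_DAYS) {
  const publishedAt = packument.time && packument.time[version];
  if (!publishedAt) {
    // Unknown version or missing metadata: a cooldown gate should fail closed.
    return { allowed: false, reason: `no publish time for ${packument.name}@${version}` };
  }
  const ageDays = (now.getTime() - Date.parse(publishedAt)) / MS_PER_DAY;
  if (ageDays < cooldownDays) {
    return { allowed: false, reason: `${packument.name}@${version} is ${ageDays.toFixed(2)} days old, under the ${cooldownDays}-day cooldown` };
  }
  return { allowed: true, reason: `${packument.name}@${version} published ${ageDays.toFixed(1)} days ago` };
}

// Resolve a dist-tag such as "latest" to a version first, then apply the same check.
function evaluateTag(packument, tag, now, cooldownDays = COOLDOWN_DAYS) {
  const version = packument['dist-tags'] && packument['dist-tags'][tag];
  if (!version) return { allowed: false, reason: `no dist-tag "${tag}" for ${packument.name}` };
  return evaluateCooldown(packument, version, now, cooldownDays);
}

// Newest version that has cleared the cooldown: what a gated resolver would install
// instead of the freshly published one. Sorting by publish time avoids a semver
// dependency; a real resolver would also honour the requested version range.
function newestAllowedVersion(packument, now, cooldownDays = COOLDOWN_DAYS) {
  const versions = Object.keys(packument.time || {}).filter(k => k !== 'created' && k !== 'modified');
  versions.sort((a, b) => Date.parse(packument.time[b]) - Date.parse(packument.time[a]));
  return versions.find(v => evaluateCooldown(packument, v, now, cooldownDays).allowed) || null;
}

// Constructed sample packument; the name and timestamps are made up for this example.
const samplePackument = {
  name: 'example-agent-cli',
  'dist-tags': { latest: '1.1.0' },
  time: {
    created: '2026-01-10T12:00:00.000Z',
    modified: '2026-04-08T09:30:00.000Z',
    '1.0.0': '2026-01-10T12:00:00.000Z',
    '1.0.1': '2026-02-01T08:00:00.000Z',
    '1.1.0': '2026-04-08T09:30:00.000Z', // published about a day before "now"
  },
};
const evaluationTime = new Date('2026-04-09T10:00:00.000Z'); // fixed so the run is deterministic
```

With these inputs, `latest` resolves to 1.1.0 and is blocked at roughly one day old, while `newestAllowedVersion` returns 1.0.1 as the fallback.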