How Stealth Dependency Attacks in Ecosystems Like npm and PyPI Reshape the Threat Landscape for Developers and Global Software Infrastructure
These days, the entry point for most supply chain attacks is not a zero day vulnerability but a compromised account. Package maintainers on registries like npm and PyPI hold enormous leverage over global software infrastructure, so a single stolen token can poison packages with hundreds of millions of weekly downloads and grant threat actors immediate code execution inside enterprise build environments and on developer workstations. What has changed in package attacks is the set of methods and techniques that the rise of AI has made available. Threat actors now combine AI powered phishing, automated slopsquatting, and self propagating worms to scale operations that used to require significant manual effort, all while keeping their attacks invisible to victims.
AI Phishing and the Maintainer Credential Problem
Artificial intelligence has fundamentally changed how credential harvesting works against high value package maintainers. According to the Microsoft Digital Defense Report 2025, AI automated phishing campaigns achieved a 54% click through rate compared to 12% for non AI attempts, with the potential profitability of phishing operations increasing by up to 50 times. The Register reported a 45x improvement in phishing effectiveness as a result. Nation state actors have rapidly adopted these techniques: documented samples of AI generated content from nation state actors rose from zero in July 2023 to approximately 225 by July 2025.
To bypass enterprise security controls, attackers abuse trusted cloud infrastructure signals. Recent callback phishing campaigns abuse Microsoft Azure Monitor alerts by inserting malicious lures into the customizable description field of alert rules. Because the emails originate from azure-noreply@microsoft.com, they pass standard SPF and DKIM authentication checks and reach technical targets unopposed.
These techniques directly fuel ecosystem compromises. In September 2025, attackers impersonated npm support using the fraudulent address support@npmjs.help and deployed an adversary in the middle framework to intercept the credentials and live TOTP code of a high profile npm maintainer known as Qix. The resulting account takeover allowed the attackers to publish malicious updates to 18 popular packages, which were downloaded more than 2.5 million times, pushing cryptocurrency draining malware into downstream browsers. Only $500 was stolen, but the incident shows how phishing remains one of the most effective entry points for large scale supply chain attacks. The Shai-Hulud 2.0 campaign later used a similar targeted phishing operation to compromise additional maintainer accounts, then automatically backdoored every package those maintainers controlled, parallelizing the process across hundreds of packages at once.
Automated Slopsquatting and AI Toolchain Poisoning
As developers increasingly rely on AI for code generation and agentic workflows, threat actors have found ways to weaponize the AI layer itself rather than the developer. Slopsquatting is one vector: AI coding tools sometimes hallucinate plausible but nonexistent package names, attackers register those names in advance, and developers install them because their AI assistant suggested them. No phishing is required. Research now points to something structurally more serious than opportunistic name squatting: when an AI assistant suggests a nonexistent package, the attack has already been staged, invisibly, by an attacker who anticipated that specific hallucination.
Malice in Agentland, a paper from ServiceNow Research, demonstrated that AI agents can be compromised at the supply chain level through poisoned training data, and that once a backdoor is embedded, it is nearly impossible to remove. The researchers formalized three attack vectors: direct poisoning of finetuning data, pre-backdoored base models distributed through public repositories, and a novel mechanism they call environment poisoning, where an attacker embeds hidden prompt injection instructions into a webpage or tool output. When an AI agent browses that page or calls that tool during unsupervised data collection, it generates a poisoned training trace. That trace flows into the finetuning dataset. The resulting agent learns to execute the attacker's chosen action whenever a specific trigger appears, silently and without the developer ever seeing anything unusual. Poisoning as little as 2.3% of the training data was sufficient to achieve an attack success rate above 91%.
The finding that makes this relevant to the future of invisible package attacks is persistence. The researchers tested whether finetuning a backdoored model on entirely clean data would remove the implanted behavior. It did not. Attack success rates remained above 90% on τ-Bench and at 100% on WebArena even after training on thousands of clean samples. They also tested four state of the art guardrail models against the poisoned datasets, and all four failed to reliably detect the malicious traces. The backdoor is not a signature to scan for. It is baked into the model's learned policy, invisible to standard performance monitoring because the compromised model actually performs better on benign tasks than the unmodified baseline. As the paper puts it, the attack presents itself as enhanced utility. This sets the stage for the malware campaigns described below.
This attack surface evolved from passive package registration into active exploitation of the local environment with SANDWORM_MODE, disclosed by the Socket Threat Research Team on February 20, 2026. SANDWORM_MODE is the most recent iteration of the Shai-Hulud worm lineage. Attackers using the aliases official334 and javaorg published 19 malicious packages, several directly impersonating AI tools by name, including three targeting Claude Code. This was a deliberate choice given the hallucination data, since developers are least likely to scrutinize a package their AI assistant just recommended. Once installed, the payload deployed a rogue Model Context Protocol (MCP) server; MCP is an open standard that lets AI applications connect to external datasets and local system functions. The rogue server embedded prompt injection instructions into its tool descriptions, directing the AI assistant to silently harvest SSH keys, AWS credentials, npm tokens, and API keys for nine major language model providers, all without the developer ever knowing.
The structural implication is severe. AI tools have deep access to developer machines. They read files and interact with local services in the same environment where production secrets live. By poisoning the Model Context Protocol layer, attackers bypass the need to trick the human developer entirely. They only need to manipulate the AI tools that developers already implicitly trust.
Supply Chain Worms as Access Brokers
The most dangerous characteristic of modern supply chain worms is not the immediate credential theft; it is that the harvested credentials become raw material for secondary campaigns, often executed by entirely different threat actors.
Glassworm demonstrates this model precisely. The latest wave of the malware uses invisible Unicode characters (specifically Private Use Area code points) to embed malicious payloads inside what appear to be empty strings in GitHub commits, npm packages, and VS Code extensions. Because these characters do not render in standard code editors or terminals, the injections bypass manual code review and standard linting tools entirely. At runtime, the JavaScript code decodes the hidden payload bytes and passes the result on for execution. Aikido Security reported that a massive wave of Glassworm attacks hit at least 151 GitHub repositories between March 3 and March 9, 2026, with injections disguised as documentation tweaks and minor bug fixes that matched the coding style of the target projects. The decoded payloads established persistence and silently exfiltrated GitHub personal access tokens, npm tokens, and cryptocurrency wallet data, with command and control infrastructure maintained via the Solana blockchain.
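As an added defensive example (not Glassworm's code and not Aikido's tooling), the following Python scans source text for the code points the campaign relies on: Private Use Area characters and zero-width format characters, which editors render as nothing. The JavaScript snippet it scans is constructed for the example.

```python
"""Scan source text for invisible code points of the kind Glassworm hides in
"empty" strings: Unicode Private Use Area characters and zero-width format
characters. Added example, not Glassworm's code or Aikido's tooling."""
import unicodedata

# Private Use Area ranges: Basic Multilingual Plane plus the two
# supplementary private use planes.
PUA_RANGES = ((0xE000, 0xF8FF), (0xF0000, 0xFFFFD), (0x100000, 0x10FFFD))


def is_invisible(ch: str) -> bool:
    """True for PUA code points and for format characters (category Cf),
    which covers zero-width spaces and joiners, the BOM and similar glyphs."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in PUA_RANGES):
        return True
    return unicodedata.category(ch) == "Cf"


def find_invisible(source: str) -> list[tuple[int, int, str]]:
    """Return (line, column, U+XXXX) for every invisible code point in source.
    Line and column are 1-based so findings can be quoted in a review."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                hits.append((lineno, col, f"U+{ord(ch):04X}"))
    return hits


def suspicious_lines(source: str) -> set[int]:
    """Line numbers containing at least one invisible code point; a clean
    diff yields an empty set, so this can gate a pre-receive or CI check."""
    return {lineno for lineno, _, _ in find_invisible(source)}


# Constructed sample: what looks like a harmless doc tweak plus a string
# literal that renders as empty but carries Private Use Area characters.
SAMPLE = (
    "// update readme link\n"
    "const cfg = '\ue001\ue045\uf8ff';\n"
    "module.exports = cfg;\n"
)

if __name__ == "__main__":
    for lineno, col, cp in find_invisible(SAMPLE):
        print(f"line {lineno} col {col}: {cp}")
```

Run it over the files touched by a pull request; any hit inside a string literal on a "documentation tweak" commit is worth a manual look before merge.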
The credentials harvested by Glassworm directly fueled ForceMemo, a secondary campaign disclosed by StepSecurity in March 2026. Attackers used the stolen GitHub tokens to force push obfuscated malware into more than 240 distinct Python repositories, targeting Django applications, machine learning research code, and Flask APIs. The ForceMemo injection was designed for absolute stealth: the attacker rebased the latest legitimate commit, appended obfuscated malware to critical files like setup.py or main.py, and force pushed the result back to the repository. Because the force push preserved the original author name and commit message, the tampering was completely invisible in standard GitHub activity feeds. The only indicator was a discrepancy in the committer date. StepSecurity researchers confirmed that ForceMemo used the exact same Solana blockchain wallet address as Glassworm, definitively linking the two operations.
This two wave model mirrors the 2025 npm compromises. The s1ngularity campaign in August 2025 exploited a GitHub Actions flaw within the Nx build system to steal npm publishing tokens and exfiltrate over 2,000 unique environment secrets. Three weeks later, Shai-Hulud 1.0 used those exact tokens to launch the first true self propagating worm on the npm registry, automatically infecting and republishing hundreds of packages across the ecosystem.
Registries have begun responding structurally. PyPI enforced mandatory two factor authentication and rolled out email verification for TOTP logins. GitHub and npm established automated token revocation systems that cut off the self replicating pattern of the Shai-Hulud worm by blocking uploads containing known indicators of compromise. Despite these defenses, attackers continue to pivot. In March 2026, malicious releases were detected in popular React Native packages exceeding 130,000 monthly downloads, demonstrating that threat actors are aggressively targeting mobile development supply chains using the same account takeover tactics.
The evolution of these threats reveals that AI powered phishing and callback lures acquire the initial high privilege credentials for large scale supply chain attacks. Slopsquatting and payloads like SANDWORM_MODE extend that harvest silently into the developer's local environment, weaponizing their own AI assistant against them. Once that access exists, it becomes infrastructure for automated, self propagating campaigns like Glassworm and ForceMemo. The entire software ecosystem serves as the attack surface, and every new tool developers adopt to accelerate their workflows is simultaneously a new vector for an invisible compromise.
Sources
Microsoft: Microsoft Digital Defense Report 2025
The Register: AI makes phishing 4.5x more effective, Microsoft says
BleepingComputer: Microsoft Azure Monitor alerts abused for callback phishing attacks
Datadog Security Labs: Learnings from recent npm supply chain compromises
Trend Micro: Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems
Palo Alto Networks: Breakdown: Widespread npm Supply Chain Attack Puts Billions of Weekly Downloads at Risk
ReversingLabs: Shai-Hulud npm supply chain attack: What you need to know
Boisvert et al., ServiceNow Research: Malice in Agentland: Down the Rabbit Hole of Backdoors in the AI Supply Chain
The Hacker News: SANDWORM_MODE: Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens
Socket: The Rise of Slopsquatting: How AI Hallucinations Are Fueling a New Class of Supply Chain Attacks
Aikido Security: Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories
StepSecurity: ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push
PyPI Blog: PyPI in 2025: A Year in Review
GitHub Blog: Our plan for a more secure npm supply chain
StepSecurity: Malicious npm Releases Found in Popular React Native Packages - 130K+ Monthly Downloads Compromised