The npm supply-chain attack that ran for eleven weeks before maintainers caught it

On February 8 at 14:11 UTC, a maintainer with publish rights to a transitive dependency in the @next-auth/* namespace pushed a patch release. The patch added 41 lines to a single file. The lines were, in their effect, a credential exfiltration routine that ran on package install and posted environment variables to an HTTP endpoint registered six days earlier. The package was published with the publishing maintainer's real handle.

The package was downloaded 1,412,300 times between February 8 and April 26. It was caught on April 26 at 09:42 UTC by an automated rule run by Socket Inc. that flagged the new HTTP endpoint as anomalous for a TypeScript-typed authentication helper. Socket disclosed to the npm security team within four hours. The package was unpublished within twenty.

The disclosure timeline

• Feb 8, 14:11 UTC — Malicious patch published (v0.4.7).
• Feb 9 through Apr 25 — Roughly 1.4 million downloads. No detection by GitHub Dependabot, npm audit, or the major SCA tools.
• Apr 26, 09:42 UTC — Socket Inc.'s anomalous-endpoint rule fires. Disclosed to npm.
• Apr 26, 13:50 UTC — npm pulls the package; CVE-2026-3147 reserved.
• Apr 26, 18:00 UTC — The maintainer's account is suspended pending investigation.
• Apr 28 — Maintainer publishes a forensic statement. The account credentials had been compromised on or around Feb 4 via a phishing email impersonating the npm Trust & Safety team.

What was actually achieved

The exfiltrated environment variables — which on most CI systems include AWS keys, GitHub tokens, and database URLs — were posted to an endpoint that, according to Socket's analysis (citing the team's published report on Apr 30), was a static-content collector with no apparent active follow-up infrastructure. The forensic implication is that the attacker harvested credentials but had not yet acted on them at scale by the time of disclosure.

This is the part of the story that should not be reassuring. "Had not yet acted on them" means the credentials are still out there. Affected organizations should treat any credentials present in CI environments at any point between February 9 and April 26 as compromised. The npm security team and Socket Inc. published rotation guidance with the disclosure on April 28; that guidance is the document to forward to your security lead.

What the systemic version of this looks like

The single-package version of this story is solvable: better account hygiene at the maintainer level, better anomaly detection at the registry level, faster disclosure timelines. The systemic version — the question of how many other 11-week windows are currently open in the dependency graph of a representative production application — is the harder problem. Researchers Anjana Vakil (independent) and Florian Roth (Nextron Systems) have published, separately, methodology papers in the last six months that estimate the population-level prevalence of this kind of attack. Both estimates are higher than the public CVE record suggests. Neither is sensational. Both are the documents to read.