Security researchers have uncovered 73 malicious npm packages disguised as Microsoft-related libraries, each embedded with self-replicating credential-stealing malware that activates not during installation, but when the code is opened and analysed by an AI coding agent — marking a significant evolution in software supply chain attacks.
The discovery, made by security firm Socket and reported by Ars Technica, highlights a growing threat vector that targets the increasingly popular practice of using AI-powered tools to review and understand unfamiliar codebases.
A New Trigger Mechanism
Unlike traditional supply chain attacks that execute malicious payloads when a developer installs a package, these tainted npm packages were designed to remain dormant until an AI agent parsed their contents. According to Socket's findings, the malware was crafted to detect when it was being processed by an automated analysis tool, at which point it would activate a self-replicating stealer capable of harvesting credentials.
This marks the second such incident in recent weeks involving npm packages weaponised to exploit AI-assisted development workflows. The repeated nature of these attacks indicates that threat actors are actively probing and refining the technique rather than treating it as a one-off experiment.
Why AI Agents Are an Attractive Target
AI coding assistants and agentic tools have become commonplace in modern development workflows. Developers routinely point these tools at third-party libraries and unfamiliar packages to generate documentation, identify vulnerabilities, or understand dependencies. This behaviour creates a trusted execution context that malicious actors are now learning to exploit.
The attack is particularly insidious because AI agents typically operate with elevated privileges and broad access to a developer's environment. When an AI tool reads malicious code, it may inadvertently trigger embedded instructions that direct it to exfiltrate sensitive data, including credentials, API keys, and session tokens.
Because the payload only activates under specific conditions — namely, when parsed by an AI agent rather than a human developer — it can evade traditional static analysis and manual code review. A developer skimming the source code might see nothing suspicious, while the malicious logic waits for the right automated reader to come along.
Implications for the Development Community
This attack pattern forces a fundamental reassessment of how developers and organisations evaluate third-party code. Security tooling has historically focused on detecting malicious behaviour during installation or runtime execution. These new threats demand additional scrutiny of what happens when code is merely read by automated systems.
Security experts recommend that teams using AI agents to analyse third-party packages implement strict sandboxing for those agents, limiting their network access and file system permissions. Organisations should also consider adopting more rigorous vetting of npm dependencies, including monitoring services that track newly published or updated packages for suspicious patterns.
The npm ecosystem, the largest package registry for JavaScript and Node.js development, has long been a target for supply chain attacks due to its open publishing model and the complex web of transitive dependencies common in JavaScript projects. The introduction of AI agents as an attack surface adds yet another layer of complexity to an already challenging security landscape.
As AI-assisted development continues to grow in adoption, the security community will need to develop new defensive tools and practices specifically designed to protect the agents themselves — not just the developers who use them.
安全研究人員發現了 73 個偽裝成 Microsoft 相關程式庫的惡意 npm 套件,每個套件都嵌入了自我複製的盜竊認證憑證惡意軟件,其啟動時機並非在安裝時,而是在程式碼被打開並由 AI 程式碼代理解析時——這標誌著軟件供應鏈攻擊的一次重大演變。
此發現由安全公司 Socket 作出,並經 Ars Technica 報導,凸顯了一個日益增長的威脅載體,其目標正是日益普及的、使用 AI 驅動工具來審查和理解陌生程式碼庫的做法。
全新的觸發機制
與傳統供應鏈攻擊在開發者安裝套件時便執行惡意 payload 不同,這些被污染的 npm 套件被設計為保持休眠狀態,直到 AI 代理解析其內容。根據 Socket 的研究結果,該惡意軟件被精心設計,用以偵測其是否正被自動化分析工具處理,一旦偵測到,它便會啟動一個能夠擷取認證憑證的自我複製盜竊程式。
這是近幾週內發生的第二起類似事件,涉及被武器化以利用 AI 輔助開發工作流程的 npm 套件。這些攻擊的重複性質表明,威脅行為者正在積極試探和完善這項技術,而非僅僅將其視為一次性的實驗。
為何 AI 代理是吸引人的目標
AI 程式碼助手與代理式工具在現代開發工作流程中已變得司空見慣。開發者慣常將這些工具指向第三方程式庫和陌生套件,以生成文件、識別漏洞或理解依賴關係。這種行為創造了一個可信的執行環境,而惡意行為者正學會加以利用。
此類攻擊尤其陰險,因為 AI 代理通常以提升的權限運行,並廣泛存取開發者的環境。當 AI 工具讀取惡意程式碼時,可能會無意中觸發嵌入的指令,引導其將敏感資料(包括認證憑證、API 金鑰和 session token)外洩。
由於 payload 僅在特定條件下啟動——即由 AI 代理而非人類開發者解析時——它能夠規避傳統的靜態分析和手動程式碼審查。開發者粗略瀏覽原始碼時可能看不出任何可疑之處,而惡意邏輯則在等待合適的自動化讀取器出現。
對開發社群的影響
此攻擊模式迫使開發者和組織對如何評估第三方程式碼進行根本性的重新評估。安全工具歷來專注於偵測安裝期間或運行時執行期間的惡意行為。這些新威脅要求額外審查當程式碼僅被自動化系統讀取時會發生什麼情況。
安全專家建議,使用 AI 代理分析第三方套件的團隊應為這些代理實施嚴格的沙盒環境,限制其網絡存取和檔案系統權限。組織亦應考慮採用更嚴格的 npm 依賴項審查流程,包括監控服務,用以追蹤新發佈或更新的套件是否存在可疑模式。
npm 生態系統作為 JavaScript 和 Node.js 開發的最大套件註冊表,由於其開放的發佈模型以及 JavaScript 項目中常見的複雜間接依賴關係網絡,長期以來一直是供應鏈攻擊的目標。將 AI 代理引入作為攻擊面,為本已具挑戰性的安全形勢增添了又一層複雜性。
隨著 AI 輔助開發的應用持續增長,安全社群將需要開發專門設計的全新防禦工具和實踐,以保護代理本身——而不僅僅是使用它們的開發者。