THE TRUST MODEL
npm has no gatekeeper. Anyone can publish a package, and anyone with publish rights on an existing package can push an update that every dependent picks up on its next install. A project with a handful of direct dependencies typically inherits hundreds of transitive ones, each maintained by a stranger whose next release runs inside your build.
THE EVENT-STREAM PRECEDENT
In 2018, the maintainer of the popular event-stream package handed publish rights to a volunteer who had offered to help. Shortly afterwards the new owner added a dependency, flatmap-stream, whose next release carried an encrypted payload that stole wallet keys from users of one downstream app, the Copay Bitcoin wallet. event-stream had roughly 2 million weekly downloads. The payload sat in the tree for about six weeks before anyone noticed.
WHY AI VENDORS ARE THE TARGET
AI tooling pulls fresh dependencies aggressively: new SDKs, model clients and agent frameworks ship weekly, and developers take the updates without reading diffs. The attack surface is wider, and the review cadence slower, than in mature ecosystems.
TYPOSQUATTING VS HIJACK
Two attack shapes dominate. Typosquatting publishes a malicious package under a near-identical name (`reqeusts` for `requests`) and waits for someone to mistype an install command. Hijack compromises an existing trusted package, through stolen publish credentials or social engineering of the maintainer, as with event-stream. Hijack is far rarer and far more dangerous, because the victim asked for exactly the package they received.
THE POSTINSTALL HOOK
npm runs arbitrary code at install time through the preinstall, install and postinstall lifecycle scripts declared in package.json. That is the usual execution point for supply-chain payloads: not when you import the package, but the moment `npm install` resolves it, including as a transitive dependency nobody chose by name. CI runners, developer laptops and production build servers all run these scripts with the full privileges of the installing user. `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) disables them, at the cost of breaking packages that legitimately need a build step.
WHY MACOS SPECIFICALLY
Developer machines are high-value targets: they hold SSH keys, cloud credentials, code-signing certificates and the source of downstream products. macOS dominates the developer laptop market in San Francisco tech. A payload that profiles `~/.ssh`, `~/.aws` and the login Keychain (which holds Safari's saved passwords and the key that protects Chrome's) on macOS hits the richest credential trove per compromised machine.