CentrioleBlog
Platform

Centriole Blog

Security insights for modern supply chains

Research and analysis on software supply chain security for security and engineering teams.

Featured

Featured post 1 of 5

All posts

pkg-fallback Ships string_kit. Its Beacon Ships to 157.254.194.200.

A PyPI package that calls itself pkg-fallback, ships a module called string_kit, and fires an unconditional HTTP beacon to a bare IP at install time. One version, one victim window, one open question: what was the operator enumerating?

Inside the ltidi Cluster: One GCS Bucket, 18 Hollow Stubs, 17 Off-Registry Droppers

A single npm account published 18 empty stub packages over 25 days, each pulling a unique dropper tarball from a private Google Cloud Storage bucket that bypasses every npm registry scanner.

Six Years Between Versions: How the Insomnia Namespace Became a Recurring Attack Surface

Four independent waves across 46 months. Eight malicious packages. One shared attack surface: the insomnia-plugin-* naming convention that Kong never locked down.

Inside a Three-Month DPRK-Linked npm Campaign that Built Around 70 chai-as- Packages

A systematic teardown of the longest-running single-namespace npm attack in the Contagious Interview campaign's history: 70+ chai-as-* packages, runtime-triggered credential theft, a multi-tenant C2, and a naming strategy built to vanish into developer dependency trees.

ts-ankle: A Meaningless Name Hiding a Four-Package Infostealer and SSH Backdoor

ts-ankle v1.1.0 is the visible tip of a four-package cluster built around a 17-module cross-platform infostealer. One package impersonates Polymarket. One plants your SSH key.

The Same Payload, Four More Packages: Miasma Hits ImmobiliareLabs Backstage Plugins

22 malicious versions across four @immobiliarelabs Backstage plugins carry the Miasma worm's Phantom Gyp payload, targeting Backstage-connected developer environments with credential theft and AI assistant persistence.

express-plugin: A Two-File Package That Hands Your Machine to a Remote Operator

A package named express-plugin shipped a remote code execution dropper that fetches and evaluates attacker-controlled JavaScript on every require call, with no install hook needed.

Shai-Hulud in a Trench Coat: How @epsteinlovekids483 Impersonated Crossmint to Steal Developer Secrets

A package posing as the Crossmint Wallets SDK shipped a fully functional credential stealer named after a known worm family. Eight versions, one live C2, and a persistence payload that survives package removal.

openblox: A Windows-Only Backdoor Wearing a Roblox Name Tag and SQLite Documentation

A PyPI package named openblox hides a chr-arithmetic obfuscated mshta dropper inside a fake SQLite utility, executing a remote HTA payload on every pip install on Windows.

Ten Packages, Three Minutes, One Target: Inside the Zomato Group Dependency Confusion Campaign

An attacker published 10 dependency confusion packages targeting Zomato, Hyperpure, and Blinkit in a 199-second scripted burst, exfiltrating full CI environments to an Interactsh collector on every npm install.

What Does a Tree Utility Need 93KB of Obfuscated Code For?

The npm package @osmura/treeify appended 93KB of RC4-obfuscated JavaScript to the legitimate treeify library, running an AES-256-GCM dropper with dual IIFE fallback C2 on every require call.

The db-* Cluster: Four npm Accounts, Nine Packages, One Expanding Payload Chain

Nine related npm packages across four publisher accounts built a two-stage dropper network active since June 9, 2026, sharing jsonkeeper C2 infrastructure and a common code template across every variant.

What Is an SBOM and Why Does It Matter for Security?

What SBOMs contain, what regulators require by country, and why 2026 supply chain incidents still start with the same question: are we affected?