The compromise introduced a malicious telemetry.js file, triggered via a postinstall script in the npm package. The payload executed only on Linux and macOS systems, systematically searching for sensitive files (wallets, keystores, .env files, SSH keys) and extracting credentials (the gh auth token and the contents of .npmrc). The malware also attempted to lock victims out by appending sudo shutdown -h 0 to ~/.bashrc and ~/.zshrc, so that every new interactive terminal session triggered a system shutdown. These findings were also reported by Step Security.
Notably, the campaign weaponized installed AI CLI tools, invoking them with prompts and permission-bypassing flags (--dangerously-skip-permissions, --yolo, --trust-all-tools) so that the assistants would enumerate and read filesystem contents on the attacker's behalf, turning trusted tools into reconnaissance agents. We have observed this AI-assisted activity succeed in hundreds of cases, although AI provider guardrails at times intervened.
Exfiltrated data was double- and triple-base64-encoded and uploaded to attacker-created repositories in the victims' own GitHub accounts, named s1ngularity-repository, s1ngularity-repository-0, or s1ngularity-repository-1; thousands of these were observed publicly.
On August 27, 2025 at 09:00 UTC, GitHub disabled all attacker-created repositories to prevent further exposure, but the exposure window (around 8 hours) was long enough for the repositories to have been downloaded by the original attacker and by other malicious actors. Furthermore, base64 is an encoding, not encryption, and is trivially reversible, so this data should be treated as effectively public.
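To show how little the layered base64 protects, and to give responders a way to confirm what a given s1ngularity-repository upload contained, here is a decoder that peels however many base64 layers are present. It is an added example, not code from the original write-up or from the attacker's tooling; the JSON field names and token values in the sample are constructed placeholders shaped like the data described above, not a real payload.

```python
import base64
import binascii
import json
import re

MAX_LAYERS = 8  # the campaign used two or three; cap to avoid looping on odd input


def peel_base64(blob: bytes, max_layers: int = MAX_LAYERS) -> tuple[bytes, int]:
    """Remove nested base64 layers and return (payload, layers_removed).

    Each round strips whitespace (line-wrapped base64 is common) and decodes
    with validate=True, which rejects any character outside the base64
    alphabet. Decoding stops at the first layer that is not valid base64.
    Heuristic caveat: a plaintext made solely of base64-alphabet characters
    would be decoded one layer too far; JSON ('{', '"', ':') and tokens
    containing '_' cannot be, so the exfil format described above stops cleanly.
    """
    current = blob
    layers = 0
    while layers < max_layers:
        compact = re.sub(rb"\s+", b"", current)
        if not compact:
            break
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            break
        current, layers = decoded, layers + 1
    return current, layers


def parse_payload(payload: bytes) -> dict:
    """Parse the decoded payload as JSON; fall back to a raw-text view."""
    try:
        obj = json.loads(payload)
        return obj if isinstance(obj, dict) else {"data": obj}
    except (UnicodeDecodeError, json.JSONDecodeError):
        return {"raw": payload.decode("utf-8", errors="replace")}


def _wrap(data: bytes, times: int) -> bytes:
    """Apply base64 `times` times (used only to build the constructed sample)."""
    for _ in range(times):
        data = base64.b64encode(data)
    return data


# Constructed sample: placeholder values in the shape the text describes,
# not a real exfiltrated payload. The field names are assumptions.
SAMPLE_PLAINTEXT = json.dumps({
    "GitHubToken": "gho_EXAMPLE_NOT_A_REAL_TOKEN",
    "npmrc": "//registry.npmjs.org/:_authToken=npm_EXAMPLE_NOT_A_REAL_TOKEN",
    "files": ["~/.ssh/id_ed25519", "~/project/.env"],
}).encode()
SAMPLE_BLOB = _wrap(SAMPLE_PLAINTEXT, 3)


def decode_sample() -> tuple[dict, int]:
    """Peel the constructed triple-encoded sample and parse it."""
    payload, layers = peel_base64(SAMPLE_BLOB)
    return parse_payload(payload), layers


if __name__ == "__main__":
    fields, layers = decode_sample()
    print(f"removed {layers} base64 layer(s); fields: {sorted(fields)}")
```

Pointed at a downloaded copy of one of these repositories, peel_base64 returns the cleartext in milliseconds with no key material involved, which is the practical meaning of "effectively public": anyone who cloned a repository during the exposure window holds the same credentials the attacker does, so every token, key or secret named in the decoded payload must be revoked rather than merely scrubbed from the host.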