Charlie Eriksen

Malware Researcher

Charlie Eriksen is a Security Researcher at Aikido Security, with extensive experience across IT security - including in product and leadership roles. He is the founder of jswzl and he previously worked at Secure Code Warrior as a security researcher and co-founded Adversary.

Blog posts by Charlie Eriksen

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

May 27, 2026

•

Vulnerabilities & Threats

Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens

A polished Codex remote UI, the npm package codexui-android, has active development and thousands of weekly users. It has been quietly exfiltrating OpenAI auth tokens for the past month.

Tags/

#Vulnerabilities

#NPM

April 29, 2026

•

Vulnerabilities & Threats

Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files

A fake "tanstack" npm package published four malicious versions in 27 minutes today, exfiltrating .env files via a postinstall hook. Here's what happened, who was affected, and how to rotate your credentials.

Tags/

#Malware

March 27, 2026

•

Vulnerabilities & Threats

Popular telnyx package compromised on PyPI by TeamPCP

The popular telnyx packageon PyPI, used by big AI companies, has been compromised by TeamPCP

Tags/

#Malware

#Pypi

March 22, 2026

•

Vulnerabilities & Threats

CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran

Tags/

#NPM

#Malware

March 20, 2026

•

Vulnerabilities & Threats

TeamPCP deploys CanisterWorm on NPM following Trivy compromise

Tags/

#NPM

#Malware

February 4, 2026

•

Vulnerabilities & Threats

npx Confusion: Packages That Forgot to Claim Their Own Name

We claimed 128 unclaimed npm package names that official docs told developers to npx. Seven months later: 121,000 downloads. All would have run arbitrary code.

Tags/

#Malware

#open-source

#NPM

January 27, 2026

•

Vulnerabilities & Threats

Fake Clawdbot VS Code Extension Installs ScreenConnect RAT

A malicious VS Code extension impersonating Clawdbot is installing ScreenConnect RAT on developer machines.

Tags/

#Malware

#VS Code

January 23, 2026

•

Vulnerabilities & Threats

G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets

npm package ansi-universal-ui delivers GWagon infostealer targeting 100+ crypto wallets, browser credentials, and cloud keys. We analyzed all 10 versions as the attacker iterated in real-time.

Tags/

#Malware

#NPM

#Software Supply Chain Security

January 23, 2026

•

Vulnerabilities & Threats

Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages

A targeted spear-phishing campaign used npm packages and jsDelivr as free phishing infrastructure, serving custom credential harvesters per victim

Tags/

#Malware

#NPM

#Software Supply Chain Security

January 23, 2026

•

Vulnerabilities & Threats

Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT

Attackers published fake spellchecker packages to PyPI with malware hidden in plain sight. We break down the attack and what developers need to watch for.

Tags/

#Malware

#Software Supply Chain Security

#NPM

January 21, 2026

•

Vulnerabilities & Threats

Agent Skills Are Spreading Hallucinated npx Commands

AI agent skills are propagating hallucinated npx commands, creating real security and reliability risks for developers and supply chains.

Tags/

#NPM

#Malware

#Software Supply Chain Security

#AI

#Vibe Coding

January 5, 2026

•

Vulnerabilities & Threats

JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack

A deep technical analysis of the NeoShadow npm supply-chain attack, detailing how JavaScript, MSBuild, and blockchain techniques were combined to compromise developers.

Tags/

#NPM

#Malware

Get secure now

Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.

Start Scanning

No CC required

Book a demo

No credit card required | Scan results in 32secs.