Poisoning the Pipeline: How the “Frank” Campaign Targeted Apple and Google via NPM Dependency Confusion
Security researchers have exposed a widespread malicious campaign targeting developers in which the adversary, rather than compromising finished products, exploited weaknesses in the build process itself. Using the public NPM registry, the attacker attempted to distribute malicious packages masquerading as internal tools of major corporations, anticipating that automated development pipelines would pull in the counterfeit software without anyone noticing.
According to Panther Threat Research, thirty-eight malicious packages surfaced on NPM between April 24 and April 30, 2026. These are attributed to an Indonesian operative utilizing the pseudonym “frank” and the primary account frengki0707, supported by secondary accounts such as raya4321, cketol, and frengki4321.
The primary artifice employed was Dependency Confusion. The perpetrator meticulously selected names containing the string “internal” to mimic the private libraries of Apple, Google, GCP, Alibaba, and Aliyun. In the event of a misconfigured CI/CD pipeline, the public malicious package could be granted priority over the authentic internal dependency, executing during a routine installation.
The largest cluster of packages imitated Apple’s internal tooling, including App Store libraries, PKI utilities, CloudKit, and various infrastructure components. The names often included terms suggestive of defense evasion, stealth, and data exfiltration. Published versions such as v3, v9, and v99 were chosen to make the packages look established and legitimate inside a package.json file.
Packages targeting Google and GCP were cloaked as build utilities, logging tools, monorepo managers, and auditing scripts. Their objective was the harvesting of GCP service keys, OAuth tokens, and Kubernetes configurations. Within the Alibaba ecosystem, the adversary simulated Alibaba Cloud SDK components to intercept Aliyun RAM keys. Furthermore, the frank-newton3 series functioned as a versatile toolkit designed to exfiltrate .env files, database variables, SSH keys, and MySQL or Postgres dumps.
The malicious payload was triggered via postinstall scripts following a standard npm install command. Initially, these packages conducted reconnaissance to gather system telemetry—including usernames, hostnames, and OS data—before scouting for “secrets” to transmit to the command-and-control infrastructure. A particular emphasis was placed on exfiltrating NPM_TOKEN and NODE_AUTH_TOKEN, as compromising these credentials could facilitate the injection of malicious code into legitimate, widely-used software.
Panther attributes this campaign to a single operative based on the recurring “frank” pseudonym, similar account naming conventions, Indonesian-language comments in the source code, and shared webhook addresses. Rotating accounts was a deliberate tactic to keep the infrastructure alive even after individual packages were removed. Development teams are urged to scrutinize any public NPM requests featuring “internal” in the name, strictly govern postinstall scripts within CI/CD environments, and monitor build process access to sensitive files such as ~/.npmrc, ~/.aws/credentials, and ~/.kube/config.
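As an added example (not from Panther's report or this article), the following Node script audits a package-lock.json for the two signals the article highlights: internal-looking package names that resolve to the public registry, and packages that carry install scripts. The lockfile contents and the private registry host npm.corp.example are constructed placeholders.

```javascript
// Added example, not the article's or Panther's code. Audits a package-lock.json
// (lockfileVersion 2/3 "packages" map) for dependency-confusion warning signs.
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Derive a package name from its lockfile path,
// e.g. "node_modules/@acme/internal-x" -> "@acme/internal-x".
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Return one finding per suspicious condition. `markers` are substrings that
// suggest a package should be private; "internal" is the one this campaign used.
function auditLockfile(lock, markers = ["internal"]) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages ?? {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = packageName(lockPath);
    const resolved = entry.resolved ?? "";
    const looksInternal = markers.some((m) => name.toLowerCase().includes(m));
    if (looksInternal && resolved.startsWith(PUBLIC_REGISTRY)) {
      findings.push({ name, version: entry.version, reason: "internal-looking name resolved from public registry" });
    }
    if (entry.hasInstallScript) {
      findings.push({ name, version: entry.version, reason: "has install script" });
    }
  }
  return findings;
}

// Constructed sample lockfile; package names and hosts are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/@acme/internal-cloudkit": { version: "99.0.0", resolved: "https://registry.npmjs.org/@acme/internal-cloudkit/-/internal-cloudkit-99.0.0.tgz", hasInstallScript: true },
    "node_modules/@acme/internal-logger": { version: "2.1.0", resolved: "https://npm.corp.example/@acme/internal-logger/-/internal-logger-2.1.0.tgz" },
  },
};

const report = auditLockfile(SAMPLE_LOCK);
for (const f of report) console.log(`${f.name}@${f.version}: ${f.reason}`);
```

Run this in CI against the committed lockfile and fail the build on any finding; pair it with `ignore-scripts=true` in the project's .npmrc so install scripts never run silently.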