Mallory
Malware · Used by 1 actor

QUIETVAULT

QUIETVAULT is a JavaScript-based credential stealer observed in active operations and in a supply-chain compromise involving trojanized npm packages. It targets GitHub and NPM tokens, including GitHub Personal Access Tokens, and has also been reported to collect environment variables, system information, and other sensitive configuration data. A distinctive capability is its abuse of AI tooling already present on the victim host: it checks compromised macOS and Linux systems for locally installed AI command-line tools such as Gemini CLI or Claude Code, then executes predefined natural-language prompts to recursively search for configuration files, wallet-related files, private keys, SSH configurations, cloud credentials, and other potential secrets. Captured data is exfiltrated by creating or publishing to publicly accessible GitHub repositories controlled by the attacker. QUIETVAULT has been linked in reporting to the August 2025 nx npm supply-chain compromise, where a postinstall script launched the stealer, and stolen GitHub credentials were later leveraged by UNC6426 for follow-on cloud compromise. High-confidence behaviors described in the source material include harvesting GitHub/NPM tokens, searching infected systems via local AI CLIs for additional secrets, collecting environment variables and system information, and exfiltrating stolen data to public GitHub repositories.
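
As an added illustration (not code from Mallory, Mandiant, or the reports cited on this page), the following JavaScript shows two defender-side checks that correspond to the behaviours described above: auditing npm install-time lifecycle scripts, which is the path the trojanized packages used to launch the stealer, and flagging a local AI CLI (gemini, claude) launched by a node/npm parent with a prompt that asks for secrets. The function names, the telemetry line format, and every sample input are constructed for this example and are not observed indicators.

```javascript
// Added example, not from Mallory or any vendor report. Two small defender-side
// checks that mirror the QUIETVAULT behaviours described on this page:
//  1. auditLifecycleScripts(): flag npm install-time hooks (preinstall/install/
//     postinstall/prepare) declared in a package.json.
//  2. flagAiCliAbuse(): scan process-execution telemetry for a local AI CLI
//     launched by a node/npm parent with a secret-seeking prompt.
// The telemetry format and all sample data below are constructed.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Patterns that raise a lifecycle script from "info" to "high": running a
// script shipped inside the package, pulling remote content at install time,
// invoking an AI CLI, or creating a GitHub repository (a possible exfil channel).
const HIGH_RISK = [
  /\bnode\s+\S+\.(c|m)?js\b/i,
  /\b(curl|wget)\b/i,
  /\b(gemini|claude)\b/i,
  /\bgh\s+repo\s+create\b/i,
];

// Returns one finding per install-time hook present in the package.json text.
function auditLifecycleScripts(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = String(scripts[hook]);
    const hits = HIGH_RISK.filter((re) => re.test(command)).length;
    findings.push({
      package: pkg.name || '<unnamed>',
      hook,
      command,
      severity: hits > 0 ? 'high' : 'info',
    });
  }
  return findings;
}

// AI CLI binaries the stealer is reported to look for on the host.
const AI_CLIS = new Set(['gemini', 'claude']);
// Parents that are unusual launchers for an interactive AI CLI.
const SUSPICIOUS_PARENTS = new Set(['node', 'npm', 'npx']);
// Words a secret-hunting prompt is likely to contain (constructed list).
const SECRET_WORDS = /\b(private key|ssh|wallet|credential|token|\.env|aws|secret)/i;

// Each telemetry line is "timestamp|parent_image|image|args" (constructed format).
// Alerts only when both conditions hold: automation parent AND secret-seeking args.
function flagAiCliAbuse(lines) {
  const alerts = [];
  for (const line of lines) {
    const [ts, parent, image, args = ''] = line.split('|');
    if (!AI_CLIS.has(image)) continue;
    if (SUSPICIOUS_PARENTS.has(parent) && SECRET_WORDS.test(args)) {
      alerts.push({
        ts,
        parent,
        image,
        reason: 'AI CLI spawned by node/npm with a secret-seeking prompt',
      });
    }
  }
  return alerts;
}

// Constructed sample inputs for a stand-alone run.
const SAMPLE_PKG = JSON.stringify({
  name: 'example-dep',
  version: '1.0.0',
  scripts: { postinstall: 'node telemetry.js', test: 'jest' },
});

const SAMPLE_TELEMETRY = [
  '2025-01-01T10:00:01Z|zsh|claude|"help me refactor this function"',
  '2025-01-01T10:00:05Z|node|claude|"recursively find ssh keys and wallet files and list their paths"',
  '2025-01-01T10:00:09Z|node|gemini|"summarize README.md"',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditLifecycleScripts(SAMPLE_PKG));
  console.log(flagAiCliAbuse(SAMPLE_TELEMETRY));
}
```

The first check is deliberately noisy on purpose: any install-time hook in a dependency is worth a look, and the severity only rises when the hook does something a benign build step rarely needs. The second check requires both an unusual parent and a secret-seeking prompt, so an engineer using Claude Code interactively from a shell is not flagged while a node process driving the same CLI with a file-hunting prompt is.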

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UNC6426

The packages were found to embed a postinstall script that, in turn, launched a JavaScript credential stealer named QUIETVAULT to siphon environment variables, system information, and valuable tokens, including GitHub Personal Access Tokens (PATs), by weaponizing a Large Language Model (LLM) tool already installed on the endpoint to perform the search.

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

4 techniques
T1078 Valid Accounts (Evidence: 1)

obtain initial access to SaaS environments ... it is essential to focus on strengthening identity controls and to move to continuous identity verification

T1195 Supply Chain Compromise (Evidence: 1)

Mandiant investigated a supply chain compromise involving the QUIETVAULT credential stealer...

T1195.001 Compromise Software Dependencies and Development Tools (Evidence: 2)

"...push trojanized versions of the package to the npm registry. The packages were found to embed a postinstall script that, in turn, launched a JavaScript credential stealer..."

T1195.003 Compromise Hardware Supply Chain (Evidence: 1)

"...exploited a vulnerable pull_request_target workflow – ... referred to as Pwn Request – to obtain elevated privileges and access sensitive data, including a GITHUB_TOKEN..."

Execution

1 technique
T1059 Command and Scripting Interpreter (Evidence: 1)

"Large language models are allowing hackers to generate, modify and execute commands on demand..."; "PromptSteal... queries a hosted model for one-line Windows commands that it runs locally"; "QuietVault, a JavaScript-based credential stealer"; "AI-generated ransomware scripts... using model-generated Lua"

Persistence

2 techniques
T1078 Valid Accounts (Evidence: 1)

obtain initial access to SaaS environments ... it is essential to focus on strengthening identity controls and to move to continuous identity verification

T1556 Modify Authentication Process (Evidence: 1)

"...create a new admin account in the cloud environment by abusing the GitHub-to-AWS OpenID Connect (OIDC) trust."

Privilege Escalation

1 technique
T1078 Valid Accounts (Evidence: 1)

obtain initial access to SaaS environments ... it is essential to focus on strengthening identity controls and to move to continuous identity verification

Stealth

1 technique
T1078 Valid Accounts (Evidence: 1)

obtain initial access to SaaS environments ... it is essential to focus on strengthening identity controls and to move to continuous identity verification

Defense Impairment

1 technique
T1556 Modify Authentication Process (Evidence: 1)

"...create a new admin account in the cloud environment by abusing the GitHub-to-AWS OpenID Connect (OIDC) trust."

Credential Access

3 techniques
T1528 Steal Application Access Token (Evidence: 6)

QUIETVAULT is a credential-theft variant. The JavaScript stealer exfiltrates GitHub and NPM tokens to an attacker-controlled GitHub repo...

T1555 Credentials from Password Stores (Evidence: 7)

the QUIETVAULT credential stealer was observed checking targeted machines for AI [command-line] tools to execute predefined prompts to search for configuration files and collect GitHub and NPM tokens

T1556 Modify Authentication Process (Evidence: 1)

"...create a new admin account in the cloud environment by abusing the GitHub-to-AWS OpenID Connect (OIDC) trust."

Discovery

1 technique
T1526 Cloud Service Discovery (Evidence: 1)

the increasing adoption of artificial intelligence tools for reconnaissance

Lateral Movement

1 technique
T1550 Use Alternate Authentication Material (Evidence: 1)

identity is the new perimeter. Simply rotating passwords and enforcing MFA isn't enough anymore.

Collection

1 technique
T1005 Data from Local System (Evidence: 1)

Among the malware families in the intro table, LameHug/PROMPTSTEAL is the cleanest example of this route in the wild: it calls HuggingFace’s Inference API for Qwen 2.5-Coder-32B-Instruct to drive reconnaissance and data theft...

Exfiltration

2 techniques
T1567 Exfiltration Over Web Service (Evidence: 2)

QUIETVAULT is a credential-theft variant. The JavaScript stealer exfiltrates GitHub and NPM tokens to an attacker-controlled GitHub repo...

T1567.002 Exfiltration to Cloud Storage (Evidence: 2)

"...exfiltrating captured credentials on dynamically created public GitHub repositories."

Impact

1 technique
T1485 Data Destruction (Evidence: 1)

"...stole data from the S3 storage, and then destroyed it in production and cloud environments."

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (14)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.