Analytics Story: QuietVault

Description

QUIETVAULT is a JavaScript-based credential stealer, reported by Google's Threat Intelligence Group, that targets GitHub and npm tokens and exfiltrates them to a publicly accessible GitHub repository. Beyond those tokens, it invokes AI CLI tools already installed on the host with crafted prompts to search the infected system for other secrets, which it exfiltrates the same way. This reflects a broader trend of threat actors building AI-driven tooling into malware to automate secret discovery and data theft in real operations, a shift toward more adaptable malicious software.

Why it matters

Recent threat intelligence reporting describes QUIETVAULT, an AI-assisted credential stealer that quietly captures GitHub and npm tokens and then drives locally installed AI command-line tools with crafted prompts to hunt for further secrets on the machine, uploading what it finds to a public repository. Attackers are adapting AI tooling to automate deeper data harvesting, which raises both the reach and the speed of a compromise. The defensive point is that this activity leaves host-level traces: an AI CLI started with its permission checks overridden, unexpected writes to shell start-up files, and user-discovery commands such as whoami are all observable in auditd, and the detections below are built on those signals.

Detections

Name | Technique | Type
Linux Auditd AI CLI Permission Override Activated | Execution Guardrails | Anomaly
Linux Auditd Unix Shell Configuration Modification | Unix Shell Configuration Modification | TTP
Linux Auditd Whoami User Discovery | System Owner/User Discovery | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
Linux Auditd Cwd | Linux | auditd | auditd
Linux Auditd Path | Linux | auditd | auditd
Linux Auditd Proctitle | Linux | auditd | auditd
Linux Auditd Syscall | Linux | auditd | auditd
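The following is an added example, not code from this story or from Splunk's detection content: a small Python re-implementation of the three detections above, parsing the SYSCALL, CWD, PATH and PROCTITLE record types listed under Data Sources and running over constructed auditd lines (not real captures). The per-tool list of permission-override flags and the set of shell start-up file paths are assumptions chosen for illustration, not the actual search terms of the Splunk analytics.

```python
"""Toy re-implementation of the three auditd detections listed above, run over
constructed sample records. Illustrative only, not Splunk's SPL or term lists."""
import os
import re
from collections import defaultdict

# Assumption: illustrative permission-override flags per AI CLI binary name.
AI_CLI_OVERRIDE_FLAGS = {
    "claude": {"--dangerously-skip-permissions"},
    "gemini": {"--yolo", "-y"},
    "codex": {"--full-auto", "--dangerously-bypass-approvals-and-sandbox"},
}
# Assumption: shell start-up files whose modification the TTP detection flags.
SHELL_CONFIG_RE = re.compile(
    r"(^|/)\.(bashrc|bash_profile|bash_login|profile|zshrc|zprofile|zshenv)$"
    r"|^/etc/(profile|bash\.bashrc|profile\.d/[^/]+|zsh/[^/]+)$"
)
# x86_64: open(2) takes its flags in a1, openat(2) in a2; auditd logs them as bare hex.
OPEN_FLAG_ARG = {"2": "a1", "257": "a2"}
WRITE_FLAGS = 0x1 | 0x2 | 0x40 | 0x200 | 0x400  # O_WRONLY|O_RDWR|O_CREAT|O_TRUNC|O_APPEND

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")


def parse_auditd(text):
    """Group raw auditd lines into events keyed by the audit serial number."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if m:
            events[int(m.group(1))].append(dict(FIELD_RE.findall(line)))
    return events


def val(fields, key):
    return fields.get(key, "").strip('"')


def decode_proctitle(raw):
    """auditd quotes proctitle when printable, else hex-encodes it with NUL between argv items."""
    if raw.startswith('"'):
        return raw.strip('"').split()
    return [a.decode("utf-8", "replace") for a in bytes.fromhex(raw).split(b"\x00") if a]


def detect(events):
    """Return (serial, detection name, detail) for every event that matches a detection."""
    alerts = []
    for serial, records in sorted(events.items()):
        by_type = defaultdict(list)
        for rec in records:
            by_type[rec.get("type")].append(rec)
        if not by_type["SYSCALL"]:
            continue
        sc = by_type["SYSCALL"][0]
        argv = decode_proctitle(by_type["PROCTITLE"][0]["proctitle"]) if by_type["PROCTITLE"] else []
        syscall, comm, uid = sc.get("syscall"), val(sc, "comm"), val(sc, "uid")
        if syscall == "59":  # execve: AI CLI override flags and whoami discovery
            tool = os.path.basename(argv[0]) if argv else comm
            hit = AI_CLI_OVERRIDE_FLAGS.get(tool, set()) & set(argv[1:])
            if hit:
                alerts.append((serial, "Linux Auditd AI CLI Permission Override Activated",
                               f"{tool} {' '.join(sorted(hit))}"))
            if comm == "whoami" or val(sc, "exe").endswith("/whoami"):
                alerts.append((serial, "Linux Auditd Whoami User Discovery", f"whoami by uid {uid}"))
        elif syscall in OPEN_FLAG_ARG:  # open/openat with a write-capable flag on a shell rc file
            flags = int(sc.get(OPEN_FLAG_ARG[syscall], "0"), 16)
            if flags & WRITE_FLAGS:
                for path in by_type["PATH"]:
                    name = val(path, "name")
                    if SHELL_CONFIG_RE.search(name):
                        alerts.append((serial, "Linux Auditd Unix Shell Configuration Modification",
                                       f"{comm} wrote {name}"))
    return alerts


def _hex(argv):  # encode argv the way auditd encodes PROCTITLE (hex, NUL-separated)
    return "\x00".join(argv).encode().hex().upper()


# Constructed sample records (not real captures); only the fields the detector reads.
SAMPLE_AUDITD = "\n".join([
    # 101: AI CLI started with a permission-override flag -> Anomaly
    'type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=4320 pid=4321 auid=1000 uid=1000 comm="claude" exe="/usr/local/bin/claude"',
    'type=CWD msg=audit(1700000000.100:101): cwd="/home/dev/project"',
    "type=PROCTITLE msg=audit(1700000000.100:101): proctitle=" + _hex(["claude", "--dangerously-skip-permissions", "-p", "find credentials in this repo"]),
    # 102: same tool without the override flag -> no alert
    'type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=4320 pid=4322 auid=1000 uid=1000 comm="claude" exe="/usr/local/bin/claude"',
    "type=PROCTITLE msg=audit(1700000000.200:102): proctitle=" + _hex(["claude", "-p", "explain this function"]),
    # 103: a different AI CLI with its own auto-approve flag -> Anomaly
    'type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=4320 pid=4323 auid=1000 uid=1000 comm="gemini" exe="/usr/local/bin/gemini"',
    "type=PROCTITLE msg=audit(1700000000.300:103): proctitle=" + _hex(["gemini", "-y", "-p", "list api keys"]),
    # 104: openat(~/.bashrc, O_WRONLY|O_CREAT|O_APPEND = 0x441) from a node process -> TTP
    'type=SYSCALL msg=audit(1700000000.400:104): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a1b2c0 a2=441 a3=1b6 ppid=4321 pid=4400 auid=1000 uid=1000 comm="node" exe="/usr/bin/node"',
    'type=CWD msg=audit(1700000000.400:104): cwd="/home/dev"',
    'type=PATH msg=audit(1700000000.400:104): item=0 name="/home/dev/.bashrc" inode=131081 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL',
    "type=PROCTITLE msg=audit(1700000000.400:104): proctitle=" + _hex(["node", "index.js"]),
    # 105: bash reading the same file (O_RDONLY = 0) -> no alert
    'type=SYSCALL msg=audit(1700000000.500:105): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a1b3f0 a2=0 a3=0 ppid=4320 pid=4401 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash"',
    'type=PATH msg=audit(1700000000.500:105): item=0 name="/home/dev/.bashrc" inode=131081 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL',
    'type=PROCTITLE msg=audit(1700000000.500:105): proctitle="bash"',
    # 106: whoami executed -> Anomaly
    'type=SYSCALL msg=audit(1700000000.600:106): arch=c000003e syscall=59 success=yes exit=0 ppid=4321 pid=4402 auid=1000 uid=1000 comm="whoami" exe="/usr/bin/whoami"',
    'type=PROCTITLE msg=audit(1700000000.600:106): proctitle="whoami"',
])


def run_sample():
    return detect(parse_auditd(SAMPLE_AUDITD))


if __name__ == "__main__":
    for serial, name, detail in run_sample():
        print(f"{serial}: {name}: {detail}")
```

Events 102 and 105 are deliberately benign (an AI CLI run without an override flag, and bash reading its own rc file) so the checks on the flag argument and on the write-capable open flags are exercised, not just the path and process names. In a real deployment the override-flag list and the rc-file paths are the parts to keep current, and the whoami rule in particular needs tuning against legitimate scripts on the host.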

Source: GitHub | Version: 1