What we've been watching.
Recent supply-chain compromises across npm, PyPI, RubyGems, crates.io, Go modules, Packagist, NuGet, Open VSX, Docker Hub, and GitHub Actions. Curated from public vendor advisories. We list every version we can verify so the scanner picks them up directly: 1,575 package–version pairs across 96 incidents and counting.
- High10 Jul 202625 packages tracked
GitHub Advisory malware sweep — 25 npm packages (Epic Games / Unreal Engine internal-scope dependency-confusion cluster, LuminaryCloud, Reddit Voyager, nodemon family) taken down 2026-07-09 / 2026-07-10
On 2026-07-09 and 2026-07-10 GitHub's Advisory Database retired 25 CWE-506 Embedded Malicious Code npm advisories. The main story is a coordinated dependency-confusion burst against internal enterprise namespaces — Epic Games / Unreal Engine build tooling (
robomerge,unreal-horde-dashboard,ue-jenkins-buildkite,ue-automation-scripts,epic-internal-tools), LuminaryCloud (@luminarycloudinternal/*), Reddit-style Voyager UI (voyager-web,searchresults), plus workspace/microsite scopes — all replaced by npm Security within a 12-minute window on 2026-07-10 02:57–03:10 UTC. A smaller tail ofnodemon-*/chai-redirection/paperclip-adapter-helperstyposquats and 2026-07-09 throwaways (none123s,tslint-conf) rounds out the sweep.npmAffected packages25 packages · 25 versions
- npm
@businessapp-microsites/apis99.9.9 - npm
@kl-starfish/test-012.0.0 - npm
@luminarycloudinternal/frodo99.9.9 - npm
@luminarycloudinternal/lcvis-st99.9.9 - npm
chai-redirection1.0.0 - npm
crypto-promiser1.0.0 - npm
cursed-ecto-d3ab001.0.0 - npm
epic-internal-tools99.9.9 - npm
nodemon-gulp1.0.0 - npm
nodemon-patch1.0.0 - npm
nodemon-sudo1.0.0 - npm
nodepack-daemon1.0.0 - npm
none123s1.0.0 - npm
paperclip-adapter-helpers1.0.0 - npm
robomerge99.9.9 - npm
searchresults99.9.9 - npm
tslint-conf1.0.0 - npm
txs-builder-lib1.0.0 - npm
ue-automation-scripts99.9.9 - npm
ue-jenkins-buildkite99.9.9 - npm
unreal-horde-dashboard99.9.9 - npm
voyager-web99.9.9 - npm
vps-new-manager1.0.0 - npm
workspace-lint99.9.9 - npm
workspace-scripts99.9.9
npm-2026-07-10-ghsa-malware-sweepSource advisory - npm
- High8 Jul 202620 packages tracked
GitHub Advisory malware sweep — 20 npm packages (Claude-Code / Vue-CLI "clavue" typosquat cluster, `na-rony` throwaway sextet, tailwind-core, common-tg-service six-month sleeper) taken down 2026-07-08 / 2026-07-09
On 2026-07-08 and 2026-07-09 GitHub's Advisory Database retired ~20 CWE-506 Embedded Malicious Code npm advisories, continuing the July take-down cadence at ~20 packages/day. Two distinct clusters: a
clavue/ Claude-Code typosquat family (myclaude-code,clavue,clavuepro,calvuepro,clavue-agent-sdk) targeting Anthropic AI CLI developers; and a *`na-ronythrowaway sextet** — six packages published by one operator between 2026-07-08 03:22–03:39 UTC. Plus atailwind-coretyposquat carrying a real4.3.xversion history and the six-month sleepercommon-tg-service` with 547 versions.npmAffected packages20 packages · 254 versions
- npm
@calm2026/imux1.9.11.10.01.10.21.10.31.10.41.11.0 - npm
@vite-ln/build-ts5.15.105.17.0 - npm
ams-ssk1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.111.0.121.0.131.0.141.0.151.0.161.0.171.0.181.0.191.0.201.0.211.0.221.0.231.0.241.0.251.0.261.0.271.0.281.0.291.0.311.0.33 - npm
calvuepro0.1.0 - npm
clavue8.8.578.9.08.9.18.9.29.0.09.0.19.0.29.0.39.0.49.0.59.0.69.0.79.1.09.1.19.2.09.2.19.2.29.2.39.2.49.3.09.4.09.4.19.4.29.4.39.4.49.4.59.4.69.4.79.4.89.4.99.4.109.4.119.5.09.5.19.5.29.6.09.6.19.7.09.7.19.7.29.7.39.8.09.8.19.9.09.10.09.10.19.10.29.10.39.10.49.11.09.11.19.11.29.11.39.11.49.11.59.11.69.11.79.12.09.13.09.14.09.14.19.15.09.16.09.22.09.26.010.0.110.0.210.0.310.0.410.1.010.1.110.1.210.1.310.2.010.2.110.2.210.2.310.2.410.3.010.3.110.3.210.4.010.4.110.4.2 - npm
clavue-agent-sdk0.2.20.2.30.2.40.2.50.2.60.2.70.2.80.2.90.3.00.3.10.4.00.5.00.6.00.6.10.7.00.7.10.7.20.7.30.7.40.8.00.9.01.0.11.0.21.0.31.0.41.0.51.0.62.0.02.2.0 - npm
clavuepro1.0.0 - npm
common-tg-service1.0.1011.1.991.2.1001.3.247 - npm
gas-log1.1.01.1.1 - npm
karem-dp99.9.9 - npm
mci-sdk1.2.81.2.91.2.101.2.111.2.121.2.13 - npm
myclaude-code8.8.88.8.98.8.118.8.128.8.138.8.148.8.168.8.178.8.188.8.198.8.208.8.218.8.228.8.238.8.248.8.258.8.268.8.278.8.288.8.308.8.318.8.328.8.338.8.348.8.358.8.378.8.388.8.398.8.408.8.418.8.428.8.43-beta.08.8.43-beta.18.8.43-beta.28.8.43-beta.38.8.43-beta.48.8.43-beta.58.8.43-beta.68.8.43-beta.78.8.43-beta.88.8.43-beta.98.8.43-beta.108.8.43-beta.118.8.448.8.458.8.468.8.478.8.488.8.498.8.508.8.518.8.528.8.538.8.548.8.558.8.568.8.57 - npm
na-rony1.1.21.1.31.1.41.1.599.9.9 - npm
na-rony-test99.9.9 - npm
na-rony-test-karem1.0.0 - npm
nam-os-a-man1.0.0 - npm
promo-helper1.0.01.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.111.0.121.0.131.0.141.0.151.0.16 - npm
rony-testing99.9.9 - npm
tailwind-core0.0.04.3.04.3.14.3.2 - npm
vite-json-pwa1.1.11.1.2
npm-2026-07-08-ghsa-malware-sweepSource advisory - npm
- High7 Jul 202662 packages tracked
GitHub Advisory malware sweep — ~65 npm packages (AI-SDK typosquat cluster, Solana base58/wallet drainers, SQLite scoped fakes, Nuxt/Chai continuation) taken down 2026-07-07 / 2026-07-08
On 2026-07-07 GitHub's Advisory Database retired ~65 CWE-506 Embedded Malicious Code npm advisories (plus a small 2-package 2026-07-08 tail), the second-largest single-day 2026 GHSA npm-malware sweep after 2026-07-06. Distinct clusters: an AI-SDK typosquat family (
openai-agents-helpers,ollama-helpers,anthropic-toolkit,@langgraphjs/toolkit,ai-sdk-helpers,mcp-server-pg), Solanabase58wallet-drainer names,@sqlite-list/*/@sqlite-access/*throwaway scopes, Nuxt/Chai continuations, plus thewhs4_*sextet.npmAffected packages62 packages · 212 versions
- npm
@43uh3ig43/telemetry-client99.0.1 - npm
@apexcraft/nano-key1.2.41.2.51.3.21.3.3 - npm
@aspect-security/argon21.0.01.0.1 - npm
@engagehub/core99.0.0 - npm
@engagehub/test-claim1.0.0 - npm
@langgraphjs/toolkit1.2.13 - npm
@sqlite-access/nodesql1.0.2 - npm
@sqlite-list/createsql1.0.0 - npm
@sqlite-list/schema-generator1.0.2 - npm
@sqlite-list/sql-creator1.0.61.0.7 - npm
ai-sdk-helpers1.4.5 - npm
annotator-harvardx9.0.2 - npm
anthropic-toolkit1.3.1 - npm
base58-cli1.0.01.0.11.0.21.0.31.0.41.0.5 - npm
base58-core1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.101.0.111.0.12 - npm
brunomenozzi-test-pkg1.0.0 - npm
chai-chain-dom1.3.71.3.81.3.9 - npm
chai-sdk1.4.71.4.8 - npm
chai-spycore1.1.01.5.3 - npm
crypto-base581.0.01.0.11.0.21.0.31.0.4 - npm
debugcli4.3.44.3.54.3.64.3.74.3.84.3.94.4.1 - npm
evm-typechain0.5.4 - npm
express-deflect1.3.11.6.91.6.101.6.12 - npm
express-firegate1.3.51.4.01.4.51.4.61.5.11.5.51.6.11.6.31.6.51.6.71.6.81.6.9 - npm
gen-ai-opt-in99.0.099.0.199.0.2 - npm
harmony-enablers-test-20261.0.0 - npm
hello244a1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.111.0.121.0.131.0.141.0.151.0.161.0.171.0.181.0.191.0.201.0.211.0.221.0.231.0.241.0.251.0.261.0.271.0.281.0.291.0.301.0.311.0.321.0.331.0.341.0.351.0.361.0.371.0.381.0.391.0.401.0.411.0.421.0.431.0.441.0.45 - npm
hook-augmenting-module99.0.3 - npm
jsf-utils0.3.11.3.1 - npm
load-nuxt99.0.3 - npm
load-nuxt-dev99.0.3 - npm
mcp-server-pg0.1.00.1.10.1.20.1.30.2.00.2.10.3.00.3.10.4.00.5.00.6.00.7.00.8.00.9.01.0.01.0.11.1.01.1.11.2.01.2.11.2.2 - npm
nodemon-node3.1.16 - npm
nonexistent-package99.0.3 - npm
notifier-utils1.3.71.3.81.3.91.4.0 - npm
nuxt-fonts-devtools99.0.3 - npm
ollama-helpers1.2.3 - npm
openai-agents-helpers1.3.3 - npm
pinokio-redis1.0.127 - npm
polytrade2.4.1 - npm
rnx-align-deps99.0.7 - npm
runtimedev-link1.0.01.0.11.0.21.0.31.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.14 - npm
shopify-internel99.0.1 - npm
solana-address-codec1.0.01.0.11.0.21.0.31.0.41.0.5 - npm
some-theme99.0.3 - npm
syco11.0.31.0.41.0.5 - npm
sypoi11.0.01.0.11.0.2 - npm
tailwind-animator-scroll1.7.0 - npm
tailwindcss-effector1.7.0 - npm
ts-await3.1.8 - npm
tx-guard-snap1.0.0 - npm
typescript-base581.0.0 - npm
warp-dependency1.0.01.0.1 - npm
whs4_nmp1.0.01.0.1 - npm
whs4_npm1.0.0 - npm
whs4_npm_test1.0.01.0.11.0.21.0.3 - npm
whs4_pnm1.0.0 - npm
wsh4_npm1.0.0 - npm
wsh4-nmp1.0.0 - npm
zod-pino4341.0.1271.0.128 - npm
zod-pino4441.0.1281.0.1291.0.1301.0.131 - npm
zredis-typed1.0.127
npm-2026-07-07-ghsa-malware-sweepSource advisory - npm
- Critical7 Jul 202610 packages tracked
Coordinated npm + PyPI campaign typosquats Paysafe / Skrill / Neteller payment SDKs, exfiltrates keys to AWS
Socket detected a coordinated cross-registry campaign on 2026-07-07 12:56 UTC: 13 npm and 4 PyPI packages impersonating the Paysafe / Skrill / Neteller payment SDKs, exposing plausible legitimate APIs but shipping a credential-theft module that harvests
KEY/SECRET/TOKEN/PASS/AUTH/APIenv vars and Paysafe API keys and exfiltrates them to attacker-controlled AWS infrastructure. All npm versions unpublished ~2026-07-08 00:25 UTC.npmPyPIAffected packages12 packages · 39 versions
- npm
paysafe-api1.0.01.0.11.0.21.0.3 - PyPI
paysafe-api1.0.0 - npm
paysafe-cards1.0.01.0.11.0.21.0.3 - npm
paysafe-checkout1.0.01.0.11.0.21.0.3 - npm
paysafe-js1.0.01.0.11.0.21.0.3 - npm
paysafe-node1.0.01.0.11.0.21.0.3 - npm
paysafe-payments1.0.01.0.11.0.21.0.3 - PyPI
paysafe-payments1.0.0 - PyPI
paysafe-sdk1.0.0 - npm
paysafe-vault1.0.01.0.11.0.21.0.3 - npm
skrill-payments1.0.01.0.11.0.21.0.3 - npm
skrill-sdk1.0.01.0.11.0.21.0.3
multi-2026-07-07-paysafe-skrill-payment-sdk-typosquatSource advisory - npm
- High6 Jul 2026162 packages tracked
GitHub Advisory malware sweep — ~155 npm packages (logger/tailwind/eslint/bignumber typosquats, polymarket-onchain-* crypto-drainers) taken down 2026-07-06
On 2026-07-06 GitHub's Advisory Database published ~155 CWE-506 Embedded Malicious Code advisories against npm packages — the largest single-day 2026 GHSA npm-malware sweep to date. The batch clusters into six naming families: chalk/pino/winston/
*-loggerpretty-print typosquats, tailwindcss/vite typosquats, eslint /*-lint-*helper squats, bignumber.js / crypto-math typosquats, chai*-as-*matcher squats, and twopolymarket-onchain-*crypto-drainer slugs continuing the June cluster. npm replaced every name with0.0.1-security.npmAffected packages162 packages · 429 versions
- npm
@jaime9008/math-service1.0.01.0.11.0.2 - npm
argonflux2.0.1 - npm
awesome-cli-logger1.0.01.2.0 - npm
big-numer5.0.5 - npm
big-numerate5.0.3 - npm
big-numerator5.0.35.0.6 - npm
big256-ts5.0.35.0.4 - npm
bigint.fs5.0.55.0.6 - npm
bigint.os5.0.55.0.65.0.75.0.8 - npm
bjs-biginteger5.0.55.0.6 - npm
bjs-lint-builder1.0.5 - npm
bjs-lint-builders1.0.41.0.51.1.0 - npm
bn-eslint.js8.0.5 - npm
bn-math1.0.01.0.1 - npm
bootstrap-utils4.5.05.1.1 - npm
btd-smart1.0.21.0.3 - npm
bubblestr1.1.4 - npm
bytecore5.3.1 - npm
chai-as-decrypted4.2.8 - npm
chai-as-init1.4.51.4.61.4.77.0.6 - npm
chai-as-polished7.0.8 - npm
chai-dec2.3.5 - npm
chai-guard1.0.01.2.3 - npm
chain-await-test1.3.5 - npm
chalk-logger-prettier1.0.11.0.21.0.31.0.41.0.51.0.71.0.8 - npm
chalk-plus-ts1.0.31.0.4 - npm
chalk-prettier1.0.81.0.9 - npm
chalk-pro-logger1.1.11.1.2 - npm
chalki-pretty1.0.0 - npm
chalks-logger1.0.91.1.01.1.11.1.21.1.3 - npm
cjs-biginteger5.0.35.0.55.0.6 - npm
classbreeze-utils0.7.70.7.80.7.90.7.10 - npm
color-cli-log2.0.02.1.0 - npm
color-logger-console3.1.83.1.9 - npm
competion1.8.11.8.21.8.31.8.4 - npm
cookie-ease1.0.01.0.51.0.61.0.71.0.81.0.91.1.11.1.21.1.31.1.5 - npm
custom-log-viewer1.0.0 - npm
db-query-log1.0.11.0.2 - npm
debug-glitzs1.0.01.0.11.0.21.0.31.0.4 - npm
devkit-scripts1.0.01.0.3 - npm
df-vision0.0.11.1.701.1.711.1.721.1.731.1.741.1.751.1.761.1.771.1.781.1.79 - npm
dotenv-express2.5.517.4.217.4.317.4.417.4.517.4.6 - npm
elevate-log2.0.5 - npm
emojiprint-logger1.1.05.6.2 - npm
emojiprint-prettier1.0.9 - npm
env-axios1.3.6 - npm
environment-gate7.3.57.3.6 - npm
es-lint-builders1.0.01.0.31.0.41.0.5 - npm
es-lint-entry1.0.0 - npm
eslint-helper4.0.14.0.2 - npm
eslint-vite1.0.01.0.11.0.2 - npm
eth-logger4.3.204.3.21 - npm
eth-tick7.4.177.4.18 - npm
ether-bn.js1.0.01.0.31.1.11.2.11.3.11.3.31.3.41.4.01.4.1 - npm
express-dotenv1.3.5 - npm
express-guardrail1.3.51.4.1 - npm
express-initial12.1.712.1.812.1.912.1.10 - npm
express-session-js1.0.01.19.0 - npm
fastnodemailer8.0.28.0.38.0.4 - npm
graphpilot0.1.00.1.10.1.20.1.30.1.41.0.0 - npm
grid-settings-align14.1.114.1.2 - npm
hjs-biginteger5.0.5 - npm
hjs-lint-builders1.0.4 - npm
js-crypto-promise1.0.1 - npm
js-unimode1.1.11.1.21.1.31.1.41.1.51.1.61.1.71.1.81.1.91.1.10 - npm
jsontoken-extend1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.111.0.121.0.13 - npm
jsonupper1.0.05.1.0 - npm
lint-builders1.0.0 - npm
lint-builds1.0.01.0.5 - npm
lint-nule1.0.4 - npm
lint-nuler1.0.4 - npm
lint-null1.0.4 - npm
linter-entry1.0.0 - npm
log-format-thread1.0.01.0.1 - npm
log-upgrade7.1.0 - npm
logger-beauty1.0.11.0.21.0.31.1.02.1.1 - npm
metrica-chain2.4.5 - npm
metrica-node2.4.5 - npm
mjs-biginteger5.0.55.0.6 - npm
modulyn1.0.1 - npm
mongoose-json-format3.0.03.0.1 - npm
mongoose-lean-hooks0.5.20.5.30.5.40.5.50.5.60.5.7 - npm
motion-lib2.3.5 - npm
next-bignumber.js1.0.0 - npm
node-env-detector1.0.01.0.1 - npm
nodepathbalance541.1.0 - npm
normalize-path-seq3.8.9 - npm
npm-doc-dev1.0.41.0.51.0.61.0.71.0.81.0.91.1.01.1.1 - npm
npm-eslint-helper1.0.1 - npm
older_morgan1.0.11.0.2 - npm
peptideenv16.6.116.6.216.6.316.6.416.6.516.6.6 - npm
picocolor-logger1.0.01.0.11.0.2 - npm
pino-formatter1.1.121.1.13 - npm
pino-pretty-logs1.0.71.0.81.1.02.0.0 - npm
pino-sdk-v29.9.0 - npm
pino-utils1.3.61.4.0 - npm
polymarket-onchain-plugin2.1.32.1.42.1.5 - npm
polymarket-onchain-sdk1.0.21.0.31.0.4 - npm
prettier-logger0.1.40.1.50.1.6 - npm
pretty-pino-logger1.0.01.0.11.0.21.0.31.0.42.0.12.0.2 - npm
pretty-pino-loggers1.0.1 - npm
random-string-641.0.01.0.1 - npm
react-check-error2.1.62.1.7 - npm
react-native-template-my-starter1.0.0 - npm
react-next-dom1.0.01.1.717.2.717.2.8 - npm
react-svg-render1.0.2 - npm
renderctx1.1.1 - npm
request-js-validator1.0.21.0.31.0.4 - npm
rma-utils1.0.1 - npm
rollup-plugin-polyfill-handler1.0.01.0.1 - npm
router-kit0.1.10.1.20.1.30.1.40.1.50.1.60.1.70.2.00.2.10.2.20.2.30.2.51.0.01.0.11.0.21.0.31.2.01.2.11.2.21.2.31.2.41.2.51.2.61.3.01.3.11.3.21.3.31.3.42.0.02.0.12.1.0 - npm
safe-validate1.0.11.0.21.0.31.0.4 - npm
secure-box1.0.11.0.2 - npm
set-proto-chain1.0.3 - npm
sjs-biginteger5.0.55.0.6 - npm
sjs-builder1.0.41.0.5 - npm
sjs-builders1.0.4 - npm
sjs-lint-build11.0.4 - npm
sleek-pretty1.0.0 - npm
sol-sdk2.3.18 - npm
st-biginteger5.0.5 - npm
st-bigintr5.0.55.0.6 - npm
stacknova1.0.0 - npm
styled-text-logger1.3.1 - npm
subsearch1.0.21.0.3 - npm
syncora0.2.03.5.7 - npm
tailstyle-core0.0.1 - npm
tailwind-fonttype-inter2.3.2 - npm
tailwind-scroller1.0.2 - npm
tailwind-typography-plus2.1.0 - npm
tailwindcss-animatecss-latest2.1.02.1.1 - npm
tailwindcss-fonttype-inter2.3.12.3.2 - npm
tailwindcss-fonttypo-inter2.3.2 - npm
tailwindcss-framer-motion1.1.3 - npm
tailwindcss-svg-helper1.17.91.18.0 - npm
test-prettier1.0.9 - npm
theta-connector1.0.0 - npm
theta-kit1.0.01.0.11.0.21.0.3 - npm
ts-bigtn1.3.11.3.2 - npm
ts-build-optimize1.1.51.1.61.2.01.2.11.2.2 - npm
ts-eslint-helper4.0.14.0.24.0.34.0.44.0.5 - npm
ts-eslinter1.0.0 - npm
ts-lint-builders1.0.5 - npm
ts-lint-builds1.0.5 - npm
ts-relayer-pub1.0.0 - npm
ts-webplug3.0.53.0.63.0.73.0.8 - npm
tsliverhome1.0.01.1.11.1.21.1.31.1.41.1.5 - npm
twcompose-utils0.7.60.7.7 - npm
txs-data1.0.1 - npm
typedecode1.0.11.0.21.0.3 - npm
unique-id-641.0.0 - npm
vite-config-field1.1.01.1.11.1.21.1.31.1.41.1.5 - npm
vite-plugin-compress-js0.5.40.5.50.5.60.5.7 - npm
vite-plugin-svg-paths1.1.51.1.61.1.71.1.81.1.9 - npm
web-pool2.3.5 - npm
webpack-cache-clean0.1.4 - npm
webpack-patch1.1.71.1.81.1.91.2.0 - npm
wime-zle1.1.4 - npm
windrule-utils0.0.1 - npm
winston-js-express1.0.01.0.31.0.41.0.51.0.61.0.71.1.11.1.2 - npm
winston-prism1.0.1 - npm
xnder-sdk-js0.1.0
npm-2026-07-06-ghsa-malware-sweepSource advisory - npm
- High4 Jul 20265 packages tracked
paperclip2 / vps-maintenance postinstall reverse shell to 185.112.147.174:7007
On 2026-07-04 the OX Research team disclosed npm packages —
paperclip2,vps-maintenance,vps-maintenance-paperclip-adapter— published by usersrm0rganthat hide apostinstallreverse shell to185.112.147.174:7007insidepackage.json.paperclip2ships with no JavaScript files at all, defeating static scanners that only inspect.js. Two follow-on names —paperclip-host-utilsandvps-adapter-core— landed 2026-07-07 and joined the same GHSA takedown.npmAffected packages5 packages · 14 versions
- npm
paperclip-host-utils1.0.01.0.21.0.31.0.41.0.51.0.61.0.7 - npm
paperclip21.0.0 - npm
vps-adapter-core1.0.01.0.11.0.2 - npm
vps-maintenance0.1.0 - npm
vps-maintenance-paperclip-adapter0.1.10.1.2
npm-2026-07-04-paperclip2-reverse-shellSource advisory - npm
- High3 Jul 202614 packages tracked
GitHub Advisory malware sweep — 14 npm packages (TypeScript/API util family, SQL/node-cloud scoped cluster, `@lodash-en` typosquat) taken down 2026-07-03
On 2026-07-03 GitHub's Advisory Database dropped 14 CWE-506 Embedded Malicious Code advisories against npm packages, all retired inside a ~30-minute window (15:36–16:06 UTC). The sweep spans three distinct micro-clusters: an unscoped
*-node-utils/*-api-*TypeScript/API-helper family (5 packages, 20+ versions), a SQL-and-cloud scoped cluster on personal namespaces (@sql-access/,@sqlite-node/,@sql-trigger/,@node-cloud/), and three miscellaneous typosquats including@lodash-en/lodash-en. npm replaced every name with0.0.1-security.npmAffected packages14 packages · 73 versions
- npm
@antoncarlos1/nodelamp1.0.01.0.1 - npm
@jacobtan/decode-sdk1.0.0 - npm
@lodash-en/lodash-en1.4.111.5.0 - npm
@node-cloud/create1.0.01.0.11.0.21.0.31.0.41.0.51.0.6 - npm
@sql-access/nodesql1.0.01.0.31.0.51.0.61.0.71.0.81.0.91.1.01.1.11.1.21.1.31.1.41.1.51.1.61.1.71.1.81.1.9 - npm
@sql-trigger/nodesql1.0.01.0.11.0.2 - npm
@sqlite-node/createsql1.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.1.01.1.11.1.21.1.31.1.41.1.51.1.7 - npm
alder_morrgan1.0.01.0.1 - npm
api-node-utils2.2.4 - npm
api-ts-utils1.0.02.1.32.1.43.2.13.2.23.4.73.4.83.4.93.5.9 - npm
decode-sdks1.0.01.0.11.0.21.0.3 - npm
ts-node-utils8.0.18.0.48.0.6 - npm
typescript-util-core3.5.07.1.37.1.57.1.6 - npm
web-api-node1.3.21.3.3
npm-2026-07-03-ghsa-malware-sweepSource advisory - npm
- Critical3 Jul 20266 packages tracked
JFrog: Lazarus / OtterCookie `rollup-*-polyfill-core` npm campaign — 6 packages steal AI-coder credentials, browser data and crypto wallets
JFrog Security Research disclosed a 6-package DPRK / Contagious Interview npm campaign that mimics the legitimate
rollup-plugin-polyfill-nodeproject down to its metadata. First-stage packages carry a base64-encodednpm installthat fetches an SVG-utility-shaped second stage; the second stage evaluates a payload pulled from JSONKeeper and steals credentials for AWS, Azure, Google Gemini, Anthropic Claude, Windsurf, Cursor, VS Code, SSH and Zsh, plus browser data and crypto wallets. Two of the first-stage packages are STILL live on npm as of 2026-07-04.npmAffected packages6 packages · 37 versions
- npm
quirky-token1.0.01.0.11.0.2 - npm
react-icon-svgs1.0.01.0.11.0.22.15.3 - npm
rollup-packages-polyfill-core0.0.00.5.00.12.30.13.00.13.10.13.20.13.30.13.40.13.50.13.60.13.70.13.8 - npm
rollup-plugin-polyfill-connect1.0.11.0.21.0.3 - npm
rollup-runtime-polyfill-core0.0.10.12.50.13.00.13.10.13.20.13.30.13.40.13.50.13.60.13.70.13.80.13.90.14.0 - npm
swift-parse-stream1.0.01.0.2
npm-2026-07-03-jfrog-lazarus-rollup-polyfill-ottercookieSource advisory - npm
- High2 Jul 20269 packages tracked
GitHub Advisory malware sweep — 9 npm packages (tailwind/animate typosquats, db-* cluster, `vitest-agent`) taken down 2026-07-02
On 2026-07-02 GitHub's Advisory Database dropped 9 CWE-506 Embedded Malicious Code advisories against npm packages published between 2026-05-24 and 2026-07-01. Three distinct micro-clusters were retired within minutes of each other: a Tailwind/animate typosquat trio (
animatecss-postcss-plugin,tailwind-animates,tailwind-typography-stylecss), adb-*/cache-*fake-utility quartet, and the standalonevitest-agentVitest typosquat plus one scoped React Native template. npm replaced every name with a0.0.1-securityholding tarball.npmAffected packages9 packages · 22 versions
- npm
@modhamanish/rn-mm-template1.0.11.0.21.0.31.0.41.0.51.1.01.1.11.1.21.1.3 - npm
animatecss-postcss-plugin1.0.01.0.1 - npm
cache-section-helper1.0.7 - npm
db-connector-log1.0.01.0.1 - npm
db-convertor1.0.5 - npm
db-plog1.0.01.0.1 - npm
tailwind-animates1.0.1 - npm
tailwind-typography-stylecss0.8.3 - npm
vitest-agent1.0.01.0.51.0.6
npm-2026-07-02-ghsa-malware-sweepSource advisory - npm
- High1 Jul 20263 packages tracked
`clx-cookieparser` + `clx-cookie-signature` cookie-parser impersonators — DGA-driven RAT dropper cluster (GHSA dropped 2026-06-29, updated 2026-07-01)
clx-cookieparser(7 versions1.4.4–1.5.1) andclx-cookie-signature@1.2.1impersonate Express'scookie-parser/cookie-signature. Both hide a dropper that XOR-derives a C2 IP from key0x496AAC7E, then fetches andevalsstartup.js— no install hook, execution fires on first API call. GHSA-jpg2-3r22-63v7 / GHSA-vwwm-x6xj-cfmf, refreshed 2026-07-01.npmAffected packages3 packages · 14 versions
- npm
clx-cookie-signature1.2.1 - npm
clx-cookieparser1.4.41.4.51.4.61.4.71.4.81.4.91.5.1 - npm
express-cookie-parser1.4.71.4.81.4.91.4.101.4.111.4.12
npm-2026-07-01-clx-cookie-dga-dropperSource advisory - npm
- High1 Jul 20268 packages tracked
`@marketfront` dependency-confusion Wave 4 — 25 npm packages batch-published at `7.0.0` reuse the "Internal package — Platform Engineering Team" lure
On 2026-07-01 22:59 UTC the npm account
marketfrontcreated the@marketfrontscope and batch-published 25 e-commerce / marketing-frontend packages in a ~3-minute window, all at version7.0.0. Every package carries a postinstall credential-file harvester (~20 secret files including~/.ssh,~/.aws/credentials,~/.kube/config,~/.npmrc,~/.env) and the identical README lure "Internal package — Platform Engineering Team" — Wave 4 of the SafeDep-trackedoob.moika.techoperator lineage.npmAffected packages8 packages · 8 versions
- npm
@marketfront/bannerpopup7.0.0 - npm
@marketfront/customdealsfeed7.0.0 - npm
@marketfront/designsystemdevtool7.0.0 - npm
@marketfront/fashiononboardingpopup7.0.0 - npm
@marketfront/footer7.0.0 - npm
@marketfront/header7.0.0 - npm
@marketfront/livestreampreviewpopup7.0.0 - npm
@marketfront/navbar7.0.0
npm-2026-07-01-marketfront-dep-confusion-wave4Source advisory - npm
- High1 Jul 20264 packages tracked
ChocoPoC — trojanized CVE PoC repos deliver ChocoPoC RAT via malicious PyPI packages frint / skytext (Mapbox dataset dead-drop C2)
Joint Sekoia / YesWeHack disclosure on 2026-07-01: at least seven trojanized CVE proof-of-concept repositories on GitHub silently pull the malicious PyPI package
frint, which depends onskytext.skytextships a precompiled native extension (gradient.so/gradient.pyd) that deploys "ChocoPoC" — a Python RAT with shell/Python command execution, browser-credential theft, and Mapbox Dataset API dead-drop C2. Targets vulnerability researchers and pentesters cloning PoC repos. ~2,400 downloads ofskytextbefore takedown.PyPIAffected packages4 packages · 0 versions
- PyPI
frint - PyPI
logcrypt.cryptography - PyPI
skytext - PyPI
slogsec
pypi-2026-07-01-chocopoc-frint-skytextSource advisory - PyPI
- High30 Jun 202618 packages tracked
GitHub Advisory malware sweep — 20+ npm packages (chai-as-*, brock-*, rebrandly-*, dep-confusion + typosquat batch) taken down 2026-06-30
On 2026-06-30 GitHub's Advisory Database dropped a coordinated batch of ~25 CWE-506 Embedded Malicious Code advisories against unrelated npm packages published between 2026-05-27 and 2026-06-30. The batch mixes at least four distinct sub-clusters:
chai-as-persisted/chai-as-assured(Chai typosquats),brock-loader/brock-react-alerts(with a9999.0.0dep-confusion tag), therebrandly-domains-*pair (both9999.0.0), and a wider fan-out of standalone malicious names.npmAffected packages18 packages · 43 versions
- npm
agent-starter-pack0.0.1 - npm
brock-loader1.9.9 - npm
brock-react-alerts1.99.999999.0.0 - npm
chai-as-assured6.0.47.1.2 - npm
chai-as-persisted4.2.86.1.9 - npm
confluent-kafka-javascript0.0.1 - npm
endpointmap2.1.03.0.0 - npm
nbmolviz-js0.0.1 - npm
postcss-property-rollup0.0.1 - npm
procwire1.3.02.0.0 - npm
quoting0.1.0 - npm
rebrandly-domains-digger9999.0.0 - npm
rebrandly-domains-search-client9999.0.0 - npm
rs-biginteger6.1.36.1.5 - npm
setup-cicd0.0.1 - npm
terminal-prettier1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.1.01.1.11.1.21.1.31.1.41.1.51.1.61.1.71.1.81.1.9 - npm
ts-lint-builders-v2.12.1.0 - npm
ts-linting-builder2.1.2
npm-2026-06-30-ghsa-malware-sweepSource advisory - npm
- High30 Jun 202621 packages tracked
GHSA-flagged malware brands — 16 autotel-*, 4 awaitly-*, and `ai-sdk-ollama` packages (Nov 2025–Jun 2026) marked embedded-malicious-code on 2026-06-29/30
GitHub's Advisory Database dropped CWE-506 (Embedded Malicious Code) records on 2026-06-29 and 2026-06-30 against 21 npm "brand" packages built up over months: the entire
autotel-*observability family (16 packages, 400+ versions), theawaitlypromise-utility family (4 packages, ~180 versions), and theai-sdk-ollamaVercel AI-SDK typosquat (55 versions). Every published version of every listed package is now classified as malware.npmAffected packages21 packages · 939 versions
- npm
ai-sdk-ollama0.1.00.2.00.3.00.4.00.5.00.5.10.5.20.5.30.5.40.5.50.6.00.6.10.6.20.7.00.8.00.8.10.9.00.10.00.10.10.11.00.12.00.13.00.13.11.0.01.0.11.0.21.1.01.1.12.0.02.0.12.1.02.2.02.2.13.0.03.0.13.1.03.1.13.2.03.3.03.4.03.5.03.6.03.7.03.7.13.8.03.8.13.8.23.8.33.8.43.8.53.8.63.8.73.8.84.0.04.0.0-beta.0 - npm
autotel-backends2.0.12.1.02.2.02.2.12.2.22.2.32.2.42.2.52.2.62.3.02.3.12.4.02.4.12.5.02.5.12.6.02.7.02.7.12.7.22.8.02.8.12.8.22.8.32.8.42.9.02.9.12.10.02.11.02.11.12.11.22.11.32.11.42.12.02.12.12.12.22.12.32.12.42.12.52.12.62.12.72.12.82.12.92.12.102.12.132.12.142.12.152.12.162.12.172.12.182.12.192.12.202.12.212.12.222.12.232.12.242.12.252.12.262.12.272.12.282.12.292.12.302.12.312.12.322.12.332.12.342.12.352.12.36 - npm
autotel-cli0.1.00.4.00.4.10.4.20.5.00.6.00.7.00.7.10.8.00.8.10.8.20.8.30.8.40.8.60.8.70.8.80.8.90.8.100.8.110.8.120.8.130.8.140.8.150.9.00.9.10.10.00.11.0 - npm
autotel-drizzle0.0.10.0.20.0.30.0.40.0.50.0.60.0.70.0.80.0.90.0.100.0.110.0.140.0.150.0.160.0.170.0.180.0.190.0.200.0.210.0.220.0.230.0.240.0.250.0.260.0.270.0.280.0.290.0.300.0.310.0.320.0.330.0.340.0.350.0.360.0.37 - npm
autotel-eventcatalog1.0.01.0.12.0.02.0.13.0.03.0.14.0.04.0.14.0.25.0.05.0.15.0.26.0.07.0.08.0.09.0.010.0.011.0.0 - npm
autotel-hono0.1.00.1.10.1.20.2.00.3.00.3.10.3.20.3.30.3.40.4.00.4.10.4.20.4.30.4.40.4.50.4.60.4.70.4.80.4.90.4.100.4.130.4.140.4.150.4.160.4.170.4.180.4.190.4.200.4.210.4.220.4.230.4.240.4.250.4.260.4.270.4.280.4.290.4.300.4.310.4.320.4.330.4.340.4.350.4.36 - npm
autotel-mcp0.1.10.1.20.1.30.1.40.1.70.1.80.1.90.1.100.1.110.1.120.1.130.1.140.1.150.1.162.0.02.0.13.0.03.0.14.0.04.0.15.0.05.0.16.0.06.0.17.0.07.0.18.0.08.0.19.0.09.0.110.0.010.0.111.0.011.0.113.0.013.0.114.0.014.0.115.0.015.0.115.0.216.0.016.0.117.0.017.0.117.0.218.0.018.0.119.0.019.0.120.0.020.0.121.0.021.1.021.1.122.0.022.0.123.0.023.0.124.0.024.0.125.0.025.0.126.0.026.0.126.0.227.0.027.0.128.0.028.0.128.0.228.0.329.0.029.0.1 - npm
autotel-mcp-instrumentation29.0.029.0.129.0.230.0.030.0.330.0.430.0.531.0.031.0.132.0.032.0.133.0.033.0.133.0.234.0.034.0.134.0.235.0.036.0.037.0.038.0.039.0.040.0.0 - npm
autotel-mongoose0.0.10.0.20.0.31.0.01.0.11.0.22.0.02.0.32.0.42.0.53.0.03.0.14.0.04.0.15.0.05.0.15.0.26.0.06.0.16.0.27.0.08.0.08.1.09.0.010.0.010.1.010.1.111.0.012.0.0 - npm
autotel-pact0.2.00.2.10.2.21.0.01.0.11.0.21.0.31.0.42.0.03.0.04.0.05.0.06.0.07.0.07.0.17.0.2 - npm
autotel-playwright0.1.00.2.00.2.10.3.00.4.00.4.10.4.20.4.30.4.40.4.50.4.60.4.70.4.80.4.90.4.100.4.110.4.120.4.130.4.140.4.150.4.160.4.190.4.200.4.210.4.220.4.230.4.240.4.250.4.260.4.270.4.280.4.290.4.300.4.310.4.320.4.330.4.340.4.350.4.360.4.370.4.380.4.390.4.400.4.410.4.42 - npm
autotel-plugins0.4.00.5.00.6.00.6.10.6.20.6.30.6.40.6.50.6.60.7.00.7.10.8.00.8.10.9.00.9.10.10.00.11.00.11.10.11.20.12.00.12.10.13.00.14.00.14.10.15.00.15.10.16.00.17.00.18.00.18.10.18.20.18.30.19.00.19.10.19.20.19.30.19.40.19.50.19.60.19.70.19.80.19.90.19.100.19.130.19.140.19.150.19.160.19.170.19.180.19.190.19.200.19.210.19.220.19.230.19.240.19.250.19.260.19.270.19.280.19.290.19.300.19.310.19.320.19.330.19.340.19.350.19.36 - npm
autotel-sentry0.1.00.1.10.1.20.2.00.3.00.4.00.4.10.4.20.4.30.5.00.5.10.5.20.5.30.5.40.5.50.5.60.5.70.5.80.5.100.5.110.5.120.5.130.5.140.5.150.5.160.5.17 - npm
autotel-subscribers4.0.04.1.04.1.15.0.05.0.16.0.06.0.17.0.07.0.18.0.08.0.19.0.09.0.110.0.010.0.111.0.011.0.112.0.012.0.113.0.013.0.114.0.014.1.014.1.115.0.015.0.116.0.016.0.116.0.217.0.017.0.118.0.018.0.118.0.218.0.319.0.019.0.120.0.020.0.121.0.021.0.122.0.022.0.122.0.223.0.023.0.123.0.224.0.024.0.125.0.025.0.126.0.026.0.127.0.027.0.127.0.228.0.028.0.128.0.229.0.029.0.129.0.229.0.329.0.429.0.529.0.630.0.030.0.130.0.230.0.330.0.431.0.031.0.331.0.431.1.031.1.131.1.231.1.331.1.432.0.032.0.132.1.033.0.034.0.034.1.034.1.135.0.035.0.135.0.236.0.037.0.038.0.039.0.040.0.041.0.041.0.141.0.2 - npm
autotel-tanstack1.1.01.2.01.2.11.4.01.4.11.4.21.5.01.5.11.6.01.7.01.7.11.7.21.8.01.8.11.8.21.8.31.8.41.9.01.9.11.10.01.11.01.12.01.12.11.12.21.12.31.13.01.13.11.13.21.13.31.13.41.13.51.13.61.13.71.13.81.13.91.13.101.13.111.13.141.13.151.13.161.13.171.13.181.13.191.13.201.13.211.13.221.13.231.13.241.13.251.13.261.13.271.13.281.13.291.13.301.13.311.13.321.13.331.13.341.13.351.13.361.13.371.13.38 - npm
autotel-vitest0.1.00.2.00.3.00.3.10.3.20.3.30.3.40.3.50.4.00.4.10.4.20.4.30.4.40.4.50.4.60.4.70.4.80.4.90.4.100.4.130.4.140.4.150.4.160.4.170.4.180.4.190.4.200.4.210.4.220.4.230.4.240.4.250.4.260.4.270.4.280.4.290.4.300.4.310.4.320.4.330.4.340.4.350.4.36 - npm
autotel-web1.1.01.2.01.4.01.4.11.5.01.6.01.6.11.7.01.7.11.8.01.9.01.10.01.10.11.11.01.11.11.11.21.11.51.11.61.12.01.12.11.12.21.12.31.12.41.12.5 - npm
awaitly1.0.01.1.01.2.01.3.01.4.01.5.01.5.11.6.01.7.01.8.01.9.01.10.01.11.01.12.01.13.01.14.01.15.01.16.01.17.01.18.01.19.01.20.01.21.01.22.01.23.01.24.01.25.01.26.01.27.01.28.01.29.01.30.01.31.01.31.11.32.01.32.11.33.01.33.11.33.21.33.31.33.41.34.0 - npm
awaitly-analyze0.10.10.11.00.12.00.12.10.12.20.13.00.14.00.14.10.15.00.16.00.17.00.18.00.19.00.20.00.21.00.22.00.22.10.23.00.23.10.23.20.23.40.24.00.24.10.24.20.24.30.25.00.25.11.0.01.1.01.1.12.0.02.0.13.0.03.0.14.0.04.0.15.0.05.0.16.0.06.0.17.0.07.0.18.0.08.0.1 - npm
awaitly-libsql0.1.00.1.11.0.01.0.12.0.02.0.13.0.03.0.14.0.04.0.15.0.05.0.16.0.06.0.17.0.07.0.18.0.08.0.19.0.09.0.110.0.010.0.111.0.011.0.112.0.012.0.113.0.013.0.114.0.014.0.115.0.015.0.116.0.016.0.117.0.017.0.118.0.018.1.018.1.119.0.019.0.120.0.020.0.121.0.021.0.122.0.022.0.122.0.223.0.0 - npm
awaitly-mongo0.1.00.1.11.0.01.0.12.0.02.0.13.0.03.0.14.0.04.0.15.0.05.0.16.0.06.0.17.0.07.0.18.0.08.0.19.0.09.1.09.1.110.0.010.0.111.0.011.0.112.0.012.0.113.0.013.0.114.0.014.0.115.0.015.0.116.0.016.0.117.0.017.0.118.0.018.0.119.0.019.1.019.1.120.0.020.0.121.0.021.0.122.0.022.0.123.0.023.0.123.0.224.0.0
npm-2026-06-30-autotel-awaitly-brand-takedownSource advisory - npm
- High29 Jun 202610 packages tracked
Internal-scope dependency-confusion cluster (Deel, Webda, Citi, BSCom, TiVo, CSEO-HR, +) taken down 2026-06-29
Between 2026-04-27 and 2026-05-31, ten npm packages impersonating internal corporate scopes — Deel, Webda, Citi ICG, BSCom, TiVo, CSEO-HR, Concerns, Via City Tools, WM — were published at
99.9.1to win dependency-confusion resolution against the matching private mirrors. npm support unpublished the whole batch on 2026-06-29 between 16:46 and 16:52 UTC and replaced them with0.0.1-securityholders; GHSA records dropped the same day.npmAffected packages10 packages · 10 versions
- npm
@bscom/styling99.9.1 - npm
@citi-icg-171632/citicms-repo-component99.9.1 - npm
@concerns/i18n99.9.1 - npm
@cseo-hr/trpweb-shared99.9.1 - npm
@deel-ui/animation99.9.1 - npm
@webd-infra/query-designer-domain99.9.1 - npm
@webda-infra-ui/static-images99.9.1 - npm
tivo-codelib-a99.9.1 - npm
via-city-tools-m-particle99.9.1 - npm
wm-mapper99.9.1
npm-2026-06-29-internal-scope-dep-confusion-clusterSource advisory - npm
- High28 Jun 20262 packages tracked
`@thone33/core-utils` + `@thone33/analytics-injector` — production-gated c2-stager loader fetched from a GitHub repo
On 2026-06-28 17:08–17:42 UTC the npm account
thone33(gptconta847@gmail.com) published two collaborating packages:@thone33/analytics-injector(1.0.0,1.0.1) that fetches attacker JavaScript fromraw.githubusercontent.com/Dennisfrr/c2-stager/main/the%20assessment.jsand passes the response directly toeval; and@thone33/core-utils(1.0.0–1.0.5) that depends on@thone33/analytics-injector: ^1.0.0and conditionally activates it only whenNODE_ENV === 'production'— local dev and CI tests appear clean while production runtimes execute the c2-stager.npmAffected packages2 packages · 8 versions
- npm
@thone33/analytics-injector1.0.01.0.1 - npm
@thone33/core-utils1.0.01.0.11.0.21.0.31.0.41.0.5
npm-2026-06-28-thone33-c2-stager-clusterSource advisory - npm
- High27 Jun 20262 packages tracked
`chai-as-persisted` + `chai-as-assured` — jsonspack DPRK campaign restarts with chai-as-* typosquat install-time RCE dropper
On 2026-06-26 → 2026-06-28 the same DPRK-linked operator behind the March jsonspack npm campaign restarted with
chai-as-persistedandchai-as-assured— typosquats ofchai-as-promisedthat ship install-time RCE droppers. Four versions across the two packages were published with the samehello@jsonspack.comauthor bug URL, fetching attacker JavaScript fromipregionchecker.orgvianew Function.constructoron everynpm install.npmAffected packages2 packages · 4 versions
- npm
chai-as-assured7.1.26.0.4 - npm
chai-as-persisted4.2.86.1.9
npm-2026-06-27-chai-as-persisted-jsonspackSource advisory - npm
- High27 Jun 20262 packages tracked
`crossmint-wallets-sdk` + `@epsteinlovekids483/crossmint-wallets-sdk-pentest` — install-time wallet/credential exfil via Crossmint SDK impersonators
Between 2026-06-26 13:44 UTC and 2026-06-27 03:09 UTC the npm account
epsteinlovekids483published two impersonators of the legitimate@crossmint/wallets-sdk: a scoped@epsteinlovekids483/crossmint-wallets-sdk-pentest(8 rapid versions) that onrequire()exfiltrates AWS keys, SSH keys, npm tokens,gh auth token, and Solana keypairs to a127.0.0.1:8052/exfilloopback C2; and the unscopedcrossmint-wallets-sdk@1.0.0that firespreinstallandinstalllifecycle scripts to capture host identifiers and POST them to an attacker-controlled endpoint. Both are flagged by CIRCL as MAL-2026-6522 and MAL-2026-6545.npmAffected packages2 packages · 9 versions
- npm
@epsteinlovekids483/crossmint-wallets-sdk-pentest1.0.0-pentest1.0.1-pentest1.0.2-pentest1.0.5-pentest1.0.7-pentest1.0.9-pentest1.0.11-pentest1.0.11 - npm
crossmint-wallets-sdk1.0.0
npm-2026-06-27-crossmint-wallets-sdk-impersonatorSource advisory - npm
- Critical27 Jun 20263 packages tracked
`ts-einkle` + `ts-ankle` + `ts-einkle-slot` — crypto-wallet drainer / SSH backdoor / big.js typosquat cluster
Between 2026-06-26 and 2026-06-27 a single naming-cluster operator published three new malicious npm packages —
ts-einkle(5 versions),ts-einkle-slot(5 versions), andts-ankle(1 version). All three execute install-time payloads:ts-einkleis a full credential and crypto-wallet stealer exfiltrating todatasecure-service.vercel.app/api/v1;ts-anklerecursively walks the home directory for credential files and installs an SSH public key in~/.ssh/authorized_keys;ts-einkle-slottyposquatsbig.jsand shadow-loadsnode-sloton everyrequire(). npm-support replaced all three with0.0.1-securityholders on 2026-06-29.npmAffected packages3 packages · 10 versions
- npm
ts-ankle1.1.0 - npm
ts-einkle1.0.91.1.01.1.21.1.3 - npm
ts-einkle-slot0.0.80.0.90.1.00.1.10.1.2
npm-2026-06-27-ts-einkle-ankle-wallet-clusterSource advisory - npm
- High27 Jun 20261 package tracked
`polymarket-clob-math` — Polymarket SDK impersonator with Vercel-hosted unsigned tarball loader
On 2026-06-27 17:20 UTC an operator published
polymarket-clob-math@1.0.4to npm — an impersonator of the legitimate@polymarket/clob-clientmath helper. Apostinstallscript fetches a JSON config from an unverified Vercel domain (PSM_PEER_URL), downloads and extracts an unpinned mutable tarball whose contents the operator can swap at will, and executes the resulting attacker JavaScript on the installer. Internal references (peer-math.js,syncSession) masquerade it as a benign dependency-sync mechanism. npm-support replaced1.0.4with a0.0.1-securityholder on 2026-06-29.npmAffected packages1 package · 1 version
- npm
polymarket-clob-math1.0.4
npm-2026-06-27-polymarket-clob-math-vercel-loaderSource advisory - npm
- High27 Jun 20262 packages tracked
`livekit-agents` (npm) + `skillspector` (PyPI) — coordinated multi-ecosystem typosquat exfiltrating to `livekit-agents.xyz`
Between 2026-06-27 and 2026-06-28 a single operator published a coordinated multi-ecosystem typosquat campaign exfiltrating to the lookalike domain
livekit-agents.xyz. Unscopedlivekit-agentson npm (10 versions, four of them flagged malicious) impersonates the LiveKit Agents SDK while beaconing host telemetry. The PyPI packageskillspector(8 versions) — an unauthorized fork of a legitimate Nvidia project — exfiltrates every CLI argument tohttps://livekit-agents.xyz/skillspector-telemetry. The shared lookalike domain ties both packages to the same operator.npmPyPIAffected packages2 packages · 12 versions
- npm
livekit-agents0.3.00.3.10.3.20.3.4 - PyPI
skillspector0.0.10.0.20.0.30.0.42.3.72.3.82.3.92.3.10
multi-2026-06-27-livekit-agents-skillspector-typosquatSource advisory - npm
- High26 Jun 20261 package tracked
`tw-style-utils` — SStar Agent cross-platform RAT delivered via Tailwind Typography typosquat
tw-style-utilsmasqueraded as a Tailwind CSS typography plugin (99% of its code copied from@tailwindcss/typography) while ~5KB of top-level IIFE downloader code installed SStar Agent, a Windows/macOS RAT with keyboard/clipboard hooks and exfiltration capability. Two versions (0.7.0,0.7.1) were live on npm from 2026-05-26 17:19 UTC; npm yanked the package and replacedlatestwith a0.0.1-securityholder on 2026-06-26 05:17 UTC, and GitHub publishedGHSA-75cr-ggc5-8h7gthe same day.npmAffected packages1 package · 2 versions
- npm
tw-style-utils0.7.00.7.1
npm-2026-06-26-sstar-tw-style-utilsSource advisory - npm
- High26 Jun 20264 packages tracked
npm typosquat sweep — `pump-stream-logger`, `pump-laserstream-parser`, `pino-zod`, `rollup-plugin-polyfill-connect` yanked
On 2026-06-26 npm yanked four malicious typosquat packages within hours of each other —
pump-stream-logger,pump-laserstream-parser, andpino-zodwere taken down within a 10-second window at 05:10 UTC, androllup-plugin-polyfill-connectfollowed at 12:16 UTC. All four are GHSA-classified as CWE-506 Embedded Malicious Code; the package names target the Helius Solana streaming SDK, the Pino logger family, the Zod validation library, and therollup-plugin-polyfill-nodeRollup plugin.npmAffected packages4 packages · 7 versions
- npm
pino-zod1.0.1211.0.122 - npm
pump-laserstream-parser2.0.0 - npm
pump-stream-logger1.0.0 - npm
rollup-plugin-polyfill-connect1.0.11.0.21.0.3
npm-2026-06-26-pump-pino-rollup-typosquat-sweepSource advisory - npm
- High25 Jun 20261 package tracked
`@vpms/design-system` — internal-scope dependency-confusion with preinstall env-var exfil to Pipedream
On 2026-06-25 between 15:52 UTC and 17:14 UTC, an operator published four versions of
@vpms/design-system(0.1.3,1.0.0,1.0.1,1.1.2) as a dependency-confusion attack against the internal@vpmsscope. The preinstall script iteratesprocess.envand harvests every variable whose name containsSECRET,TOKEN,PASSWORD,KEY, orCREDENTIAL, along with hostname, username, and process details, then exfiltrates the payload to a hardcoded Pipedream webhook ateov0bmnid410yqf.m.pipedream.net. npm-support replaced all four versions with a0.0.1-securityholder on 2026-06-29.npmAffected packages1 package · 4 versions
- npm
@vpms/design-system0.1.31.0.01.0.11.1.2
npm-2026-06-25-vpms-design-system-pipedreamSource advisory - npm
- Critical24 Jun 20261 package tracked
codfish/semantic-release-action — 16 tags retargeted to Miasma imposter commit
On 2026-06-24 at 15:39:06 UTC an attacker force-pushed two imposter commits to
codfish/semantic-release-actionand repointed 16 tags — including the floating majorsv2,v3,v4,v5— to them. Any workflow pinned by tag pulls 781,580 bytes of obfuscated JavaScript that searches GitHub commit-search for thethebeautifulsnadsoftimeMiasma dead-drop channel andeval()s any signed payload, exfiltratingGITHUB_TOKENandNPM_TOKENfrom release workflows.GitHub ActionsAffected packages1 package · 14 versions
- GitHub Actions
codfish/semantic-release-actionv2v2.2.1v3v3.0.0v3.1.0v3.2.0v3.3.0v3.4.0v3.5.0v4v4.0.0v4.0.1v5v5.0.0
github-actions-2026-06-24-codfish-semantic-release-action-hijackSource advisory - GitHub Actions
- Critical24 Jun 20262 packages tracked
Leo Platform / RStreams — czirker maintainer account hijacked, 20 npm packages backdoored in 3 seconds
On 2026-06-24 at 23:04:55 UTC an attacker used the compromised
czirkernpm maintainer account to publish malicious versions of 20 Leo Platform / RStreams packages in a sub-3-second automated burst. Each tarball ships a weaponisedbinding.gypthat hides anode-gypcommand-substitution payload — the same "Phantom Gyp" hook used in the 2026-06-01 Miasma@redhat-cloud-servicesworm — running a Bun-runtime credential stealer (the Shai-Hulud "Hades" payload) that exfiltrates AWS/GCP/Azure/Kubernetes/Vault/npm/PyPI/GitHub/1Password secrets via the victim's own GitHub token.npmAffected packages2 packages · 2 versions
- npm
leo-logger1.0.8 - npm
leo-sdk6.0.19
npm-2026-06-24-leo-platform-miasma-hadesSource advisory - npm
- High22 Jun 20263 packages tracked
PostCSS lookalike npm typosquats deliver multi-stage Windows RAT (abdrizak / JFrog)
JFrog disclosed three malicious npm packages published by the
abdrizakaccount that masquerade aspostcss-selector-parsertooling. An AES-256-GCM-encrypted blob drops a PowerShell stager which fetches a Windows RAT fromnvidiadriver[.]net, persists via the registry, and beacons over encrypted HTTP to95.216.92.207:8080to steal Chrome credentials and run remote-shell / file-transfer commands.npmAffected packages3 packages · 33 versions
- npm
aes-decode-runner-pro1.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.11 - npm
postcss-minify-selector0.1.20.1.30.1.40.1.50.1.60.1.70.1.80.1.90.1.100.1.112.0.12.0.2 - npm
postcss-minify-selector-parser1.0.111.0.121.0.131.0.141.0.151.0.161.0.171.0.182.0.12.0.2
npm-2026-06-22-postcss-rat-typosquat-jfrogSource advisory - npm
- High18 Jun 20268 packages tracked
`parket-helper` / `ts-ecro` big.js typosquat dropper cluster
A cluster of npm typosquats impersonating
big.jsshipped verbatim copies of the legitimate library with a single added five-line require ofparket-helper/parket-slot/new-solt— three otherwise-empty utility packages whose entire purpose is to execute attacker-controlled JavaScript at import time. GitHub and npm flagged the eight packages and replaced them with0.0.1-securityholders between 2026-06-18 and 2026-06-19.npmAffected packages8 packages · 16 versions
- npm
new-ecro0.0.60.0.70.0.9 - npm
new-solt0.0.70.0.80.0.9 - npm
parket-helper0.0.15.8.1 - npm
parket-slot0.0.6 - npm
ts-big-ecro0.1.03.8.1 - npm
ts-ecro0.0.50.0.6 - npm
ts-ecro-helper0.0.15.8.0 - npm
ts-esys0.0.5
npm-2026-06-18-parket-ecro-bigjs-typosquat-dropperSource advisory - npm
- Critical18 Jun 20263 packages tracked
`node-ci-utils` / `win-env-setup` / `macos-ci-utils` npm droppers deliver the NastyC2 Rust post-exploitation framework
Three npm packages —
node-ci-utils@2.1.4,win-env-setup@3.0.5/3.0.6, andmacos-ci-utils@1.0.0/1.0.1— masqueraded as CI tooling while acting as cross-platform droppers for NastyC2, a previously undocumented Rust post-exploitation framework with 80+ commands comparable in scope to Cobalt Strike and Sliver. npm removed all three packages between 2026-06-01 and 2026-06-13; the public disclosure landed in The Hacker News ThreatsDay Bulletin on 2026-06-18.npmAffected packages3 packages · 5 versions
- npm
macos-ci-utils1.0.01.0.1 - npm
node-ci-utils2.1.4 - npm
win-env-setup3.0.53.0.6
npm-2026-06-18-nastyc2-rust-implant-droppersSource advisory - npm
- Critical17 Jun 202617 packages tracked
Mastra AI npm scope takeover via `easy-day-js` typosquat dropper
On 2026-06-17 between ~01:12 and 02:36 UTC, the dormant
ehinderocontributor account — never revoked from the@mastrascope — was used to mass-publish ~144 trojanised@mastra/*releases plusmastraandcreate-mastra, each declaring a neweasy-day-jsdependency whosepostinstallhook drops a cross-platform crypto-wallet stealer / RAT. Microsoft attributes the activity to Sapphire Sleet (BlueNoroff) with high confidence; combined exposure ~1.1M weekly downloads.npmAffected packages17 packages · 17 versions
- npm
@mastra/agent-browser0.3.2 - npm
@mastra/auth1.0.3 - npm
@mastra/core1.42.1 - npm
@mastra/evals1.3.1 - npm
@mastra/github-signals0.1.2 - npm
@mastra/loggers1.1.3 - npm
@mastra/mem00.1.14 - npm
@mastra/memory1.20.4 - npm
@mastra/node-audio0.1.8 - npm
@mastra/node-speaker0.1.1 - npm
@mastra/rag2.2.2 - npm
@mastra/react1.0.1 - npm
@mastra/schema-compat1.2.12 - npm
@mastra/voice-playai0.12.2 - npm
create-mastra1.13.1 - npm
easy-day-js1.11.22 - npm
mastra1.13.1
npm-2026-06-17-mastra-easy-day-jsSource advisory - npm
- Info16 Jun 20261 package tracked
`shai_hulululud`: first documented anti-AI-scanner protestware npm package
Socket flagged
shai_hulululud@1.0.48596(~9.3 MBindex.js, published 2026-06-16 by npm userptchli_knldg) — protestware whose only purpose is to probe and disrupt AI-based malware scanners. The tarball is a single JS file containing millions of repeated comments with prompt-injection content, fake system-override instructions, and context-flooding tokens. Runtime is inert; the payload is the source code itself, weaponised against any LLM-based scanner that ingests it.npmAffected packages1 package · 1 version
- npm
shai_hulululud1.0.48596
npm-2026-06-16-shai-hulululud-ai-scanner-protestwareSource advisory - npm
- Critical13 Jun 202611 packages tracked
Cyfirma multi-stage crypto-wallet campaign: moralis-sdk, ethers-jss, coinbase-wallet-utils, plus the `ethcompat` ethereum-C2 cluster
Cyfirma Research disclosed an 11-package npm campaign targeting Web3 / blockchain developers across three clusters: a YouTube-page-gated postinstall trojan in
moralis-sdk(2.7M+ downloads from the legitimate package name), theethers-jss/coinbase-wallet-utilsprivate-key sweepers (both yanked 2026-06-10), three long-lived typosquats (ganach,solidty,stelar-sdk, live since 2024), and theethcompat5-pack (hardhat-deploy-utils,web3-deploy-helper,defi-sdk-core,ethers-compat,ethereum-dev-utils) that AES-256-GCM-encrypts stolen creds and embeds them in Ethereum transactions to an attacker wallet.npmAffected packages11 packages · 12 versions
- npm
coinbase-wallet-utils1.0.0 - npm
defi-sdk-core1.0.0 - npm
ethereum-dev-utils1.0.0 - npm
ethers-compat1.0.0 - npm
ethers-jss6.13.1 - npm
ganach7.9.2 - npm
hardhat-deploy-utils1.0.0 - npm
moralis-sdk1.0.01.0.1 - npm
solidty0.0.1 - npm
stelar-sdk12.3.0 - npm
web3-deploy-helper1.0.0
npm-2026-06-13-cyfirma-moralis-ethcompat-clusterSource advisory - npm
- Critical12 Jun 20267 packages tracked
Solana FakeFix: JFrog flags 25 npm + PyPI packages stealing Solana keypairs and dev secrets to Telegram
JFrog Security Research disclosed
Solana FakeFix, a 25-package npm/PyPI campaign with two clusters: ~20 Solana typosquats / "stable-build" forks (solana-web3-stable,solana-rpc-client, …) promoted via GitHub issue spam by thePassWord1337account, and a 5-package CMS-themed Windows loader cluster (cms-storehub,cms-helpgit,cms-github,to-cms,shopifyto-cms). All variants exfiltrate Solana keypairs, SSH keys, cloud creds, and.envsecrets to a Telegram bot.npmAffected packages7 packages · 23 versions
- npm
cms-github4.2.4 - npm
cms-helpgit4.2.24.2.44.2.54.2.64.2.74.2.84.2.9 - npm
cms-storehub1.2.71.2.81.2.91.3.01.3.11.3.21.3.31.3.41.3.51.3.6 - npm
shopifyto-cms3.0.2 - npm
solana-rpc-client1.0.0 - npm
solana-web3-stable1.0.0 - npm
to-cms1.0.01.0.1
multi-2026-06-12-solana-fakefix-jfrogSource advisory - npm
- Critical11 Jun 20264 packages tracked
Atomic Arch: 400+ AUR packages hijacked to ship npm-delivered Rust stealer with eBPF rootkit
Sonatype-2026-003775 (2026-06-11) — attackers hijacked 400+ orphaned Arch User Repository packages and rewrote their PKGBUILDs to pull three malicious npm dependencies (
atomic-lockfile@1.4.2,js-digest@4.2.2,lockfile-js@1.4.2). Each drops a Rust ELF credential stealer, loads an eBPF rootkit hiding processes/files/sockets when run as root, persists via systemd, and exfiltrates over Tor onion C2.npmAffected packages4 packages · 4 versions
- npm
atomic-lockfile1.4.2 - npm
js-digest4.2.2 - npm
lockfile-js1.4.2 - npm
nextfile-js1.4.2
npm-2026-06-11-atomic-arch-aur-hijackSource advisory - npm
- Critical9 Jun 20261 package tracked
dbmux maintainer-account takeover: four backdoored versions seeded across two release branches
Between 2026-06-04 and 2026-06-05 the
dbmuxnpm maintainer account (bhagyamudgal) was hijacked and four backdoored releases were pushed across both the legacy1.xand current2.xbranches:1.0.5,1.0.6,2.2.4,2.2.5. GHSA-62wx-5f55-w8g2 (published 2026-06-09) classifies all four as CWE-506 embedded malicious code: any host that installed or executed them should be treated as fully compromised. npm deprecated every malicious release; the clean latest is2.2.3.npmAffected packages1 package · 4 versions
- npm
dbmux1.0.51.0.62.2.42.2.5
npm-2026-06-09-dbmux-maintainer-takeoverSource advisory - npm
- Critical9 Jun 20264 packages tracked
SeedSweep: 10-package npm crypto-wallet drainer published by `aicrypto-xzggg`
On 2026-06-09 between 03:23 and 03:57 UTC the brand-new npm account
aicrypto-xzggg(vipsyria88@gmail.com) shipped 10 Web3-flavoured packages —wallet-sdk-9,swap-sdk-87,defi-tools-39,farming-tools-12, and six others — each carrying an identicalpostinstallpayload that reads wallet keystores, seed-phrase files, SSH keys, and.envfiles across six chains and exfiltrates them to Telegram bot id8227918239. npm unpublished every release ~8 hours later. Disclosed by Xygeni as the SeedSweep campaign.npmAffected packages4 packages · 4 versions
- npm
defi-tools-394.26.29 - npm
farming-tools-124.68.54 - npm
swap-sdk-874.63.78 - npm
wallet-sdk-93.7.73
npm-2026-06-09-seedsweep-aicrypto-xzgggSource advisory - npm
- Critical5 Jun 202634 packages tracked
Hades / Shai-Hulud PyPI wave: bioinformatics, MCP typosquats, and the .pth + Bun startup payload
Between 2026-06-05 and 2026-06-08 the Shai-Hulud / Miasma operator hopped to PyPI as "Hades", trojanising ~33 packages across the
nanguagebioinformatics cluster (StepSecurity: 19 quarantined projects), monarch-initiative phenotype tooling, and MCP/Flask typosquats. Each ships a*-setup.pthstartup hook → Bun credential stealer with cross-platform memory scraping.PyPIAffected packages34 packages · 56 versions
- PyPI
bramin0.0.20.0.30.0.4 - PyPI
cmd2func0.2.20.2.3 - PyPI
coolbox0.4.10.4.2 - PyPI
dynamo-release1.5.4 - PyPI
embiggen0.11.97 - PyPI
ensmallen0.8.101 - PyPI
executor-engine0.3.40.3.5 - PyPI
executor-http0.1.30.1.4 - PyPI
funcdesc0.2.20.2.3 - PyPI
gpsea0.9.14 - PyPI
langchain-core-mcp1.4.21.4.3 - PyPI
magique0.6.80.6.9 - PyPI
magique-ai0.4.40.4.5 - PyPI
mflux-streamlit0.0.30.0.4 - PyPI
mrbios0.1.10.1.2 - PyPI
napari-ufish0.0.20.0.3 - PyPI
nhmpy0.0.1 - PyPI
nucbox0.1.20.1.3 - PyPI
okite0.0.70.0.8 - PyPI
openai-mcp2.41.12.41.2 - PyPI
pantheon-agents0.6.10.6.2 - PyPI
pantheon-toolsets0.5.50.5.6 - PyPI
phenopacket-store-toolkit0.1.7 - PyPI
ppkt2synergy0.1.1 - PyPI
pyphetools0.9.120 - PyPI
ray-mcp-server0.2.1 - PyPI
rlask0.0.1 - PyPI
rsquests0.0.1 - PyPI
spateo-release1.1.2 - PyPI
synago0.1.10.1.2 - PyPI
tiktoken-mcp0.13.10.13.2 - PyPI
tlask0.0.1 - PyPI
ufish0.1.20.1.3 - PyPI
uprobe0.1.30.1.4
pypi-2026-06-05-hades-shai-hulud-pypi-waveSource advisory - PyPI
- Critical4 Jun 20264 packages tracked
IronWorm: Rust-built npm worm with eBPF rootkit and Tor C2 hits 36+ Arweave/WeaveDB packages
JFrog disclosed on 2026-06-04 that a single compromised npm account (
asteroiddao, tied to Arweave/WeaveDB maintainerocrybit) was used to push malicious versions of 36+ packages carrying IronWorm — a Rust ELF infostealer that loads an eBPF rootkit, exfiltrates over Tor, harvests Exodus crypto wallets, and republishes itself via stolen npm OIDC trust.npmAffected packages4 packages · 4 versions
- npm
arnext0.1.5 - npm
atomic-notes0.5.3 - npm
roidjs0.1.7 - npm
weavedb-lite0.1.1
npm-2026-06-04-ironworm-arweave-weavedbSource advisory - npm
- Critical3 Jun 202626 packages tracked
Phantom Gyp Miasma worm hits @vapi-ai/server-sdk and the jagreehal portfolio via binding.gyp
Between 23:30 UTC on 2026-06-03 and ~01:30 UTC on 2026-06-04 the Miasma worm published a malicious 157-byte
binding.gyppayload through 57 npm packages and 286+ versions, starting at@vapi-ai/server-sdk(~408k weekly downloads) and cascading across the jagreehal maintainer'sautotel-*,awaitly-*,ai-sdk-*,executable-stories-*,node-env-resolver-*, andwrangler-deployportfolio. GitHub Advisories backfilled the full affected-version set across theautotel-*family and the widerawaitly-*portfolio on 2026-06-29 / 2026-06-30 (16 newautotel-*GHSAs plus expandedawaitly/awaitly-mongo/awaitly-libsql/awaitly-analyzeranges).npmAffected packages26 packages · 164 versions
- npm
@vapi-ai/server-sdk0.11.1 - npm
ai-sdk-ollama0.13.11.1.12.2.13.8.5 - npm
autotel-backends2.12.26 - npm
autotel-cli0.8.14 - npm
autotel-drizzle0.0.27 - npm
autotel-eventcatalog1.0.12.0.13.0.14.0.25.0.1 - npm
autotel-hono0.4.26 - npm
autotel-mcp0.1.142.0.13.0.14.0.15.0.16.0.17.0.18.0.19.0.110.0.111.0.113.0.114.0.115.0.216.0.117.0.218.0.119.0.120.0.121.1.122.0.123.0.124.0.125.0.126.0.227.0.128.0.329.0.1 - npm
autotel-mcp-instrumentation29.0.230.0.531.0.132.0.133.0.234.0.1 - npm
autotel-mongoose0.0.31.0.22.0.53.0.14.0.15.0.26.0.1 - npm
autotel-pact0.2.21.0.3 - npm
autotel-playwright0.4.32 - npm
autotel-plugins0.19.26 - npm
autotel-sentry0.5.13 - npm
autotel-subscribers4.1.15.0.16.0.17.0.18.0.19.0.110.0.111.0.112.0.113.0.114.1.115.0.116.0.217.0.118.0.319.0.120.0.121.0.122.0.223.0.224.0.125.0.126.0.127.0.228.0.229.0.630.0.431.1.4 - npm
autotel-tanstack1.13.27 - npm
autotel-vitest0.4.26 - npm
autotel-web1.12.2 - npm
awaitly1.33.3 - npm
awaitly-analyze0.24.21.1.12.0.13.0.14.0.15.0.16.0.17.0.18.0.1 - npm
awaitly-libsql0.1.11.0.12.0.13.0.14.0.15.0.16.0.17.0.18.0.19.0.110.0.111.0.112.0.113.0.114.0.115.0.116.0.117.0.118.1.119.0.120.0.121.0.122.0.1 - npm
awaitly-mongo0.1.11.0.12.0.13.0.14.0.15.0.16.0.17.0.18.0.19.1.110.0.111.0.112.0.113.0.114.0.115.0.116.0.117.0.118.0.119.1.120.0.121.0.122.0.123.0.1 - npm
awaitly-postgres0.1.11.0.12.0.13.0.24.0.15.0.16.0.17.0.18.0.19.0.110.0.111.0.112.0.1 - npm
awaitly-visualizer1.0.1 - npm
node-env-resolver6.5.1 - npm
wrangler-deploy1.5.5
npm-2026-06-03-phantom-gyp-vapi-jagreehalSource advisory - npm
- High3 Jun 20262 packages tracked
@sentry-internals / @sentry-browser-sdk profiling-node typosquat via forged Sentry events
On 2026-06-03 Nutrient (PSPDFKit) caught a novel two-stage attack: an attacker submitted forged Sentry events through a public browser DSN, displaying "remediation" runbook text that instructed responders (and AI agents) to run
npx @sentry-internals/profiling-node --diagnose. The typosquat — and its sibling@sentry-browser-sdk/profiling-node(v1.0.0–1.0.5) — exfiltrated env, working-directory, and dev-context data toadvisory-tracker.combefore npm replaced both with0.0.1-securityholders.npmAffected packages2 packages · 7 versions
- npm
@sentry-browser-sdk/profiling-node1.0.01.0.11.0.21.0.31.0.41.0.5 - npm
@sentry-internals/profiling-node1.0.0
npm-2026-06-03-sentry-profiling-typosquatSource advisory - npm
- High2 Jun 20261 package tracked
codexui-android exfiltrates OpenAI Codex refresh tokens for ~7 weeks before Aikido disclosure
Aikido disclosed on 2026-06-02 that every
codexui-androidnpm version from0.1.82(2026-04-13) through0.1.125silently exfiltrates the user's OpenAI Codexauth.json— access, refresh, and ID tokens — tosentry.anyclaw[.]store/startlog. The malicious code never appeared in the package's GitHub repository, and a companion Android app (50k+ installs) ships the same stealer.npmAffected packages1 package · 41 versions
- npm
codexui-android0.1.820.1.830.1.850.1.880.1.890.1.900.1.910.1.920.1.930.1.940.1.950.1.960.1.970.1.980.1.990.1.1000.1.1010.1.1020.1.1030.1.1040.1.1050.1.1060.1.1070.1.1080.1.1090.1.1100.1.1110.1.1120.1.1130.1.1140.1.1150.1.1160.1.1170.1.1180.1.1190.1.1200.1.1210.1.1220.1.1230.1.1240.1.125
npm-2026-06-02-codexui-android-openclawSource advisory - npm
- Critical1 Jun 202632 packages tracked
Miasma: @redhat-cloud-services Mini Shai-Hulud worm compromises 32 npm packages in 72 seconds
On 2026-06-01 an attacker published malicious versions of 32
@redhat-cloud-services/*npm packages in a 72-second window. The "Miasma" payload — a reskinned Mini Shai-Hulud worm — drops a preinstall script that runs a Bun-loaded credential stealer, harvests AWS/GCP/Azure/Kubernetes/Vault/GitHub/npm tokens, and exfiltrates to attacker-controlled GitHub repos taggedMiasma: The Spreading Blight.npmAffected packages32 packages · 95 versions
- npm
@redhat-cloud-services/chrome2.3.12.3.22.3.4 - npm
@redhat-cloud-services/compliance-client4.0.34.0.44.0.6 - npm
@redhat-cloud-services/config-manager-client5.0.45.0.55.0.7 - npm
@redhat-cloud-services/entitlements-client4.0.114.0.124.0.14 - npm
@redhat-cloud-services/eslint-config-redhat-cloud-services3.2.13.2.23.2.4 - npm
@redhat-cloud-services/frontend-components7.7.27.7.37.7.5 - npm
@redhat-cloud-services/frontend-components-advisor-components3.8.23.8.43.8.6 - npm
@redhat-cloud-services/frontend-components-config6.11.36.11.46.11.6 - npm
@redhat-cloud-services/frontend-components-config-utilities4.11.24.11.34.11.5 - npm
@redhat-cloud-services/frontend-components-notifications6.9.26.9.36.9.5 - npm
@redhat-cloud-services/frontend-components-remediations4.9.24.9.34.9.5 - npm
@redhat-cloud-services/frontend-components-testing1.2.11.2.21.2.4 - npm
@redhat-cloud-services/frontend-components-translations4.4.14.4.24.4.4 - npm
@redhat-cloud-services/frontend-components-utilities7.4.17.4.27.4.4 - npm
@redhat-cloud-services/hcc-feo-mcp0.3.10.3.20.3.4 - npm
@redhat-cloud-services/hcc-kessel-mcp0.3.10.3.20.3.4 - npm
@redhat-cloud-services/hcc-pf-mcp0.6.10.6.20.6.4 - npm
@redhat-cloud-services/host-inventory-client5.0.35.0.45.0.6 - npm
@redhat-cloud-services/insights-client4.0.44.0.54.0.7 - npm
@redhat-cloud-services/integrations-client6.0.46.0.56.0.7 - npm
@redhat-cloud-services/javascript-clients-shared2.0.82.0.92.0.11 - npm
@redhat-cloud-services/notifications-client6.1.46.1.56.1.7 - npm
@redhat-cloud-services/patch-client4.0.44.0.54.0.7 - npm
@redhat-cloud-services/quickstarts-client4.0.114.0.124.0.14 - npm
@redhat-cloud-services/rbac-client9.0.39.0.49.0.6 - npm
@redhat-cloud-services/remediations-client4.0.44.0.54.0.7 - npm
@redhat-cloud-services/rule-components4.7.24.7.34.7.5 - npm
@redhat-cloud-services/sources-client3.0.103.0.113.0.13 - npm
@redhat-cloud-services/topological-inventory-client3.0.103.0.113.0.13 - npm
@redhat-cloud-services/tsc-transform-imports1.2.21.2.41.2.6 - npm
@redhat-cloud-services/types3.6.13.6.23.6.4 - npm
@redhat-cloud-services/vulnerabilities-client2.1.92.1.11
npm-2026-06-01-miasma-redhat-cloud-servicesSource advisory - npm
- High28 May 202645 packages tracked
oob.moika.tech dependency-confusion campaign across nine npm scopes (mr.4nd3r50n / ce-rwb / t-in-one)
Between 2026-05-28 18:47 UTC and 2026-05-29 09:02 UTC a single operator using the npm aliases
mr.4nd3r50n,ce-rwb, andt-in-onepushed dependency-confusion packages across nine corporate-looking scopes (@cloudplatform-single-spa,@t-in-one,@ce-rwb,@wb-track,@data-science,@payments-widget,@travel-autotests,@capibar.chat,@sber-ecom-core). Postinstall stagers exfiltrateprocess.envtooob.moika[.]techwith a sharedX-Secretheader.npmAffected packages45 packages · 47 versions
- npm
@capibar.chat/ui-kit99.0.799.5.7 - npm
@ce-rwb/ce-tools-editor-admin3.5.22 - npm
@ce-rwb/ce-tools-editor-core3.5.22 - npm
@ce-rwb/ce-tools-editor-render3.5.22 - npm
@cloudplatform-single-spa/administration100.100.100 - npm
@cloudplatform-single-spa/arenadata-db100.100.100 - npm
@cloudplatform-single-spa/base-static-page100.100.100 - npm
@cloudplatform-single-spa/business-solutions100.100.100 - npm
@cloudplatform-single-spa/cloud-dns100.100.100 - npm
@cloudplatform-single-spa/cnapp-ui100.100.100 - npm
@cloudplatform-single-spa/cp-api-gw100.100.100 - npm
@cloudplatform-single-spa/datagrid100.100.100 - npm
@cloudplatform-single-spa/dataplatform100.100.100 - npm
@cloudplatform-single-spa/dataplatform-metastore100.100.100 - npm
@cloudplatform-single-spa/dataplatform-trino100.100.100 - npm
@cloudplatform-single-spa/employees100.100.100 - npm
@cloudplatform-single-spa/enterprise100.100.100 - npm
@cloudplatform-single-spa/floating-ips100.100.100 - npm
@cloudplatform-single-spa/logaas100.100.100 - npm
@cloudplatform-single-spa/marketplace-gigachat100.100.100 - npm
@cloudplatform-single-spa/ml-ai-agents-agent100.100.100 - npm
@cloudplatform-single-spa/ml-ai-agents-agent-system100.100.100 - npm
@cloudplatform-single-spa/monitoring100.100.100 - npm
@cloudplatform-single-spa/security-groups100.100.100 - npm
@cloudplatform-single-spa/ssh-keys100.100.100 - npm
@cloudplatform-single-spa/support100.100.100 - npm
@cloudplatform-single-spa/svp-baas100.100.100 - npm
@cloudplatform-single-spa/svp-interfaces100.100.100 - npm
@cloudplatform-single-spa/svp-s3-storage100.100.100 - npm
@cloudplatform-single-spa/vpn100.100.100 - npm
@data-science/llm3.5.22 - npm
@payments-widget/payments-widget-sdk3.5.22 - npm
@sber-ecom-core/sberpay-widget99.0.799.5.8 - npm
@t-in-one/add_app_middleware_token5.7.1 - npm
@t-in-one/add_application5.7.1 - npm
@t-in-one/add_application_service_token5.7.1 - npm
@t-in-one/add_application_tid5.7.1 - npm
@t-in-one/application_id_storage_key_token5.7.1 - npm
@t-in-one/form_product_token5.7.1 - npm
@t-in-one/get_application_hid5.7.1 - npm
@t-in-one/only_difference_payload5.7.1 - npm
@t-in-one/prefill_bundle_data_token5.7.1 - npm
@t-in-one/prefill_credit_data_token5.7.1 - npm
@travel-autotests/npm-proto3.5.22 - npm
@wb-track/shared-front3.5.22
npm-2026-05-28-moika-dependency-confusionSource advisory - npm
- High28 May 202614 packages tracked
vpmdhaj OpenSearch / ElasticSearch / DevOps typosquat burst (14 npm packages, Bun stager → cloud + CI/CD secret theft)
Microsoft Threat Intelligence flagged 14 typosquat npm packages published on 2026-05-28 by a single new maintainer alias
vpmdhaj(a39155771@gmail.com) in a ~4-hour window. Install-time stager pulls a ~195KB Bun-compiled credential harvester fromaab.sportsontheweb[.]net/x.php(X-Supply: 1header) and exfiltrates AWS, HashiCorp Vault, GitHub Actions and npm publish tokens.npmAffected packages14 packages · 41 versions
- npm
@vpmdhaj/devops-tools1.0.7267 - npm
@vpmdhaj/elastic-helper1.0.7269 - npm
@vpmdhaj/opensearch-setup1.0.7267 - npm
@vpmdhaj/search-setup1.0.7268 - npm
app-config-utility1.0.92001.0.9300 - npm
elastic-opensearch-helper1.0.72651.0.91031.0.91041.0.91051.0.91061.0.91071.0.9108 - npm
env-config-manager2.1.9201 - npm
opensearch-config-utility1.0.72651.0.91041.0.91051.0.9106 - npm
opensearch-security-scanner1.0.81.0.91.0.10 - npm
opensearch-setup1.0.90001.0.91001.0.91011.0.91021.0.9103 - npm
opensearch-setup-tool1.0.72651.0.91061.0.91071.0.9108 - npm
search-cluster-setup1.0.72651.0.91021.0.91031.0.9104 - npm
search-engine-setup1.0.72651.0.91051.0.91061.0.91071.0.9108 - npm
vpmdhaj-opensearch-setup1.0.91011.0.9102
npm-2026-05-28-vpmdhaj-opensearch-typosquatsSource advisory - npm
- High26 May 20261 package tracked
mouse5212-super-formatter: AI-generated npm infostealer targets Claude AI /mnt/user-data
On 2026-05-26 a fresh npm publisher pushed five versions of
mouse5212-super-formatter(1.0.0–1.0.4) that exfiltrate files from Claude AI's/mnt/user-datadirectory to an attacker GitHub repo via a hard-coded PAT. Disclosed by OX Security on 2026-05-27 ("Malware-Slop"); ~676 downloads before npm unpublished all versions.npmAffected packages1 package · 5 versions
- npm
mouse5212-super-formatter1.0.01.0.11.0.21.0.31.0.4
npm-2026-05-26-mouse5212-claude-ai-exfilSource advisory - npm
- Critical22 May 20264 packages tracked
Laravel-Lang Composer packages — every git tag retargeted to a malicious fork commit
On 2026-05-22 an attacker with push access to the
laravel-langGitHub org retargeted every git tag inlaravel-lang/lang,http-statuses,actions, andattributesto malicious fork commits.composer require/updatethen pulls asrc/helpers.phpbackdoor, autoloaded on every PHP request, that exfiltrates cloud and CI/CD secrets toflipboxstudio.info.PackagistAffected packages4 packages · 0 versions
- Packagist
laravel-lang/actions - Packagist
laravel-lang/attributes - Packagist
laravel-lang/http-statuses - Packagist
laravel-lang/lang
packagist-2026-05-22-laravel-lang-tag-hijackSource advisory - Packagist
- Critical22 May 202634 packages tracked
TrapDoor / AuditorTrap crypto-stealer campaign across npm, PyPI and crates.io
Starting 2026-05-22 the TrapDoor / AuditorTrap campaign pushed 34+ malicious packages (384+ versions) across npm, PyPI and crates.io posing as crypto/DeFi/AI dev tools and fake "security guild" branding. Payloads steal SSH keys, cloud credentials and Solana/Sui/Aptos wallets, and hide zero-width-Unicode prompt injection in
CLAUDE.md/.cursorrulesto trick Claude Code and Cursor into running the stealer.crates.ionpmPyPIAffected packages34 packages · 404 versions
- npm
async-pipeline-builder1.0.01.0.11.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1 - npm
build-scripts-utils1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1 - npm
chain-key-validator0.2.10.2.20.2.30.2.41.2.01.2.11.2.21.2.31.3.01.3.11.3.21.3.31.3.41.3.51.3.61.3.71.3.81.3.94.0.0 - npm
crypto-credential-scanner2.0.02.0.12.0.22.0.33.0.03.0.13.0.23.0.33.1.03.1.13.1.23.1.33.1.43.1.53.1.63.1.73.1.83.1.94.0.0 - PyPI
cryptowallet-safety - PyPI
data-pipeline-check0.1.1 - npm
defi-env-auditor0.3.00.3.10.3.20.3.31.3.01.3.11.3.21.3.31.4.01.4.11.4.21.4.31.4.41.4.51.4.61.4.71.4.81.4.94.0.0 - PyPI
defi-risk-scanner0.1.0 - npm
defi-threat-scanner2.1.02.1.12.1.22.1.33.1.03.1.13.1.23.1.33.2.03.2.13.2.23.2.33.2.43.2.53.2.63.2.73.2.84.0.0 - npm
deployment-key-auditor0.7.10.7.20.7.30.7.41.7.01.7.11.7.21.7.31.8.01.8.11.8.21.8.31.8.41.8.51.8.61.8.71.8.81.8.94.0.0 - npm
dev-env-bootstrapper1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.2 - PyPI
env-loader-cli0.1.1 - PyPI
eth-security-auditor0.1.0 - npm
eth-wallet-sentinel1.0.71.0.81.0.91.0.102.0.02.0.12.0.22.0.32.1.02.1.12.1.22.1.32.1.42.1.52.1.62.1.72.1.82.1.94.0.0 - PyPI
git-config-sync0.1.1 - npm
llm-context-compressor1.0.01.0.11.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1 - npm
mnemonic-safety-check0.5.00.5.10.5.20.5.31.5.01.5.11.5.21.5.31.6.01.6.11.6.21.6.31.6.41.6.51.6.61.6.71.6.81.6.94.0.0 - npm
model-switch-router1.0.01.0.11.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1 - crates.io
move-analyzer-build - crates.io
move-compiler-tools - crates.io
move-project-builder - npm
node-setup-helpers1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1 - npm
project-init-tools1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1 - npm
prompt-engineering-toolkit1.0.01.0.11.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1 - PyPI
solidity-build-guard - npm
solidity-deploy-guard0.4.20.4.30.4.40.4.51.4.01.4.11.4.21.4.31.5.01.5.11.5.21.5.31.5.41.5.51.5.61.5.71.5.84.0.0 - crates.io
sui-framework-helpers - crates.io
sui-move-build-helper - crates.io
sui-sdk-build-utils - npm
token-usage-tracker1.0.01.0.11.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1 - npm
wallet-backup-verifier1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.114.0.0 - npm
wallet-security-checker1.0.11.0.21.0.31.0.42.0.02.0.12.0.22.0.32.1.02.1.12.1.22.1.32.1.42.1.52.1.62.1.72.1.84.0.0 - npm
web3-secrets-detector1.2.31.2.41.2.51.2.61.2.72.2.02.2.12.2.22.2.32.3.02.3.12.3.22.3.32.3.42.3.52.3.62.3.72.3.82.3.94.0.0 - npm
workspace-config-loader1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.141.1.01.2.01.3.01.4.01.5.01.5.1
multi-2026-05-22-trapdoor-crypto-stealerSource advisory - npm
- High22 May 20268 packages tracked
Packagist cross-ecosystem postinstall attack — 8 Composer packages drop Linux `gvfsd-network` binary
Socket disclosed on 2026-05-23 a coordinated campaign that planted a malicious
postinstallhook in thepackage.json(NOTcomposer.json) of eight Packagist Composer packages — includingdevdojo/wave,devdojo/genesis, andkatanaui/katana. The hook curls a Linux binarygvfsd-networkfromgithub.com/parikhpreyash4/systemd-network-helper-aa5c751f, writes it to/tmp/.sshd, and runs it backgrounded. Socket flagged the same payload in 700+ public GitHub repos.PackagistAffected packages8 packages · 0 versions
- Packagist
baskarcm/tzi-chat-ui - Packagist
crosiersource/crosierlib-base - Packagist
devdojo/genesis - Packagist
devdojo/wave - Packagist
elitedevsquad/sidecar-laravel - Packagist
katanaui/katana - Packagist
moritz-sauer-13/silverstripe-cms-theme - Packagist
r2luna/brain
packagist-2026-05-22-cross-ecosystem-postinstall-binarySource advisory - Packagist
- High21 May 20261 package tracked
@common-stack/generate-plugin hijacked — PolinRider-linked RAT in two alpha releases
Sonatype disclosed on 2026-05-21 that two alpha releases of
@common-stack/generate-plugin(9.0.2-alpha.21,9.0.2-alpha.22, published ~2026-05-20–21) ship an install-time stager that pulls a second-stage RAT. Tradecraft overlaps the DPRK-linked PolinRider / Contagious Interview cluster. Package draws ~1,100 weekly downloads as a Node.js plugin scaffolding helper, so any developer machine that ran it during local install should be treated as compromised.npmAffected packages1 package · 2 versions
- npm
@common-stack/generate-plugin9.0.2-alpha.219.0.2-alpha.22
npm-2026-05-21-common-stack-generate-plugin-polinriderSource advisory - npm
- Critical19 May 2026298 packages tracked
@antv maintainer takeover (atool) — Mini Shai-Hulud burst across ~300 packages
On 2026-05-19 the compromised npm publisher
atool(Alibaba / AntV co-maintainer) pushed an automated burst of 639 malicious versions across 323 unique packages — the entire@antvvisualization suite plus widely-used unscoped libraries includingecharts-for-react,size-sensor, andtimeago.js(>15M combined monthly downloads). Each release adds apreinstall: bun run index.jshook running the Mini Shai-Hulud credential-stealer. Attributed to TeamPCP.npmAffected packages298 packages · 599 versions
- npm
@antv/a80.1.10.2.1 - npm
@antv/adjust0.3.50.4.5 - npm
@antv/algorithm0.2.260.3.26 - npm
@antv/async-hook2.3.92.4.9 - npm
@antv/attr0.4.50.5.5 - npm
@antv/ava3.5.13.6.1 - npm
@antv/ava-react3.4.23.5.2 - npm
@antv/awards0.1.90.2.9 - npm
@antv/calendar-heatmap1.2.21.3.2 - npm
@antv/chart-linter1.2.61.3.6 - npm
@antv/chart-node-g60.1.40.2.4 - npm
@antv/chart-visualization-skills0.2.30.3.3 - npm
@antv/ckb2.1.42.2.4 - npm
@antv/color-schema0.3.30.4.3 - npm
@antv/color-util2.1.62.2.6 - npm
@antv/component2.2.112.3.11 - npm
@antv/coord0.5.70.6.7 - npm
@antv/d3-color1.1.01.2.0 - npm
@antv/d3-interpolate1.1.31.2.3 - npm
@antv/data-samples1.1.11.2.1 - npm
@antv/data-set0.12.80.13.8 - npm
@antv/data-wizard2.1.42.2.4 - npm
@antv/dipper-component0.1.40.2.4 - npm
@antv/dipper-hooks0.3.10.4.1 - npm
@antv/dipper-map1.1.101.2.10 - npm
@antv/dom-util2.1.42.2.4 - npm
@antv/dumi-theme-antv0.9.40.10.4 - npm
@antv/dw-analyzer1.2.51.3.5 - npm
@antv/dw-random1.2.71.3.7 - npm
@antv/dw-transform1.2.71.3.7 - npm
@antv/dw-util1.2.41.3.4 - npm
@antv/event-emitter0.2.30.3.3 - npm
@antv/expr1.1.21.2.2 - npm
@antv/f-charts0.1.00.2.0 - npm
@antv/f-engine1.11.01.12.0 - npm
@antv/f-lottie1.11.01.12.0 - npm
@antv/f-my1.11.01.12.0 - npm
@antv/f-react1.11.01.12.0 - npm
@antv/f-test-utils1.1.91.2.9 - npm
@antv/f-vue1.11.01.12.0 - npm
@antv/f-wx1.11.01.12.0 - npm
@antv/f25.15.05.16.0 - npm
@antv/f2-algorithm5.8.05.9.0 - npm
@antv/f2-canvas1.1.51.2.5 - npm
@antv/f2-context0.1.10.2.1 - npm
@antv/f2-graphic0.1.160.2.16 - npm
@antv/f2-my4.1.524.2.52 - npm
@antv/f2-react5.15.05.16.0 - npm
@antv/f2-site4.1.424.2.42 - npm
@antv/f2-vue4.1.334.2.33 - npm
@antv/f2-wordcloud5.15.05.16.0 - npm
@antv/f2-wx4.1.514.2.51 - npm
@antv/f60.1.190.2.19 - npm
@antv/f6-alipay0.1.70.2.7 - npm
@antv/f6-core0.1.20.2.2 - npm
@antv/f6-element0.1.10.2.1 - npm
@antv/f6-hammerjs0.1.20.2.2 - npm
@antv/f6-plugin1.1.61.2.6 - npm
@antv/f6-ui1.1.31.2.3 - npm
@antv/f6-wx0.1.70.2.7 - npm
@antv/g6.4.16.5.1 - npm
@antv/g-base0.6.160.7.16 - npm
@antv/g-camera-api2.1.452.2.45 - npm
@antv/g-canvas2.3.02.4.0 - npm
@antv/g-canvaskit1.2.11.3.1 - npm
@antv/g-compat1.1.111.2.11 - npm
@antv/g-components2.1.422.2.42 - npm
@antv/g-css-layout-api1.1.381.2.38 - npm
@antv/g-css-typed-om-api1.1.381.2.38 - npm
@antv/g-device-api1.7.131.8.13 - npm
@antv/g-dom-mutation-observer-api2.1.422.2.42 - npm
@antv/g-gesture3.1.423.2.42 - npm
@antv/g-image-exporter1.1.421.2.42 - npm
@antv/g-layout-blocklike1.8.491.9.49 - npm
@antv/g-lite2.8.02.9.0 - npm
@antv/g-lottie-player1.2.11.3.1 - npm
@antv/g-math3.2.03.3.0 - npm
@antv/g-mobile1.2.51.3.5 - npm
@antv/g-mobile-canvas1.2.11.3.1 - npm
@antv/g-mobile-canvas-element1.1.421.2.42 - npm
@antv/g-mobile-svg1.2.11.3.1 - npm
@antv/g-mobile-webgl1.2.11.3.1 - npm
@antv/g-pattern2.1.422.2.42 - npm
@antv/g-perf1.1.01.2.0 - npm
@antv/g-plugin-3d2.2.12.3.1 - npm
@antv/g-plugin-a11y1.5.11.6.1 - npm
@antv/g-plugin-annotation1.3.01.4.0 - npm
@antv/g-plugin-box2d2.2.12.3.1 - npm
@antv/g-plugin-canvas-path-generator2.2.262.3.26 - npm
@antv/g-plugin-canvas-picker2.4.12.5.1 - npm
@antv/g-plugin-canvas-renderer2.6.12.7.1 - npm
@antv/g-plugin-canvaskit-renderer2.4.12.5.1 - npm
@antv/g-plugin-control2.2.12.3.1 - npm
@antv/g-plugin-css-select2.2.12.3.1 - npm
@antv/g-plugin-device-renderer2.7.12.8.1 - npm
@antv/g-plugin-dom-interaction2.2.312.3.31 - npm
@antv/g-plugin-dragndrop2.2.12.3.1 - npm
@antv/g-plugin-gesture2.2.12.3.1 - npm
@antv/g-plugin-gpgpu1.10.201.11.20 - npm
@antv/g-plugin-html-renderer2.4.12.5.1 - npm
@antv/g-plugin-image-loader2.4.12.5.1 - npm
@antv/g-plugin-matterjs2.2.12.3.1 - npm
@antv/g-plugin-mobile-interaction1.1.421.2.42 - npm
@antv/g-plugin-physx2.2.12.3.1 - npm
@antv/g-plugin-rough-canvas-renderer2.2.12.3.1 - npm
@antv/g-plugin-rough-svg-renderer2.2.12.3.1 - npm
@antv/g-plugin-svg-picker2.1.462.2.46 - npm
@antv/g-plugin-svg-renderer2.5.12.6.1 - npm
@antv/g-plugin-webgl-device1.10.171.11.17 - npm
@antv/g-plugin-webgl-renderer1.1.261.2.26 - npm
@antv/g-plugin-webgpu-device1.10.171.11.17 - npm
@antv/g-plugin-yoga2.4.12.5.1 - npm
@antv/g-plugin-zdog-canvas-renderer2.2.12.3.1 - npm
@antv/g-plugin-zdog-svg-renderer2.2.12.3.1 - npm
@antv/g-shader-components2.1.02.2.0 - npm
@antv/g-svg2.2.12.3.1 - npm
@antv/g-web-animations-api2.2.322.3.32 - npm
@antv/g-web-components2.2.12.3.1 - npm
@antv/g-webgl2.2.12.3.1 - npm
@antv/g-webgl-compute0.1.10.2.1 - npm
@antv/g-webgpu2.2.12.3.1 - npm
@antv/g-webgpu-compiler0.8.20.9.2 - npm
@antv/g-webgpu-core0.8.20.9.2 - npm
@antv/g-webgpu-engine0.8.20.9.2 - npm
@antv/g-webgpu-raytracer0.6.10.7.1 - npm
@antv/g-webgpu-unitchart0.6.10.7.1 - npm
@antv/g25.5.85.6.8 - npm
@antv/g2-brush0.1.20.2.2 - npm
@antv/g2-extension-3d0.3.00.4.0 - npm
@antv/g2-extension-ava0.3.00.4.0 - npm
@antv/g2-extension-plot0.3.20.4.2 - npm
@antv/g2-plugin-slider2.2.12.3.1 - npm
@antv/g2-ssr0.3.00.4.0 - npm
@antv/g2plot2.5.352.6.35 - npm
@antv/g2plot-schemas1.3.21.4.2 - npm
@antv/g65.2.15.3.1 - npm
@antv/g6-alipay0.1.10.2.1 - npm
@antv/g6-cli0.1.40.2.4 - npm
@antv/g6-core0.9.240.10.24 - npm
@antv/g6-editor1.3.01.4.0 - npm
@antv/g6-element0.9.250.10.25 - npm
@antv/g6-extension-3d0.2.230.3.23 - npm
@antv/g6-extension-react0.3.70.4.7 - npm
@antv/g6-mobile0.2.20.3.2 - npm
@antv/g6-pc0.9.250.10.25 - npm
@antv/g6-plugin0.9.250.10.25 - npm
@antv/g6-plugin-map-view0.1.40.2.4 - npm
@antv/g6-plugins1.1.91.2.9 - npm
@antv/g6-react-node1.5.81.6.8 - npm
@antv/g6-ssr0.2.10.3.1 - npm
@antv/g6-wx0.1.10.2.1 - npm
@antv/gatsby-theme0.2.00.3.0 - npm
@antv/geo-coord1.1.81.2.8 - npm
@antv/gi-assets-advance2.6.222.7.22 - npm
@antv/gi-assets-algorithm2.4.192.5.19 - npm
@antv/gi-assets-basic2.5.402.6.40 - npm
@antv/gi-assets-galaxybase1.3.151.4.15 - npm
@antv/gi-assets-graphscope2.2.152.3.15 - npm
@antv/gi-assets-hugegraph1.2.151.3.15 - npm
@antv/gi-assets-janusgraph1.2.151.3.15 - npm
@antv/gi-assets-neo4j2.2.152.3.15 - npm
@antv/gi-assets-scene2.3.212.4.21 - npm
@antv/gi-assets-tugraph2.2.152.3.15 - npm
@antv/gi-assets-tugraph-analytics0.3.150.4.15 - npm
@antv/gi-assets-xlab0.2.300.3.30 - npm
@antv/gi-cli1.3.111.4.11 - npm
@antv/gi-common-components1.4.161.5.16 - npm
@antv/gi-mock-data1.1.51.2.5 - npm
@antv/gi-public-data1.1.11.2.1 - npm
@antv/gi-sdk3.1.03.2.0 - npm
@antv/gi-sdk-app1.3.101.4.10 - npm
@antv/gi-theme-antd0.7.110.8.11 - npm
@antv/github-config-cli0.2.00.3.0 - npm
@antv/gl-matrix2.8.12.9.1 - npm
@antv/gpt-vis1.1.01.2.0 - npm
@antv/gpt-vis-ssr0.4.70.5.7 - npm
@antv/graphin3.1.53.2.5 - npm
@antv/graphin-components2.5.12.6.1 - npm
@antv/graphin-graphscope1.1.51.2.5 - npm
@antv/graphin-icons1.1.01.2.0 - npm
@antv/graphlib2.1.42.2.4 - npm
@antv/hierarchy0.8.10.9.1 - npm
@antv/infographic0.3.190.4.19 - npm
@antv/interaction0.2.50.3.5 - npm
@antv/istanbul0.1.00.2.0 - npm
@antv/knowledge1.2.41.3.4 - npm
@antv/l72.26.102.27.10 - npm
@antv/l7-component2.26.102.27.10 - npm
@antv/l7-composite-layers0.18.10.19.1 - npm
@antv/l7-core2.26.102.27.10 - npm
@antv/l7-district2.4.122.5.12 - npm
@antv/l7-draw3.2.53.3.5 - npm
@antv/l7-editor1.2.131.3.13 - npm
@antv/l7-extension-g-layer1.1.01.2.0 - npm
@antv/l7-layers2.26.102.27.10 - npm
@antv/l7-leaflet1.1.21.2.2 - npm
@antv/l7-map2.26.102.27.10 - npm
@antv/l7-mapkit0.6.00.7.0 - npm
@antv/l7-maps2.26.102.27.10 - npm
@antv/l7-mini2.21.82.22.8 - npm
@antv/l7-pass1.1.01.2.0 - npm
@antv/l7-react2.5.32.6.3 - npm
@antv/l7-renderer2.26.102.27.10 - npm
@antv/l7-scene2.26.102.27.10 - npm
@antv/l7-source2.26.102.27.10 - npm
@antv/l7-three2.26.102.27.10 - npm
@antv/l7-utils2.26.102.27.10 - npm
@antv/l7plot0.6.110.7.11 - npm
@antv/l7plot-component0.1.110.2.11 - npm
@antv/larkmap1.6.11.7.1 - npm
@antv/layout-gpu1.2.71.3.7 - npm
@antv/layout-wasm1.5.21.6.2 - npm
@antv/li-aiearth-assets0.5.70.6.7 - npm
@antv/li-analysis-assets1.10.11.11.1 - npm
@antv/li-core-assets1.4.71.5.7 - npm
@antv/li-editor1.7.11.8.1 - npm
@antv/li-p21.9.21.10.2 - npm
@antv/li-sam-assets0.2.40.3.4 - npm
@antv/li-sdk1.6.11.7.1 - npm
@antv/lite-insight2.2.12.3.1 - npm
@antv/matrix-util3.1.43.2.4 - npm
@antv/mcp-server-antv0.2.80.3.8 - npm
@antv/mcp-server-chart0.10.100.11.10 - npm
@antv/my-f22.2.72.3.7 - npm
@antv/my-f2-pc0.2.10.3.1 - npm
@antv/narrative-text-editor0.3.200.4.20 - npm
@antv/narrative-text-schema0.4.70.5.7 - npm
@antv/narrative-text-vis0.4.160.5.16 - npm
@antv/path-util3.1.13.2.1 - npm
@antv/react-g2.2.12.3.1 - npm
@antv/s22.8.12.9.1 - npm
@antv/s2-react2.4.12.5.1 - npm
@antv/s2-react-components2.2.22.3.2 - npm
@antv/s2-ssr0.2.10.3.1 - npm
@antv/s2-vue2.3.02.4.0 - npm
@antv/sam0.3.00.4.0 - npm
@antv/scale0.6.20.7.2 - npm
@antv/semantic-release-pnpm1.1.41.2.4 - npm
@antv/smart-color0.3.10.4.1 - npm
@antv/stat0.1.20.2.2 - npm
@antv/t80.4.00.5.0 - npm
@antv/thumbnails2.1.02.2.0 - npm
@antv/thumbnails-component2.1.02.2.0 - npm
@antv/torch1.1.61.2.6 - npm
@antv/translator1.1.11.2.1 - npm
@antv/util3.4.113.5.11 - npm
@antv/vendor1.1.111.2.11 - npm
@antv/vis-predict-engine0.2.10.3.1 - npm
@antv/webgpu-graph1.1.01.2.0 - npm
@antv/word-scale-chart0.4.40.5.4 - npm
@antv/wx-f22.2.12.3.1 - npm
@antv/x63.2.73.3.7 - npm
@antv/x6-angular-shape3.1.13.2.1 - npm
@antv/x6-components0.11.70.12.7 - npm
@antv/x6-react0.2.260.3.26 - npm
@antv/x6-react-shape3.1.13.2.1 - npm
@antv/x6-vector1.5.21.6.2 - npm
@antv/x6-vue-shape3.1.23.2.2 - npm
@antv/x6-vue3-shape1.1.01.2.0 - npm
@antv/xflow2.2.132.3.13 - npm
@antv/xflow-diff1.1.01.2.0 - npm
@lint-md/cli2.1.02.2.0 - npm
@lint-md/core2.1.02.2.0 - npm
@lint-md/parser0.1.140.2.14 - npm
ai-figure0.5.00.6.0 - npm
amapcn0.2.20.3.2 - npm
ast-plugin0.1.70.2.7 - npm
babel-plugin-version0.3.30.4.3 - npm
boring-avatars-vanilla1.1.21.2.2 - npm
byte-parser1.1.01.2.0 - npm
canvas-nest.js2.1.42.2.4 - npm
echarts-for-react3.0.73.1.73.2.7 - npm
filesize.js2.1.02.2.0 - npm
fixed-round1.1.21.2.2 - npm
gantt-for-react0.3.00.4.0 - npm
jest-canvas-mock2.5.32.6.32.7.3 - npm
jest-date-mock1.0.111.1.111.2.11 - npm
jest-electron0.2.120.3.12 - npm
jest-expect0.1.10.2.1 - npm
jest-less-loader0.3.00.4.0 - npm
jest-random-mock1.1.01.2.0 - npm
jest-url-loader0.2.00.3.0 - npm
limit-size0.2.40.3.4 - npm
lint-md0.3.00.4.0 - npm
lint-md-cli0.2.20.3.2 - npm
mcp-echarts0.8.10.9.1 - npm
mcp-mermaid0.5.10.6.1 - npm
miz1.1.11.2.1 - npm
onfire.js2.1.12.2.1 - npm
react-adsense0.2.00.3.0 - npm
relationship.js1.3.91.4.9 - npm
ribbon.js1.1.2 - npm
size-sensor1.0.41.1.41.2.4 - npm
slice.js1.2.11.3.1 - npm
timeago-react3.1.73.2.7 - npm
timeago.js4.1.24.2.2 - npm
word-width1.1.11.2.1 - npm
xmorse1.1.01.2.0
npm-2026-05-19-antv-mini-shai-huludSource advisory - npm
- Critical19 May 20261 package tracked
Microsoft `durabletask` PyPI compromised — TeamPCP Mini Shai-Hulud stage-2 dropper
Three malicious versions of
durabletask— Microsoft's Python SDK for Azure Durable Functions (~417K monthly downloads) — were uploaded directly to PyPI inside a 35-minute window on 2026-05-19. None correspond to any git tag or CI run; the attacker bypassed Microsoft's pipeline with a stolen PyPI API token. Stage-2 is the full Mini Shai-Hulud credential-stealer with dedicated cloud-secret collectors. Attributed to TeamPCP. Last clean release:1.4.0.PyPIAffected packages1 package · 3 versions
- PyPI
durabletask1.4.11.4.21.4.3
pypi-2026-05-19-durabletask-teampcpSource advisory - PyPI
- Critical19 May 20262 packages tracked
actions-cool/issues-helper + maintain-one-comment — every tag retargeted to TeamPCP imposter commit
On 2026-05-19 an attacker with push access to the
actions-coolGitHub org force-moved every tag inactions-cool/issues-helper(53 tags, including the floatingv1/v2) andactions-cool/maintain-one-comment(15 tags) to a single imposter commit. Any workflow pinned to a tag — not a full commit SHA — pulled the imposterdist/index.js, which dumpsRunner.Workermemory to exfiltrate GitHub Actions secrets. Shares C2 (t.m-kosche.com) with the same-day @antv anddurabletaskwaves; attributed to TeamPCP.GitHub ActionsAffected packages2 packages · 0 versions
- GitHub Actions
actions-cool/issues-helper - GitHub Actions
actions-cool/maintain-one-comment
github-actions-2026-05-19-actions-cool-tag-hijackSource advisory - GitHub Actions
- High19 May 20261 package tracked
shopsprint/decimal Go typosquat ships a DNS-TXT command-and-control backdoor
Socket disclosed a long-running Go typosquat of
github.com/shopspring/decimalpublished asgithub.com/shopsprint/decimal(single-letter swap,tforg). The typosquat was registered 2017-11-08 and was weaponised on 2023-08-19 inv1.3.3, which adds a maliciousinit()that polls a free-dynamic-DNS subdomain for TXT-record commands every five minutes and executes the response viaos/exec. Dwell time before disclosure: ~33 months.GoAffected packages1 package · 1 version
- Go
github.com/shopsprint/decimalv1.3.3
go-2026-05-19-shopsprint-decimal-dns-backdoorSource advisory - Go
- Critical18 May 20261 package tracked
Nx Console (nrwl.angular-console) 18.95.0 hijacked via TanStack-stolen GitHub creds
A malicious
Nx Console v18.95.0(publishernrwl, ~2.2M installs across VS Code, Cursor, and JetBrains) shipped to both the VS Code Marketplace and Open VSX on 2026-05-18, live for ~18–36 minutes. Every workspace open fetched a 498KB Mini Shai-Hulud stage-2 dropper from an orphan commit innrwl/nx. Nx telemetry estimates ~6,000 users received the build. Root cause: the May 11 TanStack compromise leaked one Nx Console maintainer's GitHub CLI credentials. Tracked asGHSA-c9j4-9m59-847w/CVE-2026-48027.Open VSXAffected packages1 package · 1 version
- Open VSX
nrwl.angular-console18.95.0
openvsx-2026-05-18-nx-console-nrwl-angular-consoleSource advisory - Open VSX
- Critical18 May 202610 packages tracked
Megalodon: automated CI/CD workflow injection backdoors 5,561 GitHub repos, propagates to @tiledesk/tiledesk-server on npm
On 2026-05-18 an automated campaign nicknamed
Megalodonpushed 5,718 commits to 5,561 public GitHub repos in six hours, injecting GitHub Actions workflows that exfiltrate CI secrets to216.126.225.129:8443. The legitimate Tiledesk maintainer then released@tiledesk/tiledesk-server2.18.6–2.18.12 from the poisoned source — propagating the backdoor to every downstream npm install.GitHub ActionsnpmAffected packages10 packages · 7 versions
- npm
@tiledesk/tiledesk-server2.18.62.18.72.18.82.18.92.18.102.18.112.18.12 - GitHub Actions
tiledesk/tiledesk-ai - GitHub Actions
tiledesk/tiledesk-campaign-dashboard - GitHub Actions
tiledesk/tiledesk-community-app - GitHub Actions
tiledesk/tiledesk-dashboard - GitHub Actions
tiledesk/tiledesk-docker-proxy - GitHub Actions
tiledesk/tiledesk-helpcenter-template - GitHub Actions
tiledesk/tiledesk-llm - GitHub Actions
tiledesk/tiledesk-server - GitHub Actions
tiledesk/tiledesk-telegram-connector
multi-2026-05-18-megalodon-tiledeskSource advisory - npm
- High16 May 20264 packages tracked
Leaked Shai-Hulud + Phantom Bot copycats from npm user deadcode09284814
Three days after TeamPCP open-sourced the Shai-Hulud worm code (2026-05-13), npm publisher
deadcode09284814pushed four malicious packages on 2026-05-16:@deadcode09284814/axios-util,axois-utils,chalk-tempalte, andcolor-style-utils.chalk-tempalteis the first documented in-the-wild Shai-Hulud clone — a near-verbatim copy of the leaked source with a swapped C2. Tradecraft is well below TeamPCP standard; this is the first copycat wave riding the leak.npmAffected packages4 packages · 21 versions
- npm
@deadcode09284814/axios-util1.0.01.0.1 - npm
axois-utils1.0.41.0.51.0.61.0.71.0.81.0.9 - npm
chalk-tempalte1.0.141.0.151.0.161.0.171.0.191.0.20 - npm
color-style-utils1.0.31.0.41.0.51.0.61.0.71.0.81.0.9
npm-2026-05-16-shai-hulud-leak-copycats-deadcodeSource advisory - npm
- Critical14 May 20261 package tracked
node-ipc dormant-maintainer takeover via expired email domain
On 2026-05-14 three malicious
node-ipcreleases (9.1.6,9.2.3,12.0.1) were published from a dormant maintainer accountatiertant. The attacker re-registered the expiredatlantis-software.netdomain on 2026-05-07 and used npm's password-reset flow to seize publish rights. The payload fires on everyrequire("node-ipc")(no lifecycle hook) and exfiltrates 90+ credential categories via DNS TXT queries.12.0.1was taggedlatest, so any unpinned install during the ~60-second window pulled the backdoor. ~822K weekly downloads.npmAffected packages1 package · 3 versions
- npm
node-ipc9.1.69.2.312.0.1
npm-2026-05-14-node-ipc-dormant-takeoverSource advisory - npm
- Critical11 May 2026177 packages tracked
TanStack + @uipath mini-Shai-Hulud compromise
On 2026-05-11 between 19:20 and 19:26 UTC, TeamPCP pushed malicious versions across
@tanstack/*,@uipath/*,@mistralai/*, and many smaller scopes by chainingpull_request_target, GitHub Actions cache poisoning, and runtime OIDC-token extraction from a runner. Same Mini Shai-Hulud credential-stealer as the April SAP campaign. Final tally: 177 packages, 403 versions, >518M cumulative downloads. OpenAI confirmed two compromised employee devices and rotated platform code-signing certificates.npmPyPIAffected packages179 packages · 413 versions
- npm
@beproduct/nestjs-auth0.1.20.1.30.1.40.1.50.1.60.1.70.1.80.1.90.1.100.1.110.1.120.1.130.1.140.1.150.1.160.1.170.1.180.1.19 - npm
@cap-js/db-service2.10.1 - npm
@cap-js/postgres2.2.2 - npm
@cap-js/sqlite2.2.2 - npm
@dirigible-ai/sdk0.6.20.6.3 - npm
@draftauth/client0.2.10.2.2 - npm
@draftauth/core0.13.10.13.2 - npm
@draftlab/auth0.24.10.24.2 - npm
@draftlab/auth-router0.5.10.5.2 - npm
@draftlab/db0.16.10.16.2 - npm
@mesadev/rest0.28.3 - npm
@mesadev/saguaro0.4.22 - npm
@mesadev/sdk0.28.3 - npm
@mistralai/mistralai2.2.22.2.32.2.4 - npm
@mistralai/mistralai-azure1.7.11.7.21.7.3 - npm
@mistralai/mistralai-gcp1.7.11.7.21.7.3 - npm
@ml-toolkit-ts/preprocessing1.0.21.0.3 - npm
@ml-toolkit-ts/xgboost1.0.31.0.4 - npm
@opensearch-project/opensearch3.5.33.6.23.7.03.8.0 - npm
@squawk/airport-data0.7.40.7.50.7.60.7.70.7.8 - npm
@squawk/airports0.6.20.6.30.6.40.6.50.6.6 - npm
@squawk/airspace0.8.10.8.20.8.30.8.40.8.5 - npm
@squawk/airspace-data0.5.30.5.40.5.50.5.60.5.7 - npm
@squawk/airway-data0.5.40.5.50.5.60.5.70.5.8 - npm
@squawk/airways0.4.20.4.30.4.40.4.50.4.6 - npm
@squawk/fix-data0.6.40.6.50.6.60.6.70.6.8 - npm
@squawk/fixes0.3.20.3.30.3.40.3.50.3.6 - npm
@squawk/flight-math0.5.40.5.50.5.60.5.70.5.8 - npm
@squawk/flightplan0.5.20.5.30.5.40.5.50.5.6 - npm
@squawk/geo0.4.40.4.50.4.60.4.70.4.8 - npm
@squawk/icao-registry0.5.20.5.30.5.40.5.50.5.6 - npm
@squawk/icao-registry-data0.8.40.8.50.8.60.8.70.8.8 - npm
@squawk/mcp0.9.10.9.20.9.30.9.40.9.5 - npm
@squawk/navaid-data0.6.40.6.50.6.60.6.70.6.8 - npm
@squawk/navaids0.4.20.4.30.4.40.4.50.4.6 - npm
@squawk/notams0.3.60.3.70.3.80.3.90.3.10 - npm
@squawk/procedure-data0.7.30.7.40.7.50.7.60.7.7 - npm
@squawk/procedures0.5.20.5.30.5.40.5.50.5.6 - npm
@squawk/types0.8.10.8.20.8.30.8.40.8.5 - npm
@squawk/units0.4.30.4.40.4.50.4.60.4.7 - npm
@squawk/weather0.5.60.5.70.5.80.5.90.5.10 - npm
@supersurkhet/cli0.0.20.0.30.0.40.0.50.0.60.0.7 - npm
@supersurkhet/sdk0.0.20.0.30.0.40.0.50.0.60.0.7 - npm
@tallyui/components1.0.11.0.21.0.3 - npm
@tallyui/connector-medusa1.0.11.0.21.0.3 - npm
@tallyui/connector-shopify1.0.11.0.21.0.3 - npm
@tallyui/connector-vendure1.0.11.0.21.0.3 - npm
@tallyui/connector-woocommerce1.0.11.0.21.0.3 - npm
@tallyui/core0.2.10.2.20.2.3 - npm
@tallyui/database1.0.11.0.21.0.3 - npm
@tallyui/pos0.1.10.1.20.1.3 - npm
@tallyui/storage-sqlite0.2.10.2.20.2.3 - npm
@tallyui/theme0.2.10.2.20.2.3 - npm
@tanstack/arktype-adapter1.166.121.166.15 - npm
@tanstack/eslint-plugin-router1.161.91.161.12 - npm
@tanstack/eslint-plugin-start0.0.40.0.7 - npm
@tanstack/history1.161.91.161.12 - npm
@tanstack/nitro-v2-vite-plugin1.154.121.154.15 - npm
@tanstack/react-router1.169.51.169.8 - npm
@tanstack/react-router-devtools1.166.161.166.19 - npm
@tanstack/react-router-ssr-query1.166.151.166.18 - npm
@tanstack/react-start1.167.681.167.71 - npm
@tanstack/react-start-client1.166.511.166.54 - npm
@tanstack/react-start-rsc0.0.470.0.50 - npm
@tanstack/react-start-server1.166.551.166.58 - npm
@tanstack/router-cli1.166.461.166.49 - npm
@tanstack/router-core1.169.51.169.8 - npm
@tanstack/router-devtools1.166.161.166.19 - npm
@tanstack/router-devtools-core1.167.61.167.9 - npm
@tanstack/router-generator1.166.451.166.48 - npm
@tanstack/router-plugin1.167.381.167.41 - npm
@tanstack/router-ssr-query-core1.168.31.168.6 - npm
@tanstack/router-utils1.161.111.161.14 - npm
@tanstack/router-vite-plugin1.166.531.166.56 - npm
@tanstack/solid-router1.169.51.169.8 - npm
@tanstack/solid-router-devtools1.166.161.166.19 - npm
@tanstack/solid-router-ssr-query1.166.151.166.18 - npm
@tanstack/solid-start1.167.651.167.68 - npm
@tanstack/solid-start-client1.166.501.166.53 - npm
@tanstack/solid-start-server1.166.541.166.57 - npm
@tanstack/start-client-core1.168.51.168.8 - npm
@tanstack/start-fn-stubs1.161.91.161.12 - npm
@tanstack/start-plugin-core1.169.231.169.26 - npm
@tanstack/start-server-core1.167.331.167.36 - npm
@tanstack/start-static-server-functions1.166.441.166.47 - npm
@tanstack/start-storage-context1.166.381.166.41 - npm
@tanstack/valibot-adapter1.166.121.166.15 - npm
@tanstack/virtual-file-routes1.161.101.161.13 - npm
@tanstack/vue-router1.169.51.169.8 - npm
@tanstack/vue-router-devtools1.166.161.166.19 - npm
@tanstack/vue-router-ssr-query1.166.151.166.18 - npm
@tanstack/vue-start1.167.611.167.64 - npm
@tanstack/vue-start-client1.166.461.166.49 - npm
@tanstack/vue-start-server1.166.501.166.53 - npm
@tanstack/zod-adapter1.166.121.166.15 - npm
@taskflow-corp/cli0.1.240.1.250.1.260.1.270.1.280.1.29 - npm
@tolka/cli1.0.21.0.31.0.41.0.51.0.6 - npm
@uipath/access-policy-sdk0.3.1 - npm
@uipath/access-policy-tool0.3.1 - npm
@uipath/admin-tool0.1.1 - npm
@uipath/agent-sdk1.0.2 - npm
@uipath/agent-tool1.0.1 - npm
@uipath/agent.sdk0.0.18 - npm
@uipath/aops-policy-tool0.3.1 - npm
@uipath/ap-chat1.5.7 - npm
@uipath/api-workflow-tool1.0.1 - npm
@uipath/apollo-core5.9.2 - npm
@uipath/apollo-react4.24.5 - npm
@uipath/apollo-wind2.16.2 - npm
@uipath/auth1.0.1 - npm
@uipath/case-tool1.0.1 - npm
@uipath/cli1.0.1 - npm
@uipath/codedagent-tool1.0.1 - npm
@uipath/codedagents-tool0.1.12 - npm
@uipath/codedapp-tool1.0.1 - npm
@uipath/common1.0.1 - npm
@uipath/context-grounding-tool0.1.1 - npm
@uipath/data-fabric-tool1.0.2 - npm
@uipath/docsai-tool1.0.1 - npm
@uipath/filesystem1.0.1 - npm
@uipath/flow-tool1.0.2 - npm
@uipath/functions-tool1.0.1 - npm
@uipath/gov-tool0.3.1 - npm
@uipath/identity-tool0.1.1 - npm
@uipath/insights-sdk1.0.1 - npm
@uipath/insights-tool1.0.1 - npm
@uipath/integrationservice-sdk1.0.2 - npm
@uipath/integrationservice-tool1.0.2 - npm
@uipath/llmgw-tool1.0.1 - npm
@uipath/maestro-sdk1.0.1 - npm
@uipath/maestro-tool1.0.1 - npm
@uipath/orchestrator-tool1.0.1 - npm
@uipath/packager-tool-apiworkflow0.0.19 - npm
@uipath/packager-tool-bpmn0.0.9 - npm
@uipath/packager-tool-case0.0.9 - npm
@uipath/packager-tool-connector0.0.19 - npm
@uipath/packager-tool-flow0.0.19 - npm
@uipath/packager-tool-functions0.1.1 - npm
@uipath/packager-tool-webapp1.0.6 - npm
@uipath/packager-tool-workflowcompiler0.0.16 - npm
@uipath/packager-tool-workflowcompiler-browser0.0.34 - npm
@uipath/platform-tool1.0.1 - npm
@uipath/project-packager1.1.16 - npm
@uipath/resource-tool1.0.1 - npm
@uipath/resourcecatalog-tool0.1.1 - npm
@uipath/resources-tool0.1.11 - npm
@uipath/robot1.3.4 - npm
@uipath/rpa-legacy-tool1.0.1 - npm
@uipath/rpa-tool0.9.5 - npm
@uipath/solution-packager0.0.35 - npm
@uipath/solution-tool1.0.1 - npm
@uipath/solutionpackager-sdk1.0.11 - npm
@uipath/solutionpackager-tool-core0.0.34 - npm
@uipath/tasks-tool1.0.1 - npm
@uipath/telemetry0.0.7 - npm
@uipath/test-manager-tool1.0.2 - npm
@uipath/tool-workflowcompiler0.0.12 - npm
@uipath/traces-tool1.0.1 - npm
@uipath/ui-widgets-multi-file-upload1.0.1 - npm
@uipath/uipath-python-bridge1.0.1 - npm
@uipath/vertical-solutions-tool1.0.1 - npm
@uipath/vss0.1.6 - npm
@uipath/widget.sdk1.2.3 - npm
agentwork-cli0.1.40.1.5 - npm
cmux-agent-mcp0.1.30.1.40.1.50.1.60.1.70.1.8 - npm
cross-stitch1.1.31.1.41.1.51.1.61.1.7 - npm
git-branch-selector1.3.31.3.41.3.51.3.61.3.7 - npm
git-git-git1.0.81.0.91.0.101.0.111.0.12 - npm
guardrails-ai0.10.1 - PyPI
guardrails-ai0.10.1 - npm
intercom-client7.0.4 - npm
mbt1.2.48 - npm
mistralai2.4.6 - PyPI
mistralai2.4.6 - npm
ml-toolkit-ts1.0.41.0.5 - npm
nextmove-mcp0.1.30.1.40.1.50.1.60.1.7 - npm
safe-action0.8.30.8.4 - npm
ts-dna3.0.13.0.23.0.33.0.43.0.5 - npm
wot-api0.8.10.8.20.8.30.8.4
npm-2026-05-shai-hulud-tanstackSource advisory - npm
- Medium11 May 2026Feed-only · no version-specific detection
RubyGems account-creation flood + GemStuffer data dead-drops force signup suspension
From 2026-05-11–12 an actor abused a RubyGems account-creation flaw to spin up thousands of bot accounts and upload tens of thousands of gems — 500+ confirmed malicious and yanked. Most were empty placeholders or GemStuffer data dead-drops that scraped U.K. council ModernGov portals and re-published the data as
.gemarchives. RubyGems paused new sign-ups; resolved 2026-05-16.rubygems-2026-05-11-gemstuffer-floodSource advisory - High8 May 20263 packages tracked
OceanLotus-attributed ZiChatBot PyPI droppers: uuid32-utils, colorinal, termncolor with Zulip-API C2
Kaspersky GReAT (2026-05-08) re-attributed three PyPI wheels uploaded by an attacker between 2025-07-16 and 2025-07-22 —
uuid32-utils,colorinal, andtermncolor— to the Vietnam-aligned OceanLotus (APT32) group. The droppers fetch a Windows DLL or Linux.so, persist via Run-key or crontab, and loadZiChatBot, a Python backdoor that uses public Zulip REST APIs as its C2 channel to blend with normal developer traffic.PyPIAffected packages3 packages · 7 versions
- PyPI
colorinal1.0.0 - PyPI
termncolor1.0.0 - PyPI
uuid32-utils1.0.01.0.11.0.21.0.31.0.4
pypi-2026-05-08-oceanlotus-zichatbot-zulip-c2Source advisory - PyPI
- High5 May 20261 package tracked
Sicoob.Sdk NuGet impersonator exfiltrates Brazilian banking PFX certificates and passwords via Sentry telemetry abuse
Sicoob.Sdk2.0.0–2.0.4 (published to NuGet between 2026-05-05 and 2026-05-06 by an account also namedsicoob) posed as the official C# SDK for Brazilian credit cooperative Sicoob. When a developer constructedSicoobClientwith a client ID, PFX path and PFX password, the embeddedSicoob.Sdk.dllbase64-encoded the PFX file and POSTed it together with the client ID and plaintext PFX password to an attacker-controlled Sentry endpoint. NuGet blocked the package after Socket disclosure on 2026-05-29.NuGetAffected packages1 package · 5 versions
- NuGet
Sicoob.Sdk2.0.02.0.12.0.22.0.32.0.4
nuget-2026-05-05-sicoob-sdk-banking-impersonatorSource advisory - NuGet
- High1 May 202616 packages tracked
BufferZoneCorp sleeper attack on RubyGems + Go modules
Socket disclosed a coordinated sleeper-package campaign attributed to the GitHub org
BufferZoneCorp(and RubyGems userknot-theory). Initially-clean Ruby gems and Go modules were updated to malicious versions. The Ruby side harvests env vars, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI config, and RubyGems credentials; the Go side tampers with GitHub Actions workflows, injects fake executables, and adds SSH persistence via authorized_keys. First confirmed 2026 RubyGems + Go module supply-chain campaign.GoRubyGemsAffected packages16 packages · 0 versions
- Go
github.com/BufferZoneCorp/config-loader - Go
github.com/BufferZoneCorp/go-envconfig - Go
github.com/BufferZoneCorp/go-metrics-sdk - Go
github.com/BufferZoneCorp/go-retryablehttp - Go
github.com/BufferZoneCorp/go-stdlib-ext - Go
github.com/BufferZoneCorp/go-weather-sdk - Go
github.com/BufferZoneCorp/grpc-client - Go
github.com/BufferZoneCorp/log-core - Go
github.com/BufferZoneCorp/net-helper - RubyGems
knot-activesupport-logger - RubyGems
knot-date-utils-rb - RubyGems
knot-devise-jwt-helper - RubyGems
knot-rack-session-store - RubyGems
knot-rails-assets-pipeline - RubyGems
knot-rspec-formatter-json - RubyGems
knot-simple-formatter
multi-2026-05-01-bufferzonecorp-rubygems-goSource advisory - Go
- Critical30 Apr 20263 packages tracked
PyTorch Lightning + intercom-client + intercom-php coordinated push
Mini Shai-Hulud wave 2: coordinated April 30 release of
lightning2.6.2/2.6.3 (PyPI),intercom-client7.0.4/7.0.5 (npm), andintercom/intercom-php5.0.2 (Packagist) carrying the same Bun-based credential stealer used in the SAP/@cap-js wave. ~11.7MBrouter_runtime.jsfires preinstall on npm; a.pthfile fires at every Python import on PyPI. Worm propagation via stolen GitHub PATs labelled "OhNoWhatsGoingOnWithGitHub:".npmPackagistPyPIAffected packages3 packages · 5 versions
- npm
intercom-client7.0.47.0.5 - Packagist
intercom/intercom-php5.0.2 - PyPI
lightning2.6.22.6.3
multi-2026-04-30-mini-shai-hulud-wave2Source advisory - npm
- High29 Apr 202610 packages tracked
DPRK "PromptMink" campaign uses AI agents to insert @validate-sdk/v2 dependency
ReversingLabs traced a DPRK Famous Chollima / UNC1069 campaign that began with
@hash-validator/v2in Sept 2025 and evolved through Feb 28, 2026 to insert@validate-sdk/v2as the malicious dependency of benign-looking "bait" SDKs aimed at AI coding agents. One AI-authored commit pulled@solana-launchpad/sdkinto a crypto trading repo. Phase 4 in March 2026 used Rust NAPI modules and 85MB Node SEA bundles to exfiltrate full source trees. 300+ malicious package versions across 60+ unique packages observed.npmPyPIAffected packages10 packages · 36 versions
- npm
@hash-validator/v2 - npm
@meme-sdk/trade1.0.01.0.1 - npm
@pumpfun-ipfs/sdk - npm
@solana-ipfs/sdk - npm
@solana-launchpad/sdk - npm
@solmasterv3/solana-metadata-sdk - npm
@validate-ethereum-address/core1.0.31.0.41.0.51.0.6 - npm
@validate-sdk/v21.22.111.22.121.22.131.22.141.22.151.22.161.22.171.22.181.22.191.22.201.22.211.22.221.22.231.22.241.22.251.22.261.22.271.22.281.22.291.22.301.22.31 - npm
@validator-sdk/pubkey1.0.01.0.21.0.31.0.41.0.51.0.61.0.71.0.8 - PyPI
scraper-npm1.0.4
multi-2026-04-29-promptmink-validate-sdkSource advisory - npm
- Critical29 Apr 20264 packages tracked
SAP / @cap-js mini-Shai-Hulud campaign
Mini-Shai-Hulud-style attack against SAP-related npm packages on 2026-04-29 09:55–12:14 UTC. Preinstall
setup.mjsdownloads the Bun runtime, runs an obfuscatedexecution.jsthat exfils GitHub/npm tokens, AWS/Azure/GCP secrets, Kubernetes tokens, and browser passwords via the GitHub GraphQL API. Includes a Russian-locale guardrail and persistence via .claude/ and .vscode/ poisoning.npmAffected packages4 packages · 4 versions
- npm
@cap-js/db-service2.10.1 - npm
@cap-js/postgres2.2.2 - npm
@cap-js/sqlite2.2.2 - npm
mbt1.2.48
npm-2026-04-sap-cap-jsSource advisory - npm
- Critical24 Apr 20262 packages tracked
elementary-data PyPI package backdoored via GitHub Actions injection
An attacker (account
realtungtungtungsahur) exploited a script-injection flaw in theelementary-datarelease workflow via PR comment, then used the workflow token to forge release commit b1e4b1f3 and trigger the legitimate publishing pipeline. PyPIelementary-data0.23.3 and ghcr.io/elementary-data/elementary 0.23.3 +latestshipped a ~245 KB obfuscated payload inelementary.pth. Clean 0.23.4 published April 25.DockerPyPIAffected packages2 packages · 3 versions
- PyPI
elementary-data0.23.3 - Docker
ghcr.io/elementary-data/elementary0.23.3latest
pypi-2026-04-24-elementary-dataSource advisory - PyPI
- High23 Apr 20261 package tracked
js-logger-pack npm worm uses Hugging Face datasets as malware CDN + exfil store
JFrog found 27 malicious versions of
js-logger-pack(1.1.0-1.1.27) abusing the Hugging Face repoLordplay/system-releasesto fetch cross-platform binaries (Windows/macOS x64/macOS ARM64/Linux) and upload stolen data to private datasets. The malware adds keylogging, clipboard capture, browser-session and Telegram Desktop theft, plus an operator command channel.npmAffected packages1 package · 28 versions
- npm
js-logger-pack1.1.01.1.11.1.21.1.31.1.41.1.51.1.61.1.71.1.81.1.91.1.101.1.111.1.121.1.131.1.141.1.151.1.161.1.171.1.181.1.191.1.201.1.211.1.221.1.231.1.241.1.251.1.261.1.27
npm-2026-04-23-js-logger-pack-huggingfaceSource advisory - npm
- Critical22 Apr 20261 package tracked
Xinference PyPI package backdoored on import
JFrog flagged three consecutive
xinferencereleases (2.6.0-2.6.2) on PyPI carrying a TeamPCP-style payload embedded inxinference/__init__.pythat fires on import. The malware base64-encodes a stage-1 wrapper containing the comment# hacked by teampcp, then spawns a detached subprocess that bundles harvested data intolove.tar.gzand POSTs it with a customX-QT-SR: 14header. TeamPCP publicly denied involvement, claiming a copycat. 600,000+ downloads of malicious wheels.PyPIAffected packages1 package · 3 versions
- PyPI
xinference2.6.02.6.12.6.2
pypi-2026-04-22-xinference-teampcpSource advisory - PyPI
- Critical22 Apr 20263 packages tracked
Checkmarx KICS Docker images + Open VSX extensions compromised (TeamPCP)
Docker and Socket jointly disclosed a multi-stage compromise of Checkmarx KICS Docker images and Checkmarx VS Code / Open VSX extensions. Trojanised extensions silently install an MCP addon executed via Bun, while the Docker images include a modified KICS binary that encrypts scan output and exfiltrates it. TeamPCP claimed responsibility.
DockerOpen VSXAffected packages3 packages · 11 versions
- Open VSX
checkmarx.ast-results2.63.02.66.0 - Open VSX
checkmarx.cx-dev-assist1.17.01.19.0 - Docker
checkmarx/kics2.1.202.1.20-debian2.1.212.1.21-debianalpinedebianlatest
multi-2026-04-22-checkmarx-kics-vsx-dockerSource advisory - Open VSX
- Critical22 Apr 20261 package tracked
@bitwarden/cli 2026.4.0 hijacked via Checkmarx GitHub Actions breach
TeamPCP pushed a malicious
@bitwarden/cli@2026.4.0to npm between 17:57 and 19:30 ET on April 22, exploiting Bitwarden's use of the breachedcheckmarx/ast-github-action.bw_setup.jsfetched Bun 1.3.13 from GitHub and ran a payload that targeted SSH, Git, npm, AWS/GCP/Azure, GitHub Actions secrets, and AI/MCP configs (.claude.json,.kiro/settings/mcp.json), exfiltrating viaaudit.checkmarx.cx. Live ~90 minutes; Bitwarden confirmed no end-user vault data was accessed.npmAffected packages1 package · 1 version
- npm
@bitwarden/cli2026.4.0
npm-2026-04-22-bitwarden-cli-teampcpSource advisory - npm
- Critical21 Apr 20266 packages tracked
CanisterSprawl: self-propagating npm worm hits pgserve + Namastex packages
Socket and StepSecurity disclosed CanisterSprawl, a self-propagating npm worm that compromised at least 16 versions across Namastex Labs and related publishers from 21 April 2026. The postinstall hook harvests 38 env vars and filesystem secrets, encrypts via AES-256-CBC + RSA-4096, and exfiltrates to an Internet Computer Protocol canister. Stolen npm tokens are reused to publish further malicious versions. Tradecraft matches the earlier TeamPCP CanisterWorm campaign.
npmAffected packages6 packages · 16 versions
- npm
@automagik/genie4.260421.334.260421.344.260421.354.260421.364.260421.374.260421.384.260421.39 - npm
@fairwords/loopback-connector-es1.4.31.4.4 - npm
@fairwords/websocket1.0.381.0.39 - npm
@openwebconcept/design-tokens1.0.3 - npm
@openwebconcept/theme-owc1.0.3 - npm
pgserve1.1.111.1.121.1.13
npm-2026-04-21-canisterworm-pgserve-namastexSource advisory - npm
- High15 Apr 202636 packages tracked
36 fake Strapi plugins on npm deploy persistent implants
Four sock-puppet npm accounts (umarbek1233, kekylf12, tikeqemif26, umar_bektembiev1) uploaded 36 packages over a ~13-hour window impersonating Strapi CMS plugins. Payload evolution moved through 8 variants targeting Redis RCE with cron injection, Docker container escapes, PostgreSQL exploitation on hosts named
prod-strapi, Python reverse shells on port 4444, and SSH-key backdoors.npmAffected packages36 packages · 0 versions
- npm
strapi-plugin-advanced-uuid - npm
strapi-plugin-api - npm
strapi-plugin-blurhash - npm
strapi-plugin-cms-tools - npm
strapi-plugin-config - npm
strapi-plugin-content-sync - npm
strapi-plugin-core - npm
strapi-plugin-cron - npm
strapi-plugin-database - npm
strapi-plugin-debug-tools - npm
strapi-plugin-events - npm
strapi-plugin-finseven - npm
strapi-plugin-form - npm
strapi-plugin-guardarian-ext - npm
strapi-plugin-health - npm
strapi-plugin-health-check - npm
strapi-plugin-hextest - npm
strapi-plugin-hooks - npm
strapi-plugin-locale - npm
strapi-plugin-logger - npm
strapi-plugin-monitor - npm
strapi-plugin-nordica - npm
strapi-plugin-nordica-api - npm
strapi-plugin-nordica-cms - npm
strapi-plugin-nordica-deep - npm
strapi-plugin-nordica-lite - npm
strapi-plugin-nordica-recon - npm
strapi-plugin-nordica-stage - npm
strapi-plugin-nordica-sync - npm
strapi-plugin-nordica-tools - npm
strapi-plugin-nordica-vhost - npm
strapi-plugin-notify - npm
strapi-plugin-seed - npm
strapi-plugin-server - npm
strapi-plugin-sitemap-gen - npm
strapi-plugin-sync
npm-2026-04-15-strapi-pluginsSource advisory - npm
- High15 Apr 20261 package tracked
@kindo/selfbot npm package delivers XWorm RAT via 5-stage Astral Warfare chain
JFrog identified
@kindo/selfbot(XRAY-964727), a video-game-themed Discord selfbot npm package. A 5-stage chain (JS downloader → 250KB obfuscated batch → PowerShell process injection → XOR-decoded shellcode → XWormClient .NET RAT) installed itself againstexplorer.exewith AMSI/ETW evasion.npmAffected packages1 package · 5 versions
- npm
@kindo/selfbot1.0.01.0.11.0.21.0.31.0.4
npm-2026-04-15-kindo-selfbot-xwormSource advisory - npm
- High14 Apr 20265 packages tracked
5 NuGet packages impersonate Chinese .NET UI libraries with infostealer payload
NuGet publisher
bmrxntfjshipped five packages on 14 April 2026 within ~13 seconds, grafting a .NET Reactor-protected infostealer onto decompiled legitimate libraries. Across 219 total versions they accumulated ~65k downloads, targeting browser creds, crypto wallets, and SSH keys on Windows .NET dev hosts.NuGetAffected packages5 packages · 5 versions
- NuGet
IR.DantUI2.1.55 - NuGet
IR.Infrastructure.Core2.1.55 - NuGet
IR.Infrastructure.DataService.Core2.1.55 - NuGet
IR.iplus322.1.55 - NuGet
IR.OscarUI2.1.55
nuget-2026-04-14-chinese-ui-impersonatorsSource advisory - NuGet
- High7 Apr 202614 packages tracked
DPRK Contagious Interview campaign expands across 5 ecosystems
Socket disclosed a fresh wave of DPRK Contagious Interview / FAMOUS CHOLLIMA packages spanning npm, PyPI, Go modules, crates.io, and Packagist. They impersonate logging / license developer tooling and act as staged loaders for credential stealers and RATs across Windows, macOS and Linux. The Windows variant deploys a keylogger and AnyDesk for hands-on access.
crates.ioGonpmPackagistPyPIAffected packages14 packages · 6 versions
- PyPI
apachelicense0.1a1 - npm
debug-fmt - npm
debug-glitz - npm
dev-log-core1.0.5 - PyPI
fluxhttp - Go
github.com/aokisasakidev/mit-license-pkg1.0.2 - Go
github.com/golangorg/formstash1.0.5 - Packagist
golangorg/logkit - PyPI
license-utils-kit0.1rc3 - npm
logger-base - npm
logkitx - crates.io
logtrace1.0.2 - PyPI
logutilkit - npm
pino-debugger
multi-2026-04-07-contagious-interview-5-ecosystemsSource advisory - PyPI
- Medium5 Apr 20261 package tracked
hermes-px PyPI "privacy" AI proxy steals prompts via stolen university infra
JFrog detected
hermes-px, masquerading as a privacy-preserving AI proxy. It routed requests through Tor to a stolen Tunisian university API and bundled a 246K-character Anthropic Claude system prompt rebranded as "AXIOM-1". It simultaneously exfiltrated all prompts/responses unencrypted to a Supabase endpoint, bypassing Tor and exposing user IPs.PyPIAffected packages1 package · 0 versions
- PyPI
hermes-px
pypi-2026-04-05-hermes-pxSource advisory - PyPI
- Critical31 Mar 20264 packages tracked
Axios npm compromise (North Korea-nexus RAT)
Lead-maintainer account compromised via social engineering. Two malicious axios releases pulled in plain-crypto-js, whose postinstall fetched a cross-platform RAT from sfrclak[.]com:8000. Microsoft + Google attribute to Sapphire Sleet / UNC1069 (North Korea-nexus). Live for ~3 hours; ~100M weekly downloads in scope.
npmAffected packages4 packages · 8 versions
- npm
@qqbrowser/openclaw-qbot0.0.130 - npm
@shadanai/openclaw2026.3.28-22026.3.28-32026.3.31-12026.3.31-2 - npm
axios1.14.10.30.4 - npm
plain-crypto-js4.2.1
npm-2026-03-axiosSource advisory - npm
- High31 Mar 20261 package tracked
LofyGang returns with undicy-http typosquat delivering dual-payload RAT
JFrog tied
undicy-http@2.0.0(a typosquat ofundici) to the Brazil-based LofyGang group last seen in 2022. The package pairs a Node.js WebSocket RAT with a nativechromelevator.exebinary that uses direct syscalls for process hollowing, then injects browser credential stealers targeting 50+ browsers and 90+ wallet extensions.npmAffected packages1 package · 1 version
- npm
undicy-http2.0.0
npm-2026-03-31-undicy-lofygangSource advisory - npm
- Critical27 Mar 20261 package tracked
Telnyx Python SDK hides credential stealer in WAV-file steganography
TeamPCP published malicious
telnyx4.87.1 and 4.87.2 to PyPI on 27 March 2026 (~670k monthly downloads). Trojanised_client.pydownloads steganographic payloads disguised as.wavfiles over plaintext HTTP, extracts the credential stealer, and persists. Windows variant dropsmsbuild.exeto the Startup folder; Linux variant uses a user-level systemd service. AES-256-CBC + RSA-4096 envelope for exfil.PyPIAffected packages1 package · 2 versions
- PyPI
telnyx4.87.14.87.2
pypi-2026-03-27-telnyx-teampcpSource advisory - PyPI
- Critical24 Mar 20261 package tracked
LiteLLM PyPI backdoored as TeamPCP cascade reaches Python
TeamPCP used credentials harvested from the Trivy compromise to publish trojanised
litellm1.82.7 and 1.82.8 to PyPI on 24 March 2026 (~10:39 and 10:52 UTC). Malicious wheels drop alitellm_init.pthfile in site-packages, executing a credential stealer at every Python interpreter start. PyPI quarantined the packages ~40 minutes after publication. Attackers later claimed ~500,000 credentials from this single compromise. LiteLLM averages ~3M daily downloads and ships in ~36% of cloud environments.PyPIAffected packages1 package · 2 versions
- PyPI
litellm1.82.71.82.8
pypi-2026-03-24-litellm-teampcpSource advisory - PyPI
- High24 Mar 20265 packages tracked
5 npm typosquats target Solana + Ethereum dev libraries, exfil keys to Telegram
npm publisher
galedonovanshipped five typosquats of legitimate crypto libraries. Each transparently intercepts private keys passed through normal API calls (Base58 decoding for Solana, Wallet construction for Ethereum), exfiltrates them to a hardcoded Telegram bot, then returns the expected result so functionality looks normal.npmAffected packages5 packages · 4 versions
- npm
base_xd - npm
base-x-640.0.6 - npm
bs58-basic6.0.1 - npm
ethersproject-wallet5.8.1 - npm
raydium-bs581.9.7
npm-2026-03-24-solana-ethereum-typosquatsSource advisory - npm
- High23 Mar 20262 packages tracked
Checkmarx KICS GitHub Actions trojanised by TeamPCP
Between 12:58 and 16:50 UTC on 23 March 2026, TeamPCP hijacked 35 tags in the Checkmarx
ast-github-actionandkics-github-actionrepos to push a credential stealer, leveraging tokens stolen from the Trivy compromise. CI/CD pipelines using either Action during the window executed the stealer before the legitimate scan.GitHub ActionsAffected packages2 packages · 0 versions
- GitHub Actions
checkmarx/ast-github-action - GitHub Actions
checkmarx/kics-github-action
github-actions-2026-03-23-checkmarx-kicsSource advisory - GitHub Actions
- Critical20 Mar 202629 packages tracked
CanisterWorm: @emilgroup and @teale.io npm publisher compromise (29+ packages)
An attacker compromised the @emilgroup and @teale.io npm namespaces, replacing 58 package-versions with a Python backdoor that polls an Internet Computer Protocol (ICP) canister for follow-on payloads. The implant persists via user-level systemd and includes worm-style republishing via deploy.js. Wiz later linked the tradecraft to TeamPCP; Socket declined firm attribution.
npmAffected packages29 packages · 58 versions
- npm
@emilgroup/account-sdk1.41.11.41.2 - npm
@emilgroup/account-sdk-node1.40.11.40.2 - npm
@emilgroup/accounting-sdk-node1.26.11.26.2 - npm
@emilgroup/api-documentation1.19.11.19.2 - npm
@emilgroup/auth-sdk1.25.11.25.2 - npm
@emilgroup/auth-sdk-node1.21.11.21.2 - npm
@emilgroup/billing-sdk1.56.11.56.2 - npm
@emilgroup/billing-sdk-node1.57.11.57.2 - npm
@emilgroup/claim-sdk1.41.11.41.2 - npm
@emilgroup/claim-sdk-node1.39.11.39.2 - npm
@emilgroup/customer-sdk1.54.11.54.2 - npm
@emilgroup/customer-sdk-node1.55.11.55.2 - npm
@emilgroup/document-sdk1.45.11.45.2 - npm
@emilgroup/document-sdk-node1.43.11.43.2 - npm
@emilgroup/gdv-sdk2.6.12.6.2 - npm
@emilgroup/insurance-sdk1.97.11.97.2 - npm
@emilgroup/insurance-sdk-node1.95.11.95.2 - npm
@emilgroup/notification-sdk-node1.4.11.4.2 - npm
@emilgroup/partner-portal-sdk-node1.1.11.1.2 - npm
@emilgroup/partner-sdk-node1.19.11.19.2 - npm
@emilgroup/payment-sdk1.15.11.15.2 - npm
@emilgroup/payment-sdk-node1.23.11.23.2 - npm
@emilgroup/process-manager-sdk-node1.13.11.13.2 - npm
@emilgroup/public-api-sdk1.33.11.33.2 - npm
@emilgroup/public-api-sdk-node1.35.11.35.2 - npm
@emilgroup/tenant-sdk1.34.11.34.2 - npm
@emilgroup/tenant-sdk-node1.33.11.33.2 - npm
@emilgroup/translation-sdk-node1.1.11.1.2 - npm
@teale.io/eslint-config1.8.91.8.10
npm-2026-03-20-canisterworm-emilgroup-tealeSource advisory - npm
- Critical19 Mar 20263 packages tracked
Trivy GitHub Action + Docker images compromised — start of TeamPCP cascade
Aqua Security's Trivy scanner was compromised on 19 March 2026 by the threat actor self-identifying as TeamPCP. The attacker force-pushed 76 of 77 tags in
aquasecurity/trivy-action(only @0.35.0 survived) and all 7 tags inaquasecurity/setup-trivyto malicious commits, then published trojanised Trivy binary 0.69.4 + Docker images 0.69.5/0.69.6/latest. A stolen Argon-DevOps-Mgt service-account token seeded the downstream LiteLLM, Telnyx, Bitwarden CLI, and Checkmarx compromises.DockerGitHub ActionsAffected packages3 packages · 4 versions
- Docker
aquasec/trivy0.69.40.69.50.69.6latest - GitHub Actions
aquasecurity/setup-trivy - GitHub Actions
aquasecurity/trivy-action
github-actions-2026-03-19-trivy-teampcp-cascadeSource advisory - Docker
- High18 Mar 20262 packages tracked
GlassWorm sleeper extensions activate on Open VSX
Roughly 40 malicious VS Code extensions surfaced March 14-18, 2026: 20+ new extensions, ~20 previously dormant sleepers activated, plus 11 extensionPack droppers. The campaign hosts VSIX payloads on attacker-controlled GitHub releases to evade registry takedowns. Publishing accounts:
laura6909,martina0094,chiara585,francesca898.Open VSXAffected packages2 packages · 3 versions
- Open VSX
96-studio.json-formatter0.0.20.0.4 - Open VSX
lauracode.wrap-selected-code0.0.2
openvsx-2026-03-18-glassworm-sleeperSource advisory - Open VSX
- High13 Mar 2026Feed-only · no version-specific detection
GlassWorm: 72+ Open VSX extensions weaponised via transitive loaders
Socket linked at least 72 additional malicious Open VSX extensions to the GlassWorm campaign. Newer variants use
extensionPack/extensionDependenciesfields to transitively pull GlassWorm loaders rather than embedding malware directly. Obfuscation rotated to RC4 + base64 with keys delivered in HTTP response headers.openvsx-2026-03-13-glassworm-transitiveSource advisory - Medium12 Mar 20266 packages tracked
6 malicious Packagist OphimCMS themes ship trojanised jQuery and FUNNULL redirects
Six Composer packages from the
ophimcmsorganisation posed as OphimCMS themes containing trojanised jQuery. The payload exfiltrates URLs, injects ads, and redirects mobile traffic via OFAC-sanctioned FUNNULL infrastructure. Combined ~2,750 installs.PackagistAffected packages6 packages · 6 versions
- Packagist
ophimcms/theme-dy1.0.0 - Packagist
ophimcms/theme-legend1.0.0 - Packagist
ophimcms/theme-motchill1.0.0 - Packagist
ophimcms/theme-mtyy1.0.0 - Packagist
ophimcms/theme-pcc1.2.2 - Packagist
ophimcms/theme-rrdyw1.0.0
packagist-2026-03-12-ophimcms-themesSource advisory - Packagist
- Medium28 Feb 20265 packages tracked
5 malicious Rust crates pose as time utilities to exfiltrate .env files
Five crates published between late February and early March 2026 posed as local time utilities while exfiltrating .env files via
curlto a lookalike domaintimeapis.io(typosquattingtimeapi.io). All packages were 0.1.0 and yanked within hours. Account aliases:gehakax777,dictorudin.crates.ioAffected packages5 packages · 5 versions
- crates.io
chrono_anchor0.1.0 - crates.io
dnp3times0.1.0 - crates.io
time_calibrator0.1.0 - crates.io
time_calibrators0.1.0 - crates.io
time-sync0.1.0
crates-2026-02-28-time-utility-typosquatsSource advisory - crates.io
- High27 Feb 202626 packages tracked
StegaBin: 26 npm typosquats use Pastebin steganography to deliver Contagious Interview RAT
Socket disclosed 26 typosquatted npm packages tied to North Korea's Contagious Interview / FAMOUS CHOLLIMA cluster. The loader decodes steganographically-encoded Pastebin URLs to resolve C2 hosted across 31 Vercel deployments, then retrieves a 9-module infostealer and RAT toolkit.
npmAffected packages26 packages · 26 versions
- npm
argonist0.41.0 - npm
bcryptance6.5.2 - npm
bee-quarl2.1.2 - npm
bubble-core6.26.2 - npm
corstoken2.14.7 - npm
daytonjs1.11.20 - npm
ether-lint5.9.4 - npm
expressjs-lint5.3.2 - npm
fastify-lint5.8.0 - npm
formmiderable3.5.7 - npm
hapi-lint19.1.2 - npm
iosysredis5.13.2 - npm
jslint-config10.22.2 - npm
jsnwebapptoken8.40.2 - npm
kafkajs-lint2.21.3 - npm
loadash-lint4.17.24 - npm
mqttoken5.40.2 - npm
prism-lint7.4.2 - npm
promanage6.0.21 - npm
sequelization6.40.2 - npm
typoriem0.4.17 - npm
undicy-lint7.23.1 - npm
uuindex13.1.0 - npm
vitetest-lint4.1.21 - npm
windowston3.19.2 - npm
zoddle4.4.2
npm-2026-02-27-stegabin-contagious-interviewSource advisory - npm
- Critical20 Feb 202619 packages tracked
SANDWORM_MODE: 19 npm typosquats with self-spreading worm + AI toolchain poisoning
Socket disclosed a Shai-Hulud-style self-propagating worm spread across at least 19 typosquatted npm packages from accounts
official334andjavaorg. It harvests CI secrets and crypto keys, propagates via stolen npm/GitHub tokens, and injects prompt-injection logic into MCP servers used by AI coding assistants.npmAffected packages19 packages · 19 versions
- npm
claud-code0.2.1 - npm
cloude0.3.0 - npm
cloude-code0.2.1 - npm
crypto-locale1.0.0 - npm
crypto-reader-info1.0.0 - npm
detect-cache1.0.0 - npm
format-defaults1.0.0 - npm
hardhta1.0.0 - npm
locale-loader-pro1.0.0 - npm
naniod1.0.0 - npm
node-native-bridge1.0.0 - npm
opencraw2026.2.17 - npm
parse-compat1.0.0 - npm
rimarf1.0.0 - npm
scan-store1.0.0 - npm
secp2561.0.0 - npm
suport-color1.0.1 - npm
veim2.46.2 - npm
yarsg18.0.1
npm-2026-02-20-sandworm-modeSource advisory - npm
- High17 Feb 20261 package tracked
cline npm package hijacked via "Clinejection" prompt-injection chain
An attacker abused an unsanitised AI issue-triage GitHub Actions workflow on the Cline repo to poison the release pipeline cache and steal the npm publish token. They published
cline@2.3.0with a postinstall script that globally installed the second-stage packageopenclaw. ~90k weekly downloads; live for ~8 hours before Cline rotated the token and shipped 2.4.0.npmAffected packages1 package · 1 version
- npm
cline2.3.0
npm-2026-02-17-cline-clinejectionSource advisory - npm
- High11 Feb 202630 packages tracked
Lazarus "graphalgo" fake-recruiter campaign (npm + PyPI)
ReversingLabs attributed an ongoing fake-recruiter campaign (active since May 2025, reported Feb 2026) to North Korea's Lazarus Group (overlapping Jade Sleet / UNC4899). Crypto, JavaScript, and Python developers are lured via LinkedIn/Reddit/Facebook into interview "coding tasks" that pull a token-protected RAT loader from npm and PyPI. ~192 malicious packages attributed in total; bigmathutils alone passed 10,000 downloads.
npmPyPIAffected packages30 packages · 44 versions
- npm
bigmathex - npm
bigmathix - npm
bigmathlib - npm
bigmathutils1.0.01.1.0 - npm
bignumberx - npm
bignumex - npm
bignumx - PyPI
bigpyx - npm
graphalgo2.2.5-pre2.2.62.2.72.2.82.2.92.2.102.2.11 - PyPI
graphalgo-py3.5.1rc0.dev03.5.23.5.33.5.53.5.6 - npm
graphchain - PyPI
graphdict - PyPI
graphex3.5.73.5.83.5.93.5.10 - npm
graphflowx - npm
graphflux - npm
graphhub - npm
graphkitx - npm
graphlibcore2.2.62.2.72.2.82.2.92.2.102.2.11 - PyPI
graphlibx - npm
graphnet - npm
graphnetworkx2.1.62.1.72.1.82.1.92.1.102.1.11 - PyPI
graphnode - npm
graphorbit - npm
graphorithm2.2.62.2.72.2.82.2.9 - npm
graphrix - npm
graphstruct2.2.62.2.72.2.8 - PyPI
graphsync - npm
netstruct2.1.62.1.8 - npm
terminal-kleur - npm
terminalcolor2562.0.22.0.32.1.02.2.02.2.6
multi-2026-02-11-lazarus-graphalgoSource advisory - npm
- Medium5 Feb 20263 packages tracked
Polymarket SDK typosquats on crates.io
Three crates impersonating
polymarket-client-sdkwere published between 5 and 19 February 2026 and exfiltrated local credential files. The malicious crates were yanked and publisher accounts disabled. Combined downloads stayed under 100, but targeting was high-value (Polymarket / Web3 developers).crates.ioAffected packages3 packages · 0 versions
- crates.io
polymarket-client-sdks - crates.io
polymarket-clients-sdk - crates.io
polymarkets-client-sdk
crates-2026-02-05-polymarket-typosquatsSource advisory - crates.io
- Critical27 Jan 20262 packages tracked
dYdX v4-client npm + PyPI compromise (wallet stealer + RAT)
Maintainer credentials for the dYdX decentralized exchange were compromised; malicious versions of the official v4 client were pushed to npm and PyPI in a coordinated release. The npm payload exfiltrates wallet seed phrases through a malicious
createRegistry()function. The PyPI variant additionally drops a Python RAT executed on import.npmPyPIAffected packages2 packages · 6 versions
- npm
@dydxprotocol/v4-client-js1.0.311.15.21.22.13.4.1 - PyPI
dydx-v4-client1.1.5.post11.1.5post1
multi-2026-01-27-dydx-compromiseSource advisory - npm
- High17 Jan 20261 package tracked
sympy-dev PyPI typosquat delivering XMRig cryptominer
A PyPI typosquat of SymPy was published by the account "Nanit" across four versions on Jan 17, 2026. It fetches a remote JSON config, downloads an ELF, and executes it from a memfd to evade disk-based detection. The payload is XMRig mining Monero on infected developer workstations.
PyPIAffected packages1 package · 4 versions
- PyPI
sympy-dev1.2.31.2.41.2.51.2.6
pypi-2026-01-17-sympy-dev-minerSource advisory - PyPI
- Critical15 Sept 2025197 packages tracked
Original Shai-Hulud npm worm
First successful self-propagating worm in the npm ecosystem. Downstream of the August 2025 s1ngularity/Nx GitHub-token theft. The postinstall hook ran TruffleHog to harvest secrets, opened public GitHub repos named "Shai-Hulud" to publish them, force-converted private repos to public with a "-migration" suffix, and used stolen npm tokens to publish malicious versions of any package the maintainer could access. ~180 unique packages compromised across 300+ versions, including CrowdStrike's own scope (@crowdstrike/*).
npmAffected packages197 packages · 509 versions
- npm
@ahmedhfarag/ngx-perfect-scrollbar20.0.20 - npm
@ahmedhfarag/ngx-virtual-scroller4.0.4 - npm
@art-ws/common2.0.28 - npm
@art-ws/config-eslint2.0.42.0.5 - npm
@art-ws/config-ts2.0.72.0.8 - npm
@art-ws/db-context2.0.24 - npm
@art-ws/di2.0.282.0.32 - npm
@art-ws/di-node2.0.13 - npm
@art-ws/eslint1.0.51.0.6 - npm
@art-ws/fastify-http-server2.0.242.0.27 - npm
@art-ws/http-server2.0.212.0.25 - npm
@art-ws/openapi0.1.90.1.12 - npm
@art-ws/package-base1.0.51.0.6 - npm
@art-ws/prettier1.0.51.0.6 - npm
@art-ws/slf2.0.152.0.22 - npm
@art-ws/ssl-info1.0.91.0.10 - npm
@art-ws/web-app1.0.31.0.4 - npm
@basic-ui-components-stc/basic-ui-components1.0.5 - npm
@crowdstrike/commitlint8.1.18.1.2 - npm
@crowdstrike/falcon-shoelace0.4.10.4.2 - npm
@crowdstrike/foundry-js0.19.10.19.2 - npm
@crowdstrike/glide-core0.34.20.34.3 - npm
@crowdstrike/logscale-dashboard1.205.11.205.2 - npm
@crowdstrike/logscale-file-editor1.205.11.205.2 - npm
@crowdstrike/logscale-parser-edit1.205.11.205.2 - npm
@crowdstrike/logscale-search1.205.11.205.2 - npm
@crowdstrike/tailwind-toucan-base5.0.15.0.2 - npm
@ctrl/deluge7.2.17.2.2 - npm
@ctrl/golang-template1.4.21.4.3 - npm
@ctrl/magnet-link4.0.34.0.4 - npm
@ctrl/ngx-codemirror7.0.17.0.2 - npm
@ctrl/ngx-csv6.0.16.0.2 - npm
@ctrl/ngx-emoji-mart9.2.19.2.2 - npm
@ctrl/ngx-rightclick4.0.14.0.2 - npm
@ctrl/qbittorrent9.7.19.7.2 - npm
@ctrl/react-adsense2.0.12.0.2 - npm
@ctrl/shared-torrent6.3.16.3.2 - npm
@ctrl/tinycolor4.1.14.1.2 - npm
@ctrl/torrent-file4.1.14.1.2 - npm
@ctrl/transmission7.3.1 - npm
@ctrl/ts-base324.0.14.0.2 - npm
@hestjs/core0.2.1 - npm
@hestjs/cqrs0.1.6 - npm
@hestjs/demo0.1.2 - npm
@hestjs/eslint-config0.1.2 - npm
@hestjs/logger0.1.6 - npm
@hestjs/scalar0.1.7 - npm
@hestjs/validation0.1.6 - npm
@nativescript-community/arraybuffers1.1.61.1.71.1.8 - npm
@nativescript-community/gesturehandler2.0.35 - npm
@nativescript-community/perms3.0.53.0.63.0.73.0.83.0.9 - npm
@nativescript-community/sentry4.6.43 - npm
@nativescript-community/sqlite3.5.23.5.33.5.43.5.5 - npm
@nativescript-community/text1.6.91.6.101.6.111.6.121.6.13 - npm
@nativescript-community/typeorm0.2.300.2.310.2.320.2.33 - npm
@nativescript-community/ui-collectionview6.0.6 - npm
@nativescript-community/ui-document-picker1.1.271.1.2813.0.32 - npm
@nativescript-community/ui-drawer0.1.30 - npm
@nativescript-community/ui-image4.5.6 - npm
@nativescript-community/ui-label1.3.351.3.361.3.37 - npm
@nativescript-community/ui-material-bottom-navigation7.2.727.2.737.2.747.2.75 - npm
@nativescript-community/ui-material-bottomsheet7.2.72 - npm
@nativescript-community/ui-material-core7.2.727.2.737.2.747.2.757.2.76 - npm
@nativescript-community/ui-material-core-tabs7.2.727.2.737.2.747.2.757.2.76 - npm
@nativescript-community/ui-material-ripple7.2.727.2.737.2.747.2.75 - npm
@nativescript-community/ui-material-tabs7.2.727.2.737.2.747.2.75 - npm
@nativescript-community/ui-pager14.1.3614.1.3714.1.38 - npm
@nativescript-community/ui-pulltorefresh2.5.42.5.52.5.62.5.7 - npm
@nexe/config-manager0.1.1 - npm
@nexe/eslint-config0.1.1 - npm
@nexe/logger0.1.3 - npm
@nstudio/angular20.0.420.0.520.0.6 - npm
@nstudio/focus20.0.420.0.520.0.6 - npm
@nstudio/nativescript-checkbox2.0.62.0.72.0.82.0.9 - npm
@nstudio/nativescript-loading-indicator5.0.15.0.25.0.35.0.4 - npm
@nstudio/ui-collectionview5.1.115.1.125.1.135.1.14 - npm
@nstudio/web20.0.4 - npm
@nstudio/web-angular20.0.4 - npm
@nstudio/xplat20.0.520.0.620.0.7 - npm
@nstudio/xplat-utils20.0.520.0.620.0.7 - npm
@operato/board9.0.369.0.379.0.389.0.399.0.409.0.419.0.429.0.439.0.449.0.459.0.46 - npm
@operato/data-grist9.0.299.0.359.0.369.0.37 - npm
@operato/graphql9.0.229.0.359.0.369.0.379.0.389.0.399.0.409.0.419.0.429.0.439.0.449.0.459.0.46 - npm
@operato/headroom9.0.29.0.359.0.369.0.37 - npm
@operato/help9.0.359.0.369.0.379.0.389.0.399.0.409.0.419.0.429.0.439.0.449.0.459.0.46 - npm
@operato/i18n9.0.359.0.369.0.37 - npm
@operato/input9.0.279.0.359.0.369.0.379.0.389.0.399.0.409.0.419.0.429.0.439.0.449.0.459.0.469.0.479.0.48 - npm
@operato/layout9.0.359.0.369.0.37 - npm
@operato/popup9.0.229.0.359.0.369.0.379.0.389.0.399.0.409.0.419.0.429.0.439.0.449.0.459.0.469.0.49 - npm
@operato/pull-to-refresh9.0.369.0.379.0.389.0.399.0.409.0.419.0.42 - npm
@operato/shell9.0.229.0.359.0.369.0.379.0.389.0.39 - npm
@operato/styles9.0.29.0.359.0.369.0.37 - npm
@operato/utils9.0.229.0.359.0.369.0.379.0.389.0.399.0.409.0.419.0.429.0.439.0.449.0.459.0.469.0.49 - npm
@teselagen/bio-parsers0.4.290.4.30 - npm
@teselagen/bounce-loader0.3.160.3.17 - npm
@teselagen/file-utils0.3.210.3.22 - npm
@teselagen/liquibase-tools0.4.1 - npm
@teselagen/ove0.7.390.7.40 - npm
@teselagen/range-utils0.3.140.3.15 - npm
@teselagen/react-list0.8.190.8.20 - npm
@teselagen/react-table6.10.196.10.206.10.216.10.22 - npm
@teselagen/sequence-utils0.3.330.3.34 - npm
@teselagen/ui0.9.90.9.10 - npm
@thangved/callback-window1.1.4 - npm
@things-factory/attachment-base9.0.429.0.439.0.449.0.459.0.469.0.479.0.489.0.499.0.509.0.519.0.529.0.539.0.549.0.55 - npm
@things-factory/auth-base9.0.429.0.439.0.449.0.45 - npm
@things-factory/email-base9.0.429.0.439.0.449.0.459.0.469.0.479.0.489.0.499.0.509.0.519.0.529.0.539.0.549.0.559.0.569.0.579.0.589.0.59 - npm
@things-factory/env9.0.429.0.439.0.449.0.45 - npm
@things-factory/integration-base9.0.429.0.439.0.449.0.45 - npm
@things-factory/integration-marketplace9.0.429.0.439.0.449.0.45 - npm
@things-factory/shell9.0.429.0.439.0.449.0.45 - npm
@tnf-dev/api1.0.8 - npm
@tnf-dev/core1.0.8 - npm
@tnf-dev/js1.0.8 - npm
@tnf-dev/mui1.0.8 - npm
@tnf-dev/react1.0.8 - npm
@ui-ux-gang/devextreme-angular-rpk24.1.7 - npm
@yoobic/design-system6.5.17 - npm
@yoobic/jpeg-camera-es61.0.13 - npm
@yoobic/yobi8.7.53 - npm
airchief0.3.1 - npm
airpilot0.8.8 - npm
angulartics214.1.114.1.2 - npm
browser-webdriver-downloader3.0.8 - npm
capacitor-notificationhandler0.0.20.0.3 - npm
capacitor-plugin-healthapp0.0.20.0.3 - npm
capacitor-plugin-ihealth1.1.81.1.9 - npm
capacitor-plugin-vonage1.0.21.0.3 - npm
capacitorandroidpermissions0.0.40.0.5 - npm
config-cordova0.8.5 - npm
cordova-plugin-voxeet21.0.24 - npm
cordova-voxeet1.0.32 - npm
create-hest-app0.1.9 - npm
db-evo1.1.41.1.5 - npm
devextreme-angular-rpk21.2.8 - npm
devextreme-rpk21.2.8 - npm
ember-browser-services5.0.25.0.3 - npm
ember-headless-form1.1.21.1.3 - npm
ember-headless-form-yup1.0.1 - npm
ember-headless-table2.1.52.1.6 - npm
ember-url-hash-polyfill1.0.121.0.13 - npm
ember-velcro2.2.12.2.2 - npm
encounter-playground0.0.20.0.30.0.40.0.5 - npm
eslint-config-crowdstrike11.0.211.0.3 - npm
eslint-config-crowdstrike-node4.0.34.0.4 - npm
eslint-config-teselagen6.1.76.1.8 - npm
globalize-rpk1.7.4 - npm
graphql-sequelize-teselagen5.3.85.3.9 - npm
html-to-base64-image1.0.2 - npm
json-rules-engine-simplified0.2.10.2.30.2.4 - npm
jumpgate0.0.2 - npm
koa2-swagger-ui5.11.15.11.2 - npm
mcfly-semantic-release1.3.1 - npm
mcp-knowledge-base0.0.2 - npm
mcp-knowledge-graph1.2.1 - npm
mobioffice-cli1.0.3 - npm
monorepo-next13.0.113.0.2 - npm
mstate-angular0.4.4 - npm
mstate-cli0.4.7 - npm
mstate-dev-react1.1.1 - npm
mstate-react1.6.5 - npm
ng2-file-upload7.0.27.0.38.0.18.0.28.0.39.0.1 - npm
ngx-bootstrap18.1.419.0.319.0.420.0.320.0.420.0.520.0.6 - npm
ngx-color10.0.110.0.2 - npm
ngx-toastr19.0.119.0.2 - npm
ngx-trend8.0.1 - npm
ngx-ws1.1.51.1.6 - npm
oradm-to-gql35.0.1435.0.15 - npm
oradm-to-sqlz1.1.21.1.4 - npm
ove-auto-annotate0.0.90.0.10 - npm
pm2-gelf-json1.0.41.0.5 - npm
printjs-rpk1.6.1 - npm
react-complaint-image0.0.320.0.340.0.35 - npm
react-jsonschema-form-conditionals0.3.180.3.200.3.21 - npm
react-jsonschema-form-extras1.0.31.0.4 - npm
react-jsonschema-rxnt-extras0.4.80.4.9 - npm
remark-preset-lint-crowdstrike4.0.14.0.2 - npm
rxnt-authentication0.0.30.0.40.0.50.0.6 - npm
rxnt-healthchecks-nestjs1.0.21.0.31.0.41.0.5 - npm
rxnt-kue1.0.41.0.51.0.61.0.7 - npm
swc-plugin-component-annotate1.9.11.9.2 - npm
tbssnch1.0.2 - npm
teselagen-interval-tree1.1.2 - npm
tg-client-query-builder2.14.42.14.5 - npm
tg-redbird1.3.11.3.2 - npm
tg-seq-gen1.0.91.0.10 - npm
thangved-react-grid1.0.3 - npm
ts-gaussian3.0.53.0.6 - npm
ts-imports1.0.11.0.2 - npm
tvi-cli0.1.5 - npm
ve-bamreader0.2.60.2.7 - npm
ve-editor1.0.11.0.2 - npm
verror-extra6.0.1 - npm
voip-callkit1.0.21.0.3 - npm
wdio-web-reporter0.1.3 - npm
yargs-help-output5.0.3 - npm
yoo-styles6.0.326
npm-2025-09-shai-hulud-originalSource advisory - npm
Sources cited per card. We only list package versions named by the original advisory; we don't infer compromises. Missing something? Send it in.