GitHub Advisory malware sweep — ~65 npm packages (AI-SDK typosquat cluster, Solana base58/wallet drainers, SQLite scoped fakes, Nuxt/Chai continuation) taken down 2026-07-07 / 2026-07-08
On 2026-07-07 GitHub's Advisory Database retired ~65 CWE-506 Embedded Malicious Code npm advisories (plus a small 2-package 2026-07-08 tail), the second-largest single-day 2026 GHSA npm-malware sweep after 2026-07-06. Distinct clusters: an AI-SDK typosquat family (openai-agents-helpers, ollama-helpers, anthropic-toolkit, @langgraphjs/toolkit, ai-sdk-helpers, mcp-server-pg), Solana base58 wallet-drainer names, @sqlite-list/* / @sqlite-access/* throwaway scopes, Nuxt/Chai continuations, plus the whs4_* sextet.
- Detected by
- GitHub Advisory Database · npm Security
- Also known as
- 2026-07-07 GHSA npm sweep · 2026-07-08 GHSA npm sweep
- Ecosystems
- npm
- Packages tracked
- 62
What happened
Between 2026-07-07 and 2026-07-08 GitHub's Advisory Database published ~65 CWE-506 (Embedded Malicious Code) advisories against npm packages, running to about the same size as the 2026-07-06 sweep. Every record uses the standard "any computer that has this package installed or running should be considered fully compromised — rotate all secrets from a different computer" boilerplate. No payload write-ups accompany the GHSA texts, so defenders should treat install-time behavior as unanalyzed and assume worst case for any host that resolved these names.
Cluster 1 — AI SDK typosquats (6 packages, campaign highlight)
openai-agents-helpers, ollama-helpers, anthropic-toolkit, @langgraphjs/toolkit, ai-sdk-helpers, mcp-server-pg. All six carry the exact same tell: a version-camouflage history burst (20+ throwaway versions rapidly published over a few minutes in June to look like a mature library) followed by a fresh malicious 1.x.x publish at 2026-07-07 13:22 UTC — every one in the same 3-minute window. Example: ai-sdk-helpers published 22 versions on 2026-06-03 20:31 UTC (all 4-second intervals — a bulk-publish script), then bumped 1.4.4 → 1.4.5 on 2026-07-07 13:22:25. The pattern targets latest-tag pulls and ^-range resolvers: any repo pinned to the previous version tag would upgrade to the poisoned tag on the next npm install. The legitimate SDK slugs those names impersonate: openai (OpenAI SDK), ollama, @anthropic-ai/sdk, @langchain/langgraph, ai (Vercel AI SDK), @modelcontextprotocol/server-postgres.
Cluster 2 — Solana base58 wallet-drainer (5 packages)
base58-core@1.0.0–1.0.12 (12 versions, 2026-06-24 → 2026-07-05), base58-cli@1.0.0–1.0.5, crypto-base58@1.0.0–1.0.4, typescript-base58@1.0.0, solana-address-codec@1.0.0–1.0.5. All hit 1.0.x version ranges typical of a fresh crypto-helper package. Six weeks of live time on the "helper for Solana address encoding" naming space — anyone who searched npm for base58 and picked a helper-flavored slug (rather than the canonical bs58) is at risk. solana-address-codec in particular is a plausible drop-in for developers used to the Solana Kit ecosystem's @solana/addresses scoped package.
Cluster 3 — @sqlite-list/* / @sqlite-access/* scoped throwaways (4 packages)
@sqlite-list/schema-generator, @sqlite-list/createsql, @sqlite-list/sql-creator, @sqlite-access/nodesql. Direct continuation of the 2026-07-03 GHSA sweep's @sql-access/nodesql / @sqlite-node/createsql / @sql-trigger/nodesql cluster — same throwaway-scope model where each namespace holds exactly one malware slot. All four published between 2026-07-03 19:04 UTC and 19:40 UTC — one 36-minute burst. The operator behind the July 3 SQL-scoped cluster is still active.
Cluster 4 — Nuxt / dependency-confusion (7 packages, 99.0.x)
nuxt-fonts-devtools@99.0.3, load-nuxt@99.0.3, load-nuxt-dev@99.0.3, some-theme@99.0.3, nonexistent-package@99.0.3, hook-augmenting-module@99.0.3 (all 2026-07-03 04:33–04:44 UTC — 11-minute burst) and gen-ai-opt-in@99.0.0–99.0.2 (2026-07-05). The shared 99.0.x version-number is the giveaway: an intentionally-high version to win a dependency-confusion race against an internal package of the same name. This is a canonical Alex Birsan-style dependency-confusion attack — one operator, one build script, six near-simultaneous publishes targeting names that plausibly appear in a private Nuxt/Vue registry namespace at a target org.
Cluster 5 — Chai / Express / Tailwind continuations
- Chai:
chai-sdk@1.4.7/1.4.8,chai-spycore@1.1.0/1.5.3,chai-chain-dom@1.3.7–1.3.9. Continues thechai-as-*matcher-squat cluster from 2026-07-06. - Express:
express-firegate@1.3.5–1.6.9(12 versions running back to 2026-05-12),express-deflect@1.3.1–1.6.12(running back to 2026-05-12, then a 2026-07-06 top-up publish at 1.6.10/1.6.12). Fake middleware slugs — the legitimate Express security middleware ecosystem ishelmet,express-rate-limit,csurf. - Tailwind:
tailwind-animator-scroll@1.7.0(2026-06-11),tailwindcss-effector@1.7.0(2026-06-22). Continues the Tailwind theme from 2026-07-02.
Cluster 6 — whs4_* sextet (single-operator burst, 2026-07-05)
@whs4/whs4_npm, whs4_npm, whs4_pnm, whs4_nmp, wsh4-nmp, wsh4_npm, whs4_npm_test. All published between 15:03 and 15:38 UTC on 2026-07-05 — 35 minutes for one operator to grab every near-miss variant of the target slug (whs4_npm). This is either a CTF/testing account or a naming-space grab attempt. Whatever the intent, GHSA classified every one as CWE-506 embedded malicious code.
Cluster 7 — Miscellaneous (~30 packages)
The remainder is the usual long tail of individual typosquats and throwaway names: evm-typechain@0.5.4 (Ethereum tooling squat — the canonical slug is typechain), polytrade@2.4.1 (Polymarket-adjacent), hello244a (45 versions of a single-file publish burst), nodemon-node@3.1.16 and ts-await@3.1.8 (published 2026-07-07 19:49/19:51 UTC, both retired 2026-07-08 — a 24-hour turnaround GHSA sweep), runtimedev-link (13 versions), zredis-typed, zod-pino434/zod-pino444, pinokio-redis (Pino/Redis/Zod naming space), warp-dependency, sypoi1, syco1, polytrade, debugcli, tx-guard-snap, jsf-utils, notifier-utils, hello244a, rnx-align-deps, annotator-harvardx, shopify-internel (typosquat of @shopify/*), harmony-enablers-test-2026, @43uh3ig43/telemetry-client, brunomenozzi-test-pkg, @apexcraft/nano-key, @engagehub/test-claim, @engagehub/core, @aspect-security/argon2 (argon2 typosquat — dangerous given argon2 is a password-hashing lib).
Contrast with recent sweeps
| Date | Packages | Notes | |---|---|---| | 2026-06-30 | 5 | Small sweep | | 2026-07-02 | 9 | Tailwind + db-* cluster | | 2026-07-03 | 14 | TypeScript/API family + @sql-* scopes | | 2026-07-06 | ~155 | Largest 2026 sweep | | 2026-07-07 | ~65 | *AI-SDK typosquats + Solana base58 + `@sqlite-` continuation** |
Combined July 1–8 npm-malware retirement count: ~250 packages across 6 GHSA sweeps — a step-change in the platform's take-down cadence.
Registry state
Every package now resolves to a 0.0.1-security holding tarball owned by npm Security. Historical version tarballs may remain fetchable from the CDN as of 2026-07-08 and should be treated as live malware in any lockfile hit — the CDN retention window for withdrawn npm versions typically runs 24–72 hours after the security replacement lands.
Affected packages (62)
- npm
@43uh3ig43/telemetry-client99.0.1 - npm
@apexcraft/nano-key1.2.41.2.51.3.21.3.3 - npm
@aspect-security/argon21.0.01.0.1 - npm
@engagehub/core99.0.0 - npm
@engagehub/test-claim1.0.0 - npm
@langgraphjs/toolkit1.2.13 - npm
@sqlite-access/nodesql1.0.2 - npm
@sqlite-list/createsql1.0.0 - npm
@sqlite-list/schema-generator1.0.2 - npm
@sqlite-list/sql-creator1.0.61.0.7 - npm
ai-sdk-helpers1.4.5 - npm
annotator-harvardx9.0.2 - npm
anthropic-toolkit1.3.1 - npm
base58-cli1.0.01.0.11.0.21.0.31.0.41.0.5 - npm
base58-core1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.101.0.111.0.12 - npm
brunomenozzi-test-pkg1.0.0 - npm
chai-chain-dom1.3.71.3.81.3.9 - npm
chai-sdk1.4.71.4.8 - npm
chai-spycore1.1.01.5.3 - npm
crypto-base581.0.01.0.11.0.21.0.31.0.4 - npm
debugcli4.3.44.3.54.3.64.3.74.3.84.3.94.4.1 - npm
evm-typechain0.5.4 - npm
express-deflect1.3.11.6.91.6.101.6.12 - npm
express-firegate1.3.51.4.01.4.51.4.61.5.11.5.51.6.11.6.31.6.51.6.71.6.81.6.9 - npm
gen-ai-opt-in99.0.099.0.199.0.2 - npm
harmony-enablers-test-20261.0.0 - npm
hello244a1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.111.0.121.0.131.0.141.0.151.0.161.0.171.0.181.0.191.0.201.0.211.0.221.0.231.0.241.0.251.0.261.0.271.0.281.0.291.0.301.0.311.0.321.0.331.0.341.0.351.0.361.0.371.0.381.0.391.0.401.0.411.0.421.0.431.0.441.0.45 - npm
hook-augmenting-module99.0.3 - npm
jsf-utils0.3.11.3.1 - npm
load-nuxt99.0.3 - npm
load-nuxt-dev99.0.3 - npm
mcp-server-pg0.1.00.1.10.1.20.1.30.2.00.2.10.3.00.3.10.4.00.5.00.6.00.7.00.8.00.9.01.0.01.0.11.1.01.1.11.2.01.2.11.2.2 - npm
nodemon-node3.1.16 - npm
nonexistent-package99.0.3 - npm
notifier-utils1.3.71.3.81.3.91.4.0 - npm
nuxt-fonts-devtools99.0.3 - npm
ollama-helpers1.2.3 - npm
openai-agents-helpers1.3.3 - npm
pinokio-redis1.0.127 - npm
polytrade2.4.1 - npm
rnx-align-deps99.0.7 - npm
runtimedev-link1.0.01.0.11.0.21.0.31.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.14 - npm
shopify-internel99.0.1 - npm
solana-address-codec1.0.01.0.11.0.21.0.31.0.41.0.5 - npm
some-theme99.0.3 - npm
syco11.0.31.0.41.0.5 - npm
sypoi11.0.01.0.11.0.2 - npm
tailwind-animator-scroll1.7.0 - npm
tailwindcss-effector1.7.0 - npm
ts-await3.1.8 - npm
tx-guard-snap1.0.0 - npm
typescript-base581.0.0 - npm
warp-dependency1.0.01.0.1 - npm
whs4_nmp1.0.01.0.1 - npm
whs4_npm1.0.0 - npm
whs4_npm_test1.0.01.0.11.0.21.0.3 - npm
whs4_pnm1.0.0 - npm
wsh4_npm1.0.0 - npm
wsh4-nmp1.0.0 - npm
zod-pino4341.0.1271.0.128 - npm
zod-pino4441.0.1281.0.1291.0.1301.0.131 - npm
zredis-typed1.0.127
Impact
- Any host that installed any of the ~65 packages listed below should be treated as fully compromised — every GHSA record uses the boilerplate CWE-506 "rotate all secrets from a different computer" language, and no patched version exists for any of them
- The AI-SDK typosquat cluster (
openai-agents-helpers,ollama-helpers,anthropic-toolkit,@langgraphjs/toolkit,ai-sdk-helpers,mcp-server-pg) targets developers pasting AI SDK setup snippets. All six landed on their latest tag with a fresh1.x.xpublish at 2026-07-07 13:22 UTC — same 3-minute window, five of the six had accumulated 20+ prior versions in a version-history-camouflage burst on 2026-06-23 to 2026-06-29 to look legitimate before the malicious tag landed - The Solana base58 wallet-drainer cluster (
base58-core,base58-cli,crypto-base58,typescript-base58,solana-address-codec) has 30+ combined versions dating back to 2026-06-24 — six weeks of live time on a "helper for Solana address encoding" naming space. If anyone on a build host also holds a Solana wallet key, the exposure window is up to six weeks - The
@sqlite-list/*(schema-generator, createsql, sql-creator) and@sqlite-access/nodesqlcluster continues the 2026-07-03 GHSA sweep's@sql-access/nodesql/@sqlite-node/createsqlpattern — same throwaway-scope model, same "one malware slot per personal namespace" operator behavior, still active four days after the last take-down - The
whs4_*cluster (7 near-identical typosquats —whs4_npm,whs4_pnm,whs4_nmp,wsh4-nmp,wsh4_npm,whs4_npm_test,@whs4/whs4_npm) all published in a 30-minute window on 2026-07-05 15:03–15:38 UTC. Signature of a single operator or CTF/testing account grabbing every near-miss slug before publishing the final target - Continuation packages from earlier July sweeps:
chai-spycore,chai-sdk,chai-chain-dom(Chai matcher squats, extending the 2026-07-06 chai-as-* cluster);tailwind-animator-scroll,tailwindcss-effector(Tailwind theme, extending 2026-07-02 / 2026-07-06);express-firegate,express-deflect(Express middleware fakes, running since 2026-05-12) - The Nuxt cluster (
nuxt-fonts-devtools,load-nuxt,load-nuxt-dev,some-theme,nonexistent-package,hook-augmenting-module,gen-ai-opt-in) all shipped identical99.0.xversion numbers — the99.0.3collision across five names indicates one publisher, one build script, and a plausible dependency-confusion attempt targeting an internal Nuxt module namespace - Very-long-tail live-time slugs:
openai-agents-helpers/ollama-helpers(22+ prior burst versions),anthropic-toolkit(20+ burst versions),ai-sdk-helpers(24+ burst versions),@apexcraft/nano-key(4 versions across 10 days in June). Anyone using a version-range resolver (^1.0.0,latest) that pulled the final poisoned tag would have installed malware on the firstnpm installafter 2026-07-07 13:22 UTC
What to do
- 1Grep every lockfile (
package-lock.json,yarn.lock,pnpm-lock.yaml) for each name in the packages map below — ~65 names is too many to eyeball. Any match is a supply-chain incident: rotate every credential the build runner could reach and re-image the build host - 2If you resolved any of
openai-agents-helpers,ollama-helpers,anthropic-toolkit,@langgraphjs/toolkit,ai-sdk-helpers, ormcp-server-pg: these are not legitimate SDKs. The canonical AI-SDK slugs areopenai,ollama,@anthropic-ai/sdk,@langchain/langgraph,ai(Vercel), and@modelcontextprotocol/*scoped packages. Anyone who typed a plausible-sounding "helper" or "toolkit" variant grabbed malware — rotate every AI provider API key that touched the affected host - 3If your build ever resolved a
base58-*,crypto-base58,typescript-base58, orsolana-address-codecname: treat as a Solana wallet compromise. Any wallet key, seed phrase, or exchange API key on the machine should be moved. The legitimate slugs arebs58and@solana/web3.js - 4If your build resolved any
@sqlite-list/*or@sqlite-access/*name: the mainstream slugs arebetter-sqlite3,sqlite3, or@libsql/*. There is no legitimate@sqlite-listor@sqlite-accesspublisher scope on npm - 5For the Nuxt cluster (
nuxt-fonts-devtools,load-nuxt,load-nuxt-dev,some-theme,nonexistent-package,hook-augmenting-module,gen-ai-opt-in) — the tell is the shared99.0.3version pin. If you see any dep resolve to99.0.xon an unfamiliar Nuxt-adjacent package, treat as dependency-confusion malware and check whether any internal package of the same name should have won the resolution - 6Verify none of the ~65 listed packages still resolves via your private mirror — internal Artifactory / Nexus / Verdaccio instances routinely cache tarballs and will keep serving the malicious versions after the public yank
- 7Add the
@sqlite-list,@sqlite-access,@engagehub,@43uh3ig43, and the AI-SDK "helpers/toolkit/kit" suffix pattern to a review gate on any package addition — the malware operators have been farming these exact naming spaces across three consecutive weeks
References
- GitHubGitHub Advisory Database — recent npm malware advisoriesgithub.com
- GitHubGHSA-3mxc-g5f6-qr8c — openai-agents-helpers malware advisorygithub.com
- GitHubGHSA-73pg-hv45-6r54 — ollama-helpers malware advisorygithub.com
- GitHubGHSA-c7v6-f7mc-9crv — anthropic-toolkit malware advisorygithub.com
- GitHubGHSA-pq32-2vxj-cr62 — @langgraphjs/toolkit malware advisorygithub.com
- GitHubGHSA-w43g-ccrm-v8xv — ai-sdk-helpers malware advisorygithub.com
- GitHubGHSA-cfv7-74pc-vmff — mcp-server-pg malware advisorygithub.com
- GitHubGHSA-9jx5-jcp6-qmqq — solana-address-codec malware advisorygithub.com
- GitHubGHSA-3439-q8cv-mg5v — base58-core malware advisorygithub.com
- GitHubGHSA-frf3-wxv2-p559 — crypto-base58 malware advisorygithub.com
- GitHubGHSA-2859-847v-c4v9 — @sqlite-list/schema-generator malware advisorygithub.com
- GitHubGHSA-www8-7fg3-xg79 — @sqlite-list/createsql malware advisorygithub.com
- GitHubGHSA-m2mh-6v6x-qh4f — @sqlite-access/nodesql malware advisorygithub.com
- GitHubGHSA-hw4h-mjrw-4qv9 — nuxt-fonts-devtools malware advisorygithub.com
- GitHubGHSA-qqp7-wmv2-mp34 — load-nuxt malware advisorygithub.com
- GitHubGHSA-58j3-rgh4-9rjc — nodemon-node malware advisorygithub.com
- GitHubGHSA-xpmf-x27p-9vcc — ts-await malware advisorygithub.com
- GitHubGHSA-3wm9-8rfp-wp25 — whs4_npm malware advisorygithub.com
- GitHubGHSA-4fc4-v9cp-846x — @aspect-security/argon2 malware advisorygithub.com
- GitHubGHSA-r7mv-rcm7-x7m3 — polytrade malware advisorygithub.com