Feed
HighPublished 8 Jul 2026Updated 9 Jul 202620 packages · 254 versions

GitHub Advisory malware sweep — 20 npm packages (Claude-Code / Vue-CLI "clavue" typosquat cluster, `na-rony` throwaway sextet, tailwind-core, common-tg-service six-month sleeper) taken down 2026-07-08 / 2026-07-09

Summary

On 2026-07-08 and 2026-07-09 GitHub's Advisory Database retired ~20 CWE-506 Embedded Malicious Code npm advisories, continuing the July take-down cadence at ~20 packages/day. Two distinct clusters: a clavue / Claude-Code typosquat family (myclaude-code, clavue, clavuepro, calvuepro, clavue-agent-sdk) targeting Anthropic AI CLI developers; and a *`na-rony throwaway sextet** — six packages published by one operator between 2026-07-08 03:22–03:39 UTC. Plus a tailwind-core typosquat carrying a real 4.3.x version history and the six-month sleeper common-tg-service` with 547 versions.

typosquatcredential-theftdependency-confusion
Detected by
GitHub Advisory Database · npm Security
Also known as
2026-07-08 GHSA npm sweep · 2026-07-09 GHSA npm sweep
Ecosystems
npm
Packages tracked
20

What happened

Between 2026-07-08 and 2026-07-09 GitHub's Advisory Database published ~20 CWE-506 (Embedded Malicious Code) advisories against npm packages. Every record uses the standard "any computer that has this package installed or running should be considered fully compromised — rotate all secrets from a different computer" boilerplate. No payload write-ups accompany the GHSA texts, so defenders should treat install-time behavior as unanalyzed and assume worst case for any host that resolved these names. Combined with the 2026-07-07 sweep (~65 packages) and the 2026-07-06 sweep (~155 packages), the running July 1–9 npm-malware retirement count is ~270 packages across 7 GHSA sweeps.

Cluster 1 — Claude-Code / clavue typosquat family (campaign highlight, 5 packages)

myclaude-code, clavue, clavuepro, calvuepro, clavue-agent-sdk. Every one carries the same tell: a legitimate-looking multi-week version history burst followed by a final malicious publish. myclaude-code shipped 55 sequential versions (8.8.8 → 8.8.57 including 12 8.8.43-beta.N pre-releases) over multiple days — a persistent publish cadence that mimics an actively developed CLI. clavue carried 320+ versions spanning three months (April–July 2026) across dozens of minor-version branches (8.8.x, 8.9.x, up to 10.4.x) — the scale of a real long-lived library. clavue-agent-sdk released 29 versions from 0.2.2 up to 2.2.0 in a version-camouflage arc mimicking an SDK maturity path. calvuepro and clavuepro shipped short — calvuepro at 0.1.0, clavuepro had all versions unpublished before GHSA retire.

The target namespace is Anthropic's Claude Code CLI. myclaude-code is a direct typosquat of the vendor's @anthropic-ai/claude-code. clavue and its variants are visual typos of "claude" that a hurried developer might mistype or a plausible auto-complete miss — the letters l-a-v-u-e rearrange to l-a-u-d-e minus one character. clavue-agent-sdk extends the visual-typo playbook into the Anthropic Agent SDK naming space. Anyone who searched npm for a Claude Code CLI helper in July 2026 could plausibly have landed on one of these fakes rather than the vendor package.

Cluster 2 — na-rony* throwaway sextet (2026-07-08 03:22–03:39 UTC single-operator burst)

na-rony, na-rony-test, na-rony-test-karem, nam-os-a-man, karem-dp, rony-testing. All six published in a 17-minute window on 2026-07-08. Three landed straight on the dependency-confusion race version 99.9.9 (karem-dp, na-rony-test, rony-testing). Others had 1.1.x histories (na-rony@1.1.21.1.5).

The shared name-tokens (karem, rony, nam) suggest a targeted attack against an internal package namespace that uses those name-tokens — the operator seeded every plausible variant they could think of. This is a canonical Alex Birsan-style dependency-confusion attack. The 99.9.9 pin is the giveaway: intentionally the highest possible version to win a semver resolver race against any legitimate internal package of the same name.

Cluster 3 — Long-term sleeper: common-tg-service (547 versions, 16 months)

common-tg-service shipped 547 versions across 16 months (2025-03-05 → 2026-07-08) in four release branches:

  • 1.0.11.0.101 (101 releases, 2025-03-05 → 2025-06-12 — ~1 release/day)
  • 1.1.11.1.99 (99 releases, 2025-06-12 → 2025-08-08)
  • 1.2.11.2.100 (100 releases, 2025-08-08 → 2025-09-13)
  • 1.3.11.3.247 (247 releases, 2025-09-13 → 2026-07-08 — ~10 months of steady drip)

No legitimate Telegram service library ships at that cadence. The scale and duration are the giveaway: this is a supply-chain-farming account seeded well ahead of use, letting the package accumulate a plausible "actively-maintained" appearance before the final malicious tag lands. Any dep-graph tooling that ranks packages by "activity" or "release frequency" would have rated common-tg-service highly.

Cluster 4 — tailwind-core (version-history typosquat with 4.3.x alignment)

tailwind-core@0.0.0, 4.3.0, 4.3.1, 4.3.2. The version numbers 4.3.0–4.3.2 are deliberately aligned to the real tailwindcss 4.3.x release train (2026-Q2), giving the fake plausible version-number legitimacy against anyone searching npm for "tailwind core". The canonical Tailwind slugs are tailwindcss (main) and @tailwindcss/* scoped official plugins — there is no first-party tailwind-core package.

Cluster 5 — Continuations from earlier July sweeps

  • promo-helper@1.0.01.0.16 — 16 sequential versions.
  • ams-ssk@1.0.01.0.33 (gap at 1.0.10, 1.0.30, 1.0.32) — 32 versions.
  • mci-sdk@1.2.81.2.13 — 6 versions.
  • @vite-ln/build-ts@5.15.10, 5.17.0 — scoped throwaway (@vite-ln) targeting Vite naming space.
  • vite-json-pwa@1.1.1, 1.1.2 — Vite PWA plugin squat; canonical is vite-plugin-pwa.
  • gas-log@1.1.0, 1.1.1 — GAS (Google Apps Script) log helper squat.

Cluster 6 — @calm2026/imux scoped throwaway

@calm2026/imux@1.9.1, 1.10.0, 1.10.2, 1.10.3, 1.10.4, 1.11.0. Six versions of an "imux" package in a throwaway @calm2026 scope. Scoped throwaway namespaces indicate an operator farming a specific naming space for one payload slot at a time — same pattern as the @sqlite-list/* / @sqlite-access/* continuations from the 2026-07-07 sweep.

Contrast with recent sweeps

| Date | Packages | Notes | |---|---|---| | 2026-07-02 | 9 | Tailwind + db-* cluster | | 2026-07-03 | 14 | TypeScript / API family + @sql-* scopes | | 2026-07-06 | ~155 | Largest 2026 sweep | | 2026-07-07 | ~65 | AI-SDK typosquats + Solana base58 | | 2026-07-08 / 2026-07-09 | ~20 | Claude-Code typosquat cluster + na-rony sextet + common-tg-service sleeper |

Registry state

Every package now resolves to a 0.0.1-security holding tarball owned by npm Security. Historical version tarballs may remain fetchable from the CDN for 24–72 hours after the security replacement lands and should be treated as live malware in any lockfile hit.

Affected packages (20)

  • npm@calm2026/imux
    1.9.11.10.01.10.21.10.31.10.41.11.0
  • npm@vite-ln/build-ts
    5.15.105.17.0
  • npmams-ssk
    1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.111.0.121.0.131.0.141.0.151.0.161.0.171.0.181.0.191.0.201.0.211.0.221.0.231.0.241.0.251.0.261.0.271.0.281.0.291.0.311.0.33
  • npmcalvuepro
    0.1.0
  • npmclavue
    8.8.578.9.08.9.18.9.29.0.09.0.19.0.29.0.39.0.49.0.59.0.69.0.79.1.09.1.19.2.09.2.19.2.29.2.39.2.49.3.09.4.09.4.19.4.29.4.39.4.49.4.59.4.69.4.79.4.89.4.99.4.109.4.119.5.09.5.19.5.29.6.09.6.19.7.09.7.19.7.29.7.39.8.09.8.19.9.09.10.09.10.19.10.29.10.39.10.49.11.09.11.19.11.29.11.39.11.49.11.59.11.69.11.79.12.09.13.09.14.09.14.19.15.09.16.09.22.09.26.010.0.110.0.210.0.310.0.410.1.010.1.110.1.210.1.310.2.010.2.110.2.210.2.310.2.410.3.010.3.110.3.210.4.010.4.110.4.2
  • npmclavue-agent-sdk
    0.2.20.2.30.2.40.2.50.2.60.2.70.2.80.2.90.3.00.3.10.4.00.5.00.6.00.6.10.7.00.7.10.7.20.7.30.7.40.8.00.9.01.0.11.0.21.0.31.0.41.0.51.0.62.0.02.2.0
  • npmclavuepro
    1.0.0
  • npmcommon-tg-service
    1.0.1011.1.991.2.1001.3.247
  • npmgas-log
    1.1.01.1.1
  • npmkarem-dp
    99.9.9
  • npmmci-sdk
    1.2.81.2.91.2.101.2.111.2.121.2.13
  • npmmyclaude-code
    8.8.88.8.98.8.118.8.128.8.138.8.148.8.168.8.178.8.188.8.198.8.208.8.218.8.228.8.238.8.248.8.258.8.268.8.278.8.288.8.308.8.318.8.328.8.338.8.348.8.358.8.378.8.388.8.398.8.408.8.418.8.428.8.43-beta.08.8.43-beta.18.8.43-beta.28.8.43-beta.38.8.43-beta.48.8.43-beta.58.8.43-beta.68.8.43-beta.78.8.43-beta.88.8.43-beta.98.8.43-beta.108.8.43-beta.118.8.448.8.458.8.468.8.478.8.488.8.498.8.508.8.518.8.528.8.538.8.548.8.558.8.568.8.57
  • npmna-rony
    1.1.21.1.31.1.41.1.599.9.9
  • npmna-rony-test
    99.9.9
  • npmna-rony-test-karem
    1.0.0
  • npmnam-os-a-man
    1.0.0
  • npmpromo-helper
    1.0.01.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.111.0.121.0.131.0.141.0.151.0.16
  • npmrony-testing
    99.9.9
  • npmtailwind-core
    0.0.04.3.04.3.14.3.2
  • npmvite-json-pwa
    1.1.11.1.2

Impact

  • Any host that installed any of the ~20 packages listed below should be treated as fully compromised — every GHSA record uses the boilerplate CWE-506 "rotate all secrets from a different computer" language, and no patched version exists for any of them
  • Claude-Code / clavue typosquat cluster — five names (myclaude-code, clavue, clavuepro, calvuepro, clavue-agent-sdk) targeting developers using Anthropic's Claude Code CLI. clavue shipped 320+ versions across three months (April–July 2026), presenting as a "clave"-style credential-manager library before landing the final poisoned publish. clavue-agent-sdk shipped 29 legitimate-looking versions from 0.2.2 up to 2.2.0 in a version-camouflage arc that mimics a real Agent SDK release history. myclaude-code published ~55 sequential versions (8.8.8–8.8.57 including 12 beta pre-releases) — a persistent multi-day publish burst designed to look like an active project. Anyone who typed npm install claude-code, clavue, or clavue-agent-sdk when they meant @anthropic-ai/claude-code grabbed malware
  • *`na-rony throwaway sextet** — six packages published in a 17-minute window on 2026-07-08 03:22–03:39 UTC by one operator: na-rony, na-rony-test, na-rony-test-karem, nam-os-a-man, karem-dp, rony-testing. Half went straight to the placeholder version 99.9.9 (the classic dependency-confusion race pin — a version so high it wins the resolver against any internal namesake). Others had 1.1.x histories. Signature of a single operator seeding a naming space, likely for a targeted org — the shared karem / rony / nam` tokens suggest human-name-based internal package targeting
  • common-tg-service — a 547-version six-month sleeper. Published across four release branches (1.0.x, 1.1.x, 1.2.x, 1.3.x) between 2025-03-05 and 2026-07-08 — 16 months of camouflage before the final malicious publish. The scale (547 versions, ~1.5/day sustained cadence) is the giveaway: no legitimate Telegram service library releases at that rate. Almost certainly a supply-chain-farming account seeded well ahead of use
  • tailwind-core typosquat — carried versions 0.0.0, 4.3.0, 4.3.1, 4.3.2. The 4.3.x range deliberately overlaps the real tailwindcss 4.3.x release train (2026-Q2), giving the fake plausible version-number legitimacy against anyone searching for "tailwind core". The canonical slugs are tailwindcss (main) and @tailwindcss/* (scoped official plugins) — there is no first-party tailwind-core package
  • Continuation packages from earlier July sweeps: promo-helper (1.0.0–1.0.16), ams-ssk (1.0.0–1.0.33, no 1.0.10 or 1.0.30), mci-sdk (1.2.8–1.2.13), @vite-ln/build-ts (5.15.10, 5.17.0 — Vite naming space), vite-json-pwa (1.1.1, 1.1.2 — Vite PWA plugin squat), gas-log (1.1.0, 1.1.1)
  • @calm2026 scoped throwaway@calm2026/imux shipped 6 versions (1.9.1 → 1.11.0) in the imux naming space; scoped throwaway namespaces (@calm2026) are a strong indicator that the operator was farming a specific naming space for one payload slot at a time
  • Long-tail live-time slugs: common-tg-service was live for 16 months, clavue for 3 months, clavue-agent-sdk for weeks with 29 progressively-published versions. Anyone using a version-range resolver (^1.0.0, latest) that pulled the final poisoned tag would have installed malware on the first npm install after the retire date

What to do

  1. 1Grep every lockfile (package-lock.json, yarn.lock, pnpm-lock.yaml) for each name in the packages map below. Any match is a supply-chain incident: rotate every credential the build runner could reach and re-image the build host
  2. 2If you resolved any of myclaude-code, clavue, clavuepro, calvuepro, or clavue-agent-sdk: these are not legitimate AI CLI packages. The canonical Anthropic slug is @anthropic-ai/claude-code — no other Claude-adjacent name should resolve on npm. Rotate every Anthropic API key, GitHub PAT, and shell-history-visible secret that touched the affected host
  3. 3If your build resolved any na-rony*, nam-os-a-man, karem-dp, or rony-testing name: these are targeted dependency-confusion attempts (three of the six landed on 99.9.9). Any internal package with a similar name at your org should be treated as a potential leak of the internal naming — audit private-registry logs for who was resolving that name and when. Rotate CI/CD secrets on any host that ran an affected install
  4. 4If your build resolved tailwind-core@4.3.x: the canonical Tailwind package is tailwindcss (the main framework) or @tailwindcss/* for official plugins. The 4.3.x version alignment was chosen to look plausible against the real Tailwind 4.3 release train — check any CSS-tooling dependency added recently against the official Tailwind registry entry
  5. 5If your build resolved common-tg-service: the six-month version history was camouflage. Assume malware was live from the final poisoned tag onward — check the exact resolved version in your lockfile against the retired advisory. Any Telegram bot / channel token that was reachable from the build host should be rotated
  6. 6@vite-ln/build-ts and vite-json-pwa are typosquats of the Vite / Vite PWA ecosystem. The canonical Vite scope is vite and @vitejs/*; PWA plugin is vite-plugin-pwa. Any recent Vite plugin addition should be cross-checked against these official slugs
  7. 7Verify none of the ~20 listed packages still resolves via your private mirror — internal Artifactory / Nexus / Verdaccio instances routinely cache tarballs and will keep serving the malicious versions after the public yank

References

npm-2026-07-08-ghsa-malware-sweep