Malware in api-ts-utils
Malware was discovered in the npm package api-ts-utils. Systems with this package installed or running should be considered fully compromised and require immediate remediation.
- Disclosed
- Last updated
- Blast radius
- Any system with api-ts-utils installed or running
- Ecosystems
- Attack vectors
- Affected entities
- api-ts-utils
The npm package api-ts-utils was found to contain malware. According to the GitHub Security Advisory (GHSA-3w2r-9f5g-prj8), any computer with this package installed or running should be considered fully compromised.\n\nThe advisory recommends that all secrets and keys stored on affected computers be rotated immediately from a different, uncompromised system. While the package should be removed, there is no guarantee that removal will eliminate all malicious software that may have been installed as a result of the compromise.\n\nUsers should assume full system compromise and take appropriate defensive measures accordingly.
Indicators of compromise
- Packages
- api-ts-utils
Remediation
- Immediately rotate all secrets, API keys, and credentials from a different, uncompromised computer
- Remove the api-ts-utils package from all affected systems
- Perform a full security audit and malware scan of any system that had this package installed
- Review system logs and network traffic for signs of unauthorized access or data exfiltration
- Consider the affected system(s) potentially compromised and plan for full rebuild if critical infrastructure
Sources
- GitHub Advisory GHSA-3w2r-9f5g-prj8 · GitHub Advisory Database
Cite this entry
"Malware in api-ts-utils." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 3, 2026; last updated July 3, 2026. https://supplychainattack.org/incident/malware-in-api-ts-utils-kjame4
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- containedcritical
Malware in @lodash-en/lodash-en
Malware was discovered in the npm package @lodash-en/lodash-en. Systems with this package installed are considered fully compromised and require immediate remediation.
npmCompromised package - activecritical
Malware in @sqlite-node/createsql
Malware was discovered in the npm package @sqlite-node/createsql. Systems with this package installed are considered fully compromised and require immediate remediation.
npmCompromised package - activecritical
Malware in @sql-access/nodesql
Malware discovered in the npm package @sql-access/nodesql. Systems with this package installed are considered fully compromised, with potential for complete system takeover.
npmCompromised package - containedcritical
Malware in typescript-util-core
The npm package typescript-util-core was found to contain malware, potentially giving attackers full control of affected systems. Any computer with this package installed or running should be considered fully compromised.
npmCompromised package