Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Malware in api-ts-utils

Malware was discovered in the npm package api-ts-utils. Systems with this package installed or running should be considered fully compromised and require immediate remediation.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Any system with api-ts-utils installed or running
Ecosystems
Attack vectors
Affected entities
  • api-ts-utils

The npm package api-ts-utils was found to contain malware. According to the GitHub Security Advisory (GHSA-3w2r-9f5g-prj8), any computer with this package installed or running should be considered fully compromised.\n\nThe advisory recommends that all secrets and keys stored on affected computers be rotated immediately from a different, uncompromised system. While the package should be removed, there is no guarantee that removal will eliminate all malicious software that may have been installed as a result of the compromise.\n\nUsers should assume full system compromise and take appropriate defensive measures accordingly.

Indicators of compromise

Packages
  • api-ts-utils

Remediation

  • Immediately rotate all secrets, API keys, and credentials from a different, uncompromised computer
  • Remove the api-ts-utils package from all affected systems
  • Perform a full security audit and malware scan of any system that had this package installed
  • Review system logs and network traffic for signs of unauthorized access or data exfiltration
  • Consider the affected system(s) potentially compromised and plan for full rebuild if critical infrastructure

Sources

  1. GitHub Advisory GHSA-3w2r-9f5g-prj8 · GitHub Advisory Database

Cite this entry

"Malware in api-ts-utils." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 3, 2026; last updated July 3, 2026. https://supplychainattack.org/incident/malware-in-api-ts-utils-kjame4

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. containedcritical

    Malware in @lodash-en/lodash-en

    Malware was discovered in the npm package @lodash-en/lodash-en. Systems with this package installed are considered fully compromised and require immediate remediation.

    npmCompromised package
  2. activecritical

    Malware in @sqlite-node/createsql

    Malware was discovered in the npm package @sqlite-node/createsql. Systems with this package installed are considered fully compromised and require immediate remediation.

    npmCompromised package
  3. activecritical

    Malware in @sql-access/nodesql

    Malware discovered in the npm package @sql-access/nodesql. Systems with this package installed are considered fully compromised, with potential for complete system takeover.

    npmCompromised package
  4. containedcritical

    Malware in typescript-util-core

    The npm package typescript-util-core was found to contain malware, potentially giving attackers full control of affected systems. Any computer with this package installed or running should be considered fully compromised.

    npmCompromised package