Malware in argoncrypt
The npm package argoncrypt was found to contain malware, resulting in full system compromise of any computer with the package installed or running. All secrets and keys on affected systems should be rotated immediately from a different computer.
- Disclosed
- Last updated
- Blast radius
- Any system with argoncrypt installed or running
- Ecosystems
- Attack vectors
- Affected entities
- argoncryptnpm package containing malware
The npm package argoncrypt was identified as containing malware. According to the GitHub advisory, any computer that has this package installed or running should be considered fully compromised.\n\nThe advisory recommends that all secrets and keys stored on affected computers be rotated immediately from a different, unaffected computer. While the package should be removed, the advisory notes that full control of the computer may have been given to an outside entity, so there is no guarantee that removing the package will remove all malicious software resulting from the installation.\n\nThis represents a critical supply chain attack through a compromised npm package with potential for widespread impact across all systems where argoncrypt was installed.
Indicators of compromise
- Packages
- argoncrypt
Remediation
- Immediately rotate all secrets and keys from a different, unaffected computer
- Remove the argoncrypt package from all affected systems
- Conduct a full security audit of any system that had argoncrypt installed
- Monitor affected systems for signs of unauthorized access or persistence mechanisms
- Consider full system reimaging if compromise is suspected
Sources
- GitHub Advisory GHSA-h3m2-g8jh-9p37 · GitHub Advisory Database
Cite this entry
"Malware in argoncrypt." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 10, 2026; last updated June 10, 2026. https://supplychainattack.org/incident/malware-in-argoncrypt-crib43
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- containedcritical
Malware in flow-lending
The npm package flow-lending was found to contain malware, resulting in full system compromise of any computer with the package installed or running. GitHub Security Advisory GHSA-pgcr-8w67-72j9 was published on 2026-06-16.
npmCompromised package - containedcritical
Malware in flow-lending-sdk
Malware was discovered in the npm package flow-lending-sdk. Systems with this package installed or running are considered fully compromised, with potential for complete system takeover.
npmCompromised package - containedcritical
Malware in janus-flow
Malware was discovered in the npm package janus-flow, resulting in full system compromise of any computer with the package installed or running. All secrets and keys on affected systems should be rotated immediately from a different computer.
npmCompromised package - containedcritical
Malware in ttspc-server-sample
The npm package ttspc-server-sample contains malware that grants full control of affected systems. Any computer with this package installed or running should be considered fully compromised.
npmCompromised package