Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Malware in comos-sdk

Malware was discovered in the npm package comos-sdk, resulting in full system compromise for any installation. The package should be removed and all secrets and keys rotated from a clean system.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Any system with comos-sdk installed or running
Ecosystems
npm
Attack vectors
Compromised package
Affected entities
  • comos-sdk

A malware-laden version of the npm package comos-sdk was identified and published to the npm registry. Installation or execution of this package grants an outside entity full control of the affected computer.\n\nAny system with comos-sdk installed or running should be considered fully compromised. All secrets, keys, and credentials stored on affected systems must be rotated immediately from a different, uncompromised computer.\n\nWhile the package should be removed, complete remediation cannot be guaranteed due to the potential for persistent malicious software to remain on the system after package removal.\n\nThe incident was disclosed via GitHub Advisory GHSA-xr7v-2mxc-cw5x on 2026-06-09.

Indicators of compromise

Packages
  • comos-sdk

Remediation

  • Immediately remove the comos-sdk package from all systems
  • Rotate all secrets, keys, and credentials from a clean, uncompromised computer
  • Assume full system compromise and conduct forensic analysis
  • Monitor affected systems for signs of persistent malware or unauthorized access
  • Review system logs for any suspicious activity during the period comos-sdk was installed

Sources

  1. GitHub Advisory GHSA-xr7v-2mxc-cw5x · GitHub Advisory Database

Cite this entry

"Malware in comos-sdk." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 9, 2026; last updated June 9, 2026. https://supplychainattack.org/incident/malware-in-comos-sdk-15vzh4

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

Related incidents

  1. activecritical

    Malware in @doaction/auth

    Malware discovered in the npm package @doaction/auth. Systems with this package installed are considered fully compromised and require immediate remediation.

    npmCompromised package
  2. containedcritical

    Malware in @doaction/shared

    Malware was discovered in the npm package @doaction/shared. Systems with this package installed are considered fully compromised and require immediate remediation.

    npmCompromised package
  3. containedcritical

    Malware in transacts

    The npm package transacts was found to contain malware, resulting in full system compromise of any computer with the package installed or running. All secrets and keys should be rotated immediately from a different computer, and the package should be removed.

    npmCompromised package
  4. containedcritical

    Malware in buffer-utilities

    Malware was discovered in the npm package buffer-utilities, resulting in full system compromise for any installation. The package should be removed immediately and all secrets and keys rotated from a clean system.

    npmCompromised package