Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Malware in @kl-dolphin/swim

Malware was discovered in the npm package @kl-dolphin/swim, resulting in full system compromise of any computer with the package installed or running. The advisory recommends immediate removal of the package and rotation of all secrets and keys from a different computer.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Any system with the package installed or running
Ecosystems
npm
Attack vectors
Compromised package
Affected entities
  • @kl-dolphin/swim

A malware incident was identified in the npm package @kl-dolphin/swim, published as GitHub Advisory GHSA-rr7c-77w4-j8c8 on June 24, 2026.\n\nAccording to the advisory, any computer with this package installed or running should be considered fully compromised. The malware grants outside entities full control of affected systems.\n\nImmediate remediation steps include removing the package and rotating all secrets and keys from a different, unaffected computer. However, the advisory notes that removal of the package may not eliminate all malicious software that resulted from the installation, given the level of system compromise.\n\nUsers should assume complete loss of confidentiality and integrity on any system where this package was present.

Indicators of compromise

Packages
  • @kl-dolphin/swim

Remediation

  • Remove the @kl-dolphin/swim package immediately from all systems
  • Rotate all secrets, keys, and credentials from a different, unaffected computer
  • Assume full system compromise and conduct forensic analysis
  • Review system logs and network traffic for signs of unauthorized access or data exfiltration
  • Consider rebuilding affected systems from clean media if possible

Sources

  1. GitHub Advisory GHSA-rr7c-77w4-j8c8 · GitHub Advisory Database

Cite this entry

"Malware in @kl-dolphin/swim." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 24, 2026; last updated June 24, 2026. https://supplychainattack.org/incident/malware-in-kl-dolphin-swim-1eddrh

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

Related incidents

  1. activecritical

    Malware in pretie_x2

    The npm package pretie_x2 contains malware that grants full control of affected systems. Any computer with this package installed or running should be considered fully compromised.

    npmCompromised package
  2. activecritical

    Malware in node-vfs-polyfill

    Malware discovered in the npm package node-vfs-polyfill. Systems with this package installed are considered fully compromised and require immediate remediation.

    npmCompromised package
  3. activecritical

    Malware in markdownlint-cli2-fix

    Malware was discovered in the npm package markdownlint-cli2-fix. Systems with this package installed or running should be considered fully compromised and require immediate remediation.

    npmCompromised package
  4. containedcritical

    Malware in react-simple-utils-kit

    The npm package react-simple-utils-kit contained malware that provided full system compromise to attackers. Any computer with this package installed should be considered fully compromised and all secrets and keys rotated immediately.

    npmCompromised package