Skip to content
supplychainattack.orgSupply chain attack incident catalog
activecritical

Malware in node-vfs-polyfill

Malware discovered in the npm package node-vfs-polyfill. Systems with this package installed are considered fully compromised and require immediate remediation.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Any system with node-vfs-polyfill installed or running
Ecosystems
npm
Attack vectors
Compromised package
Affected entities
  • node-vfs-polyfill

The npm package node-vfs-polyfill has been identified as containing malware. According to the GitHub Advisory (GHSA-89vx-wfvc-j58f), any computer with this package installed or running should be considered fully compromised.\n\nThe advisory recommends that all secrets and keys stored on affected computers be rotated immediately from a different, uncompromised system. While the package should be removed, there is no guarantee that removal will eliminate all malicious software that may have been installed as a result of the compromise.\n\nThis represents a critical supply chain attack through a compromised npm package with potential for complete system compromise.

Indicators of compromise

Packages
  • node-vfs-polyfill

Remediation

  • Immediately isolate any system with node-vfs-polyfill installed from the network
  • Rotate all secrets, API keys, and credentials from a different, uncompromised computer
  • Remove the node-vfs-polyfill package from all systems
  • Perform a full security audit and malware scan of affected systems
  • Review system logs and access logs for signs of unauthorized activity
  • Consider full system reimaging if the system handles sensitive data or credentials

Sources

  1. GitHub Advisory GHSA-89vx-wfvc-j58f · GitHub Advisory Database

Cite this entry

"Malware in node-vfs-polyfill." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 24, 2026; last updated June 24, 2026. https://supplychainattack.org/incident/malware-in-node-vfs-polyfill-1jl8sk

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

Related incidents

  1. activecritical

    Malware in tailwind-textform-fill

    Malware discovered in the npm package tailwind-textform-fill. Systems with this package installed are considered fully compromised and require immediate remediation.

    npmCompromised package
  2. activecritical

    Malware in postcss-minify-selector

    Malware discovered in the npm package postcss-minify-selector. The package is considered to provide full system compromise to any computer where it is installed or running.

    npmCompromised package
  3. activecritical

    Malware in vscode-test-web

    Malware discovered in the npm package vscode-test-web. The package grants full system compromise to attackers, requiring immediate removal and credential rotation from a clean system.

    npmCompromised package
  4. containedcritical

    Malware in opt-archetype-check

    Malware was discovered in the npm package opt-archetype-check, resulting in full system compromise for any computer with the package installed or running. All secrets and keys on affected systems should be rotated immediately from a different computer.

    npmCompromised package