Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Malware in nolimit-x

The npm package nolimit-x was compromised and distributed with malware. Any computer with this package installed should be considered fully compromised and all secrets and keys rotated immediately from a different machine.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Any system with nolimit-x installed
Ecosystems
npm
Attack vectors
Compromised package
Affected entities
  • nolimit-xnpm package

The npm package nolimit-x was identified as containing malware and published on GitHub's advisory system (GHSA-cp8c-2xwh-q227) on 2026-06-25. According to the advisory, any computer that has this package installed or running should be considered fully compromised.\n\nThe advisory recommends that all secrets and keys stored on affected computers be rotated immediately from a different, uncompromised computer. While the package should be removed, the advisory notes that full control of the computer may have been given to an outside entity, meaning there is no guarantee that removing the package will remove all malicious software resulting from the installation.\n\nThis represents a critical supply chain compromise affecting the npm ecosystem.

Indicators of compromise

Packages
  • nolimit-x

Remediation

  • Immediately remove the nolimit-x package from all affected systems
  • Rotate all secrets, API keys, credentials, and signing keys from a different, uncompromised computer
  • Assume full system compromise and conduct forensic analysis
  • Monitor affected systems for signs of persistent malware or backdoors
  • Audit all activities and access logs from systems that had nolimit-x installed

Sources

  1. GitHub Advisory GHSA-cp8c-2xwh-q227 · GitHub Advisory Database

Cite this entry

"Malware in nolimit-x." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 25, 2026; last updated June 25, 2026. https://supplychainattack.org/incident/malware-in-nolimit-x-x8nr72

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

Related incidents

  1. activecritical

    Malware in @su-doughnym/react-dlb

    The npm package @su-doughnym/react-dlb contains malware that grants full system compromise to an outside entity. Any computer with this package installed or running should be considered fully compromised and all secrets and keys should be rotated immediately from a different computer.

    npmCompromised package
  2. activecritical

    Malware in nabisco

    The npm package 'nabisco' contains malware that grants full system compromise to an outside entity. Any computer with this package installed or running should be considered fully compromised.

    npmCompromised package
  3. containedcritical

    Malware in @su-doughnym/metrics-js

    Malware was discovered in the npm package @su-doughnym/metrics-js. Systems with this package installed are considered fully compromised and require immediate remediation.

    npmCompromised package
  4. activecritical

    Malware in hs-locale-management

    The npm package hs-locale-management contains malware that grants full control of affected systems. Any computer with this package installed should be considered fully compromised.

    npmCompromised package