Malware in poc-publish-test-su-doughnym
Malware was discovered in the npm package poc-publish-test-su-doughnym. Any computer with this package installed or running should be considered fully compromised, requiring immediate rotation of all secrets and keys from a different system.
- Disclosed: June 25, 2026
- Last updated: June 25, 2026
- Blast radius: Any system with the package installed or running
- Ecosystems: npm
- Attack vectors
- Affected entities: poc-publish-test-su-doughnym
A malicious npm package named poc-publish-test-su-doughnym was identified and published to the npm registry. The package contains malware that grants full control of affected systems to an outside entity.

Any computer that has installed or executed this package should be considered fully compromised. All secrets, keys, and credentials stored on affected systems must be rotated immediately from a different, uncompromised computer.

While the package should be removed, complete remediation cannot be guaranteed, because the malware may have established persistent access or additional backdoors on the compromised system.

The incident was disclosed via GitHub Advisory GHSA-fg75-hmqx-qfw9 on 2026-06-25.
Indicators of compromise
- Packages
- poc-publish-test-su-doughnym
Remediation
- Immediately remove the poc-publish-test-su-doughnym package from all systems
- Rotate all secrets, API keys, credentials, and tokens from a different, uncompromised computer
- Conduct a full security audit of any system that had this package installed
- Monitor affected systems for signs of persistent malware or unauthorized access
- Review package dependencies to identify any other potentially compromised packages
- Consider full system reimaging if the package was installed on production or sensitive systems
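As an added example, not part of the catalogue entry or the GitHub advisory: a Python script that checks npm lockfiles for the indicator packages named on this page, covering both the nested lockfile v1 layout and the flat v2/v3 "packages" map. The function names, the sample lockfile and the "example-dep" package in it are constructed for illustration.

```python
import json
from pathlib import Path

# Indicator packages named on this page and in its related incidents.
IOC_PACKAGES = {"poc-publish-test-su-doughnym", "@su-doughnym/react-dlb",
                "@su-doughnym/metrics-js", "nabisco", "hs-locale-management"}

def lockfile_packages(lock):
    """Yield (name, version) for every entry in an npm lockfile (v1, v2 or v3)."""
    # lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
    # "node_modules/example-dep/node_modules/@scope/name"; "" is the root project.
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" in path:
            yield path.rsplit("node_modules/", 1)[1], meta.get("version")
    # lockfileVersion 1 (also kept in v2 for compatibility): nested "dependencies" tree.
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, meta = stack.pop()
        yield name, meta.get("version")
        stack.extend(meta.get("dependencies", {}).items())

def find_iocs(lock):
    """Return sorted, de-duplicated (name, version) pairs that match IOC_PACKAGES."""
    return sorted({(n, v) for n, v in lockfile_packages(lock) if n in IOC_PACKAGES})

def scan_tree(root):
    """Scan every package-lock.json below root; return {lockfile path: matches}."""
    hits = {}
    for lockpath in Path(root).rglob("package-lock.json"):
        found = find_iocs(json.loads(lockpath.read_text()))
        if found:
            hits[str(lockpath)] = found
    return hits

# Constructed sample (not real project data): a v3 lockfile in which the
# advisory's package arrives as a transitive dependency of "example-dep".
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"example-dep": "1.0.0"}},
        "node_modules/example-dep": {"version": "1.0.0"},
        "node_modules/example-dep/node_modules/poc-publish-test-su-doughnym": {"version": "0.0.1"},
    },
}

if __name__ == "__main__":
    for name, version in find_iocs(SAMPLE_LOCK):
        print(f"IOC package present: {name}@{version}")
```

A lockfile only records what npm resolved for that project, so a package installed globally or run ad hoc will not appear in it; the remediation steps above still apply to any host that executed the package.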
Sources
- GitHub Advisory GHSA-fg75-hmqx-qfw9 · GitHub Advisory Database
Cite this entry
"Malware in poc-publish-test-su-doughnym." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 25, 2026; last updated June 25, 2026. https://supplychainattack.org/incident/malware-in-poc-publish-test-su-doughnym-18aya8
Related incidents
- Malware in @su-doughnym/react-dlb (npm · Compromised package · active · critical)
The npm package @su-doughnym/react-dlb contains malware that grants full system compromise to an outside entity. Any computer with this package installed or running should be considered fully compromised and all secrets and keys should be rotated immediately from a different computer.
- Malware in nabisco (npm · Compromised package · active · critical)
The npm package 'nabisco' contains malware that grants full system compromise to an outside entity. Any computer with this package installed or running should be considered fully compromised.
- Malware in @su-doughnym/metrics-js (npm · Compromised package · contained · critical)
Malware was discovered in the npm package @su-doughnym/metrics-js. Systems with this package installed are considered fully compromised and require immediate remediation.
- Malware in hs-locale-management (npm · Compromised package · active · critical)
The npm package hs-locale-management contains malware that grants full control of affected systems. Any computer with this package installed should be considered fully compromised.