Skip to content
supplychainattack.orgSupply chain attack incident catalog
activecritical

Malware in string-morph

Malware discovered in the npm package string-morph. Systems with this package installed are considered fully compromised and require immediate remediation.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Any system with string-morph installed or running
Ecosystems
Attack vectors
Affected entities
  • string-morph

The npm package string-morph has been identified as containing malware. According to the GitHub Advisory (GHSA-ggfx-72x6-p884), any computer with this package installed or running should be considered fully compromised.\n\nThe advisory recommends immediate rotation of all secrets and keys from a different, uncompromised computer. While the package should be removed, there is no guarantee that removal will eliminate all malicious software that may have been installed as a result of the compromise.\n\nThis is a critical supply chain incident affecting the npm ecosystem, with potential for widespread impact across all systems that have installed or executed this package.

Indicators of compromise

Packages
  • string-morph

Remediation

  • Immediately isolate any system with string-morph installed from the network
  • Rotate all secrets, API keys, and credentials from a different, uncompromised computer
  • Remove the string-morph package from all affected systems
  • Conduct a full security audit and malware scan of affected systems
  • Review system logs and access patterns for signs of unauthorized activity
  • Consider the affected system(s) as potentially fully compromised and plan for complete rebuild if critical systems are involved

Sources

  1. GitHub Advisory GHSA-ggfx-72x6-p884 · GitHub Advisory Database

Cite this entry

"Malware in string-morph." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 14, 2026; last updated July 14, 2026. https://supplychainattack.org/incident/malware-in-string-morph-14p6b8

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. containedcritical

    Malware in @logdna-web/styles

    Malware was discovered in the npm package @logdna-web/styles. Systems with this package installed are considered fully compromised and require immediate remediation.

    npmCompromised package
  2. activecritical

    Malware in @flex-ng/filter-pipe

    Malware discovered in the npm package @flex-ng/filter-pipe. Systems with this package installed are considered fully compromised and require immediate remediation.

    npmCompromised package
  3. activecritical

    Malware in @idms-corp/auth-ui

    Malware discovered in the npm package @idms-corp/auth-ui. Systems with this package installed are considered fully compromised, with potential for complete system takeover.

    npmCompromised package
  4. activecritical

    Malware in salesforce-vscode-slds

    Malware was discovered in the npm package salesforce-vscode-slds. Any system with this package installed is considered fully compromised and poses a critical risk to stored secrets and keys.

    npmCompromised package