Malware in @su-doughnym/hubspot-loginui-poc
The npm package @su-doughnym/hubspot-loginui-poc contained malware that provided full system compromise to attackers. All systems with this package installed should be considered fully compromised and require immediate remediation.
- Disclosed: June 25, 2026
- Last updated: June 25, 2026
- Blast radius: Any system with the package installed or running
- Ecosystems: npm
- Attack vectors
- Affected entities: @su-doughnym/hubspot-loginui-poc
The npm package @su-doughnym/hubspot-loginui-poc was found to contain malware. According to the GitHub advisory, any computer with this package installed or running should be considered fully compromised, with potential for complete system takeover by an outside entity.

The malware grants attackers full control of affected systems. All secrets, keys, and credentials stored on compromised machines should be rotated immediately from a different, unaffected computer.

While the package should be removed, there is no guarantee that removal will eliminate all malicious software that may have been installed as a result of the initial compromise. A full security audit and potential system rebuild may be necessary for affected systems.
Indicators of compromise
- Packages
- @su-doughnym/hubspot-loginui-poc
Remediation
- Immediately remove the @su-doughnym/hubspot-loginui-poc package from all systems
- Rotate all secrets, keys, and credentials from a different, unaffected computer
- Assume full system compromise and conduct a thorough security audit of affected machines
- Consider rebuilding affected systems from clean media if full compromise is suspected
- Review system logs and network traffic for signs of unauthorized access or data exfiltration
- Monitor for any lateral movement or persistence mechanisms installed by the malware
Sources
- GitHub Advisory GHSA-jgj9-pm28-4m94 · GitHub Advisory Database
Cite this entry
"Malware in @su-doughnym/hubspot-loginui-poc." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 25, 2026; last updated June 25, 2026. https://supplychainattack.org/incident/malware-in-su-doughnym-hubspot-loginui-poc-e82lgk
Related incidents
- Malware in @su-doughnym/react-dlb (active · critical · npm · Compromised package)
  The npm package @su-doughnym/react-dlb contains malware that grants full system compromise to an outside entity. Any computer with this package installed or running should be considered fully compromised and all secrets and keys should be rotated immediately from a different computer.
- Malware in nabisco (active · critical · npm · Compromised package)
  The npm package 'nabisco' contains malware that grants full system compromise to an outside entity. Any computer with this package installed or running should be considered fully compromised.
- Malware in @su-doughnym/metrics-js (contained · critical · npm · Compromised package)
  Malware was discovered in the npm package @su-doughnym/metrics-js. Systems with this package installed are considered fully compromised and require immediate remediation.
- Malware in hs-locale-management (active · critical · npm · Compromised package)
  The npm package hs-locale-management contains malware that grants full control of affected systems. Any computer with this package installed should be considered fully compromised.