Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Malware in swagger-express-routes

Malware was discovered in the npm package swagger-express-routes. Systems with this package installed or running should be considered fully compromised, requiring immediate rotation of all secrets and keys from a clean system.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Any system with the package installed or running
Ecosystems
npm
Attack vectors
Compromised package
Affected entities
  • swagger-express-routes

The npm package swagger-express-routes was found to contain malware. According to the GitHub advisory, any computer with this package installed or running should be considered fully compromised.\n\nImmediate action is required: all secrets and keys stored on affected computers must be rotated from a different, uncompromised system. While the package should be removed, there is no guarantee that removal will eliminate all malicious software that may have been installed as a result of the compromise.\n\nThe advisory was published on 2026-06-11 via GitHub's security advisory system.

Indicators of compromise

Packages
  • swagger-express-routes

Remediation

  • Immediately rotate all secrets, API keys, and credentials from a clean, uncompromised computer
  • Remove the swagger-express-routes package from all affected systems
  • Audit system logs and network traffic for signs of unauthorized access or data exfiltration
  • Consider the affected system(s) as potentially fully compromised and plan for complete rebuild if critical infrastructure
  • Check for any other suspicious packages or modifications on affected systems

Sources

  1. GitHub Advisory GHSA-49jc-pgvv-m729 · GitHub Advisory Database

Cite this entry

"Malware in swagger-express-routes." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 11, 2026; last updated June 11, 2026. https://supplychainattack.org/incident/malware-in-swagger-express-routes-b5voe7

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

Related incidents

  1. containedcritical

    Malware in janus-flow

    Malware was discovered in the npm package janus-flow, resulting in full system compromise of any computer with the package installed or running. All secrets and keys on affected systems should be rotated immediately from a different computer.

    npmCompromised package
  2. containedcritical

    Malware in flow-lending-sdk

    Malware was discovered in the npm package flow-lending-sdk. Systems with this package installed or running are considered fully compromised, with potential for complete system takeover.

    npmCompromised package
  3. activecritical

    Malware in auth-basic-vault

    Malware discovered in the npm package auth-basic-vault. Any computer with this package installed or running should be considered fully compromised.

    npmCompromised package
  4. containedcritical

    Malware in ttspc-server-sample

    The npm package ttspc-server-sample contains malware that grants full control of affected systems. Any computer with this package installed or running should be considered fully compromised.

    npmCompromised package