Malware in @tenforce/toolbox-fontmap
Malware was discovered in the npm package @tenforce/toolbox-fontmap, resulting in full system compromise for any computer with the package installed or running. The advisory recommends immediate removal of the package and rotation of all secrets and keys from a different computer.
- Disclosed
- Last updated
- Blast radius
- Any system with the package installed or running
- Ecosystems
- Attack vectors
- Affected entities
- @tenforce/toolbox-fontmap
A critical malware incident was identified in the npm package @tenforce/toolbox-fontmap. According to the GitHub Security Advisory (GHSA-4pgr-qgvj-c2wh), any computer that has this package installed or running should be considered fully compromised.\n\nThe advisory indicates that all secrets and keys stored on affected computers should be rotated immediately from a different, uncompromised system. While the package should be removed, the advisory notes that full control of the computer may have been given to an outside entity, meaning there is no guarantee that removing the package alone will eliminate all malicious software resulting from the installation.\n\nThis represents a supply chain attack through a compromised npm package with severe impact on system integrity and security posture.
Indicators of compromise
- Packages
- @tenforce/toolbox-fontmap
Remediation
- Remove the @tenforce/toolbox-fontmap package immediately
- Rotate all secrets, keys, and credentials from a different, uncompromised computer
- Assume full system compromise and conduct a thorough security audit
- Consider the affected system potentially compromised beyond package removal
- Review system logs and network activity for signs of unauthorized access or data exfiltration
Sources
- GitHub Advisory GHSA-4pgr-qgvj-c2wh · GitHub Advisory Database
Cite this entry
"Malware in @tenforce/toolbox-fontmap." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 11, 2026; last updated June 11, 2026. https://supplychainattack.org/incident/malware-in-tenforce-toolbox-fontmap-11v79h
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- containedhigh
Microsoft links Mastra AI supply chain attack to North Korean hackers
Microsoft attributed a Mastra AI supply chain attack that compromised over 140 npm packages to North Korean hacking group Sapphire Sleet (BlueNoroff). The attack targeted the npm ecosystem and AI development infrastructure.
UNC1069npmAI agents & skillsCompromised packageMalicious maintainer - containedcritical
Malware in pretty-logger-js
Malware was discovered in the npm package pretty-logger-js. Systems with this package installed or running should be considered fully compromised, with all secrets and keys requiring immediate rotation from a different computer.
npmCompromised package - containedcritical
Malware in ts-esys
Malware was discovered in the npm package ts-esys. Systems with this package installed or running are considered fully compromised and require immediate remediation.
npmCompromised package - containedcritical
Malware in ts-ecro-helper
Malware was discovered in the npm package ts-ecro-helper. Systems with this package installed are considered fully compromised and require immediate remediation including secret rotation and package removal.
npmCompromised package