Malware in uipath-sugar-sell
Malware discovered in the npm package uipath-sugar-sell. Systems with this package installed are considered fully compromised and may have given outside entities full control.
- Disclosed
- Last updated
- Blast radius
- Any system with the package installed or running
- Ecosystems
- Attack vectors
- Affected entities
- uipath-sugar-sell
A malicious npm package named uipath-sugar-sell has been identified and published to the npm registry. The package contains malware that compromises any system on which it is installed or executed.\n\nAccording to the GitHub Advisory (GHSA-xc4q-c25v-qv6v), any computer running this package should be considered fully compromised. The advisory recommends immediate rotation of all secrets and keys from a different, uncompromised computer.\n\nWhile removal of the package is advised, there is no guarantee that uninstalling it will remove all malicious artifacts, as the attacker may have gained full control of the affected system during execution.\n\nUsers should treat any system that installed or ran this package as potentially fully compromised and take appropriate incident response measures.
Indicators of compromise
- Packages
- uipath-sugar-sell
Remediation
- Immediately isolate any system that installed or ran uipath-sugar-sell from the network
- Rotate all secrets, API keys, credentials, and tokens from a clean, uncompromised computer
- Remove the uipath-sugar-sell package from all systems
- Conduct a full forensic investigation of affected systems to identify any additional malicious artifacts or persistence mechanisms
- Review system logs and network traffic for indicators of compromise or data exfiltration
- Consider full system reimaging if the package was installed on production or sensitive systems
- Audit npm dependencies across your organization to identify any other installations of this package
Sources
- GitHub Advisory GHSA-xc4q-c25v-qv6v · GitHub Advisory Database
Cite this entry
"Malware in uipath-sugar-sell." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 29, 2026; last updated June 29, 2026. https://supplychainattack.org/incident/malware-in-uipath-sugar-sell-nweaec
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- activecritical
Malware in @contentprod-authoring/block-manager
Malware was discovered in the npm package @contentprod-authoring/block-manager. Systems with this package installed are considered fully compromised and require immediate remediation.
npmCompromised package - containedcritical
Malware in @webda-infra/search
Malware was discovered in the npm package @webda-infra/search. Systems with this package installed or running should be considered fully compromised and require immediate remediation.
npmCompromised package - containedcritical
Malware in @citi-icg-171632/citicms-repo-component
The npm package @citi-icg-171632/citicms-repo-component contained malware that provided full system compromise to attackers. Any computer with this package installed should be considered fully compromised and all secrets and keys rotated immediately.
npmCompromised package - activecritical
Malware in @bscom/styling
The npm package @bscom/styling contains malware that grants full control of affected systems. Any computer with this package installed or running should be considered fully compromised.
npmCompromised package