Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Malware in xnder-sdk

Malware was discovered in the npm package xnder-sdk, resulting in full system compromise for any installation. The package should be removed immediately and all secrets and keys rotated from a different computer.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Any system with xnder-sdk installed or running
Ecosystems
npm
Attack vectors
Compromised package
Affected entities
  • xnder-sdk

The npm package xnder-sdk was found to contain malware. According to the GitHub Advisory (GHSA-5vr8-6v9x-3vxm), any computer with this package installed or running should be considered fully compromised.\n\nThe advisory warns that all secrets and keys stored on affected computers should be rotated immediately from a different, unaffected system. While the package should be removed, there is no guarantee that removal will eliminate all malicious software that may have been installed as a result of the initial compromise.\n\nThis represents a critical supply chain attack through a compromised package in the npm ecosystem."

Indicators of compromise

Packages
  • xnder-sdk

Remediation

  • Immediately remove the xnder-sdk package from all systems
  • Rotate all secrets, API keys, and credentials from a different, unaffected computer
  • Audit system logs for unauthorized access or activity during the period the package was installed
  • Consider the affected system(s) as potentially fully compromised and plan for forensic analysis or reimaging
  • Check for any other suspicious packages or modifications that may have been introduced

Sources

  1. GitHub Advisory GHSA-5vr8-6v9x-3vxm · GitHub Advisory Database

Cite this entry

"Malware in xnder-sdk." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 10, 2026; last updated June 10, 2026. https://supplychainattack.org/incident/malware-in-xnder-sdk-0fzq7b

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

Related incidents

  1. activecritical

    Malware in @meme-sdk/trade

    Malware discovered in the npm package @meme-sdk/trade. Systems with this package installed are considered fully compromised and require immediate remediation.

    npmCompromised package
  2. containedcritical

    Malware in graphbase-js

    Malware was discovered in the npm package graphbase-js. Systems with the package installed or running are considered fully compromised and require immediate remediation.

    npmCompromised package
  3. activecritical

    Malware in @validator-sdk/pubkey

    Malware discovered in the npm package @validator-sdk/pubkey. Systems with this package installed are considered fully compromised and require immediate remediation.

    npmCompromised package
  4. containedcritical

    Malware in @validate-ethereum-address/core

    The npm package @validate-ethereum-address/core was found to contain malware, potentially giving attackers full control of affected systems. Any computer with this package installed should be considered fully compromised.

    npmCompromised package