{"name":"supplychainattack.org","description":"A neutral, comprehensive public reference of confirmed software, hardware, and vendor supply chain attacks. Each entry is backed by at least one credible public advisory.","license":"Catalog data is free to cite with attribution to supplychainattack.org.","revised":"2026-06-09","count":174,"incidents":[{"id":"malware-in-doaction-storage-k8m4uz","url":"https://supplychainattack.org/incident/malware-in-doaction-storage-k8m4uz","title":"Malware in @doaction/storage","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"@doaction/storage"}],"summary":"Malware was discovered in the npm package @doaction/storage. Systems with this package installed are considered fully compromised and require immediate remediation including credential rotation and package removal.","iocs":{"packages":["@doaction/storage"]},"remediation":["Immediately rotate all secrets, API keys, and credentials from a different, uncompromised computer","Remove the @doaction/storage package from all affected systems","Conduct a full security audit of any system that had this package installed","Monitor affected systems for signs of unauthorized access or persistence mechanisms","Consider rebuilding or reimaging systems that had this package installed, as removal alone may not eliminate all malicious artifacts"],"sources":[{"url":"https://github.com/advisories/GHSA-v89r-6g3x-gjjv","title":"GitHub Advisory GHSA-v89r-6g3x-gjjv","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-path-extend-rr7j7r","url":"https://supplychainattack.org/incident/malware-in-path-extend-rr7j7r","title":"Malware in 
path-extend","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"path-extend"}],"summary":"The npm package path-extend contains malware that grants full system compromise to attackers. Any computer with this package installed or running should be considered fully compromised and all secrets and keys should be rotated immediately from a different computer.","iocs":{"packages":["path-extend"]},"remediation":["Immediately isolate any computer that has path-extend installed or running from the network","Rotate all secrets, API keys, credentials, and passwords from a different, uncompromised computer","Remove the path-extend package from all systems","Conduct a full forensic investigation of affected systems to identify any additional malware or persistence mechanisms","Review all access logs and audit trails for suspicious activity on affected systems","Consider the affected systems as potentially fully compromised and plan for complete rebuild if critical systems are involved"],"sources":[{"url":"https://github.com/advisories/GHSA-qvmc-2hcj-8h4f","title":"GitHub Advisory GHSA-qvmc-2hcj-8h4f","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-os-ulid-void-10ynpz","url":"https://supplychainattack.org/incident/malware-in-os-ulid-void-10ynpz","title":"Malware in os-ulid-void","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"os-ulid-void"}],"summary":"The npm package os-ulid-void was found to contain malware, potentially providing full system compromise to attackers. 
Any computer with this package installed or running should be considered fully compromised.","iocs":{"packages":["os-ulid-void"]},"remediation":["Immediately isolate any computer that has os-ulid-void installed or running from the network","Rotate all secrets, API keys, credentials, and signing keys from a different, uncompromised computer","Remove the os-ulid-void package from all systems","Perform a full security audit and malware scan on affected systems","Review system logs and access logs for any unauthorized activity during the period the package was installed","Consider full system reimaging if full compromise is suspected"],"sources":[{"url":"https://github.com/advisories/GHSA-7fhf-p3wv-2xrc","title":"GitHub Advisory GHSA-7fhf-p3wv-2xrc","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-kecak256-yk01ec","url":"https://supplychainattack.org/incident/malware-in-kecak256-yk01ec","title":"Malware in kecak256","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"kecak256"}],"summary":"The npm package kecak256 was compromised and contains malware. 
Any computer with this package installed or running should be considered fully compromised.","iocs":{"packages":["kecak256"]},"remediation":["Immediately isolate any computer with kecak256 installed or running from the network","Rotate all secrets, keys, and credentials from a different, uncompromised computer","Remove the kecak256 package from all affected systems","Conduct a full security audit and malware scan of affected systems","Review access logs and monitor for unauthorized activity on systems that had the package installed","Consider the affected systems as potentially fully compromised and plan for complete rebuild if critical systems are involved"],"sources":[{"url":"https://github.com/advisories/GHSA-4vrf-wcrh-g5j5","title":"GitHub Advisory GHSA-4vrf-wcrh-g5j5","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-progerss-cli-1bk4x1","url":"https://supplychainattack.org/incident/malware-in-progerss-cli-1bk4x1","title":"Malware in progerss-cli","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with progerss-cli installed or running","affectedEntities":[{"name":"progerss-cli"}],"summary":"Malware discovered in the npm package progerss-cli. 
Systems with this package installed are considered fully compromised and require immediate remediation.","iocs":{"packages":["progerss-cli"]},"remediation":["Immediately isolate affected systems from the network","Rotate all secrets, API keys, and credentials from a different, uncompromised computer","Remove the progerss-cli package","Perform a full security audit and malware scan of affected systems","Consider full system reimaging if full compromise is suspected","Review system logs and access logs for signs of unauthorized activity"],"sources":[{"url":"https://github.com/advisories/GHSA-pr99-g8pf-f3rr","title":"GitHub Advisory GHSA-pr99-g8pf-f3rr","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-enquriers-c5pm9e","url":"https://supplychainattack.org/incident/malware-in-enquriers-c5pm9e","title":"Malware in enquriers","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"enquriers","note":"npm package containing malware"}],"summary":"The npm package enquriers was found to contain malware, resulting in full system compromise of any computer with the package installed or running. 
All secrets and keys should be rotated immediately from a different computer, and the package should be removed.","iocs":{"packages":["enquriers"]},"remediation":["Immediately rotate all secrets, API keys, and credentials from a different, uncompromised computer","Remove the enquriers package from all affected systems","Conduct a full security audit and forensic analysis of any system that had the package installed","Monitor affected systems for signs of persistent malware or unauthorized access","Consider rebuilding affected systems from clean media if full compromise is suspected"],"sources":[{"url":"https://github.com/advisories/GHSA-c8vc-qqjp-wg87","title":"GitHub Advisory GHSA-c8vc-qqjp-wg87","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-clsx-js-v29yur","url":"https://supplychainattack.org/incident/malware-in-clsx-js-v29yur","title":"Malware in clsx-js","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with clsx-js installed or running","affectedEntities":[{"name":"clsx-js","note":"npm package"}],"summary":"Malware discovered in the npm package clsx-js. 
Systems with this package installed are considered fully compromised and require immediate remediation.","iocs":{"packages":["clsx-js"]},"remediation":["Immediately rotate all secrets, keys, and credentials from a different, uncompromised computer","Remove the clsx-js package from all affected systems","Conduct a full security audit and malware scan of all systems that had clsx-js installed","Review system logs and network traffic for signs of unauthorized access or data exfiltration","Consider full system reimaging if compromise is confirmed"],"sources":[{"url":"https://github.com/advisories/GHSA-8jmh-pvvx-wjrf","title":"GitHub Advisory GHSA-8jmh-pvvx-wjrf","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-xorma-js-rj0epf","url":"https://supplychainattack.org/incident/malware-in-xorma-js-rj0epf","title":"Malware in xorma-js","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with xorma-js installed or running","affectedEntities":[{"name":"xorma-js"}],"summary":"Malware was discovered in the npm package xorma-js, resulting in full system compromise of any computer with the package installed or running. 
All secrets and keys on affected systems should be rotated immediately from a different computer.","iocs":{"packages":["xorma-js"]},"remediation":["Immediately rotate all secrets and keys stored on affected computers from a different, uncompromised computer","Remove the xorma-js package from all systems","Conduct a full security audit and forensic analysis of any system that had xorma-js installed","Monitor affected systems for signs of unauthorized access or persistence mechanisms","Consider rebuilding affected systems from clean media if full compromise is suspected"],"sources":[{"url":"https://github.com/advisories/GHSA-h7mc-23rp-vpj6","title":"GitHub Advisory GHSA-h7mc-23rp-vpj6","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-doaction-types-tizsj5","url":"https://supplychainattack.org/incident/malware-in-doaction-types-tizsj5","title":"Malware in @doaction/types","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"@doaction/types"}],"summary":"Malware was discovered in the npm package @doaction/types. 
Systems with this package installed are considered fully compromised and require immediate remediation.","iocs":{"packages":["@doaction/types"]},"remediation":["Immediately remove the @doaction/types package from all systems","Rotate all secrets, API keys, and credentials from a different, uncompromised computer","Assume full system compromise and conduct forensic analysis","Monitor affected systems for signs of unauthorized access or persistence mechanisms","Consider rebuilding or reimaging affected systems if possible","Review system logs for any suspicious activity during the period the package was installed"],"sources":[{"url":"https://github.com/advisories/GHSA-m5q9-qwgm-wvqx","title":"GitHub Advisory GHSA-m5q9-qwgm-wvqx","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-doaction-wasm-loader-1r883x","url":"https://supplychainattack.org/incident/malware-in-doaction-wasm-loader-1r883x","title":"Malware in @doaction/wasm-loader","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"@doaction/wasm-loader"}],"summary":"Malware was discovered in the npm package @doaction/wasm-loader. 
Systems with this package installed or running are considered fully compromised, with potential for complete system takeover.","iocs":{"packages":["@doaction/wasm-loader"]},"remediation":["Immediately isolate any system with @doaction/wasm-loader installed from the network","Rotate all secrets, API keys, and credentials from a different, unaffected computer","Remove the @doaction/wasm-loader package from all systems","Conduct a full security audit of affected systems for additional malware or persistence mechanisms","Consider complete system rebuild or forensic analysis if the package was installed on production or sensitive systems","Review access logs and audit trails for any unauthorized activity during the period the package was installed"],"sources":[{"url":"https://github.com/advisories/GHSA-54mr-v524-rmw6","title":"GitHub Advisory GHSA-54mr-v524-rmw6","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-doaction-sudo-prompt-1by6ag","url":"https://supplychainattack.org/incident/malware-in-doaction-sudo-prompt-1by6ag","title":"Malware in @doaction/sudo-prompt","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"@doaction/sudo-prompt"}],"summary":"Malware was discovered in the npm package @doaction/sudo-prompt. 
Systems with this package installed or running are considered fully compromised and require immediate remediation.","iocs":{"packages":["@doaction/sudo-prompt"]},"remediation":["Immediately isolate any computer with @doaction/sudo-prompt installed from the network","Rotate all secrets, API keys, credentials, and cryptographic keys from a different, uncompromised computer","Remove the @doaction/sudo-prompt package from all affected systems","Perform a full security audit and malware scan of affected systems","Review system logs and access logs for signs of unauthorized activity during the period the package was installed","Consider full system reimaging if the package was installed on systems with elevated privileges or access to sensitive data"],"sources":[{"url":"https://github.com/advisories/GHSA-f9qh-hqgp-pgvc","title":"GitHub Advisory GHSA-f9qh-hqgp-pgvc","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-doaction-systeminformation-114h9t","url":"https://supplychainattack.org/incident/malware-in-doaction-systeminformation-114h9t","title":"Malware in @doaction/systeminformation","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"@doaction/systeminformation"}],"summary":"The npm package @doaction/systeminformation contained malware that grants full system compromise to attackers. 
Any computer with this package installed or running should be considered fully compromised.","iocs":{"packages":["@doaction/systeminformation"]},"remediation":["Immediately isolate any computer that has installed or run @doaction/systeminformation from the network","Rotate all secrets, API keys, credentials, and signing keys from a different, uncompromised computer","Remove the @doaction/systeminformation package from all systems","Perform a full security audit and malware scan on affected systems","Review system logs and access patterns for signs of unauthorized activity during the period the package was installed","Consider full system reimaging if the package was installed on critical infrastructure or systems with access to sensitive data"],"sources":[{"url":"https://github.com/advisories/GHSA-xj3m-q8rc-3f5j","title":"GitHub Advisory GHSA-xj3m-q8rc-3f5j","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-doaction-signalhub-17mzjx","url":"https://supplychainattack.org/incident/malware-in-doaction-signalhub-17mzjx","title":"Malware in @doaction/signalhub","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"@doaction/signalhub"}],"summary":"Malware was discovered in the npm package @doaction/signalhub. 
Systems with this package installed or running should be considered fully compromised, with all secrets and keys requiring immediate rotation from a different computer.","iocs":{"packages":["@doaction/signalhub"]},"remediation":["Immediately rotate all secrets and keys from a different, uncompromised computer","Remove the @doaction/signalhub package from all affected systems","Conduct a full security audit of any system that had this package installed","Monitor affected systems for signs of unauthorized access or persistence mechanisms","Consider the affected system(s) as potentially fully compromised and plan for complete rebuild if critical infrastructure"],"sources":[{"url":"https://github.com/advisories/GHSA-gq53-mvg2-fxjf","title":"GitHub Advisory GHSA-gq53-mvg2-fxjf","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-comos-sdk-15vzh4","url":"https://supplychainattack.org/incident/malware-in-comos-sdk-15vzh4","title":"Malware in comos-sdk","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with comos-sdk installed or running","affectedEntities":[{"name":"comos-sdk"}],"summary":"Malware was discovered in the npm package comos-sdk, resulting in full system compromise for any installation. 
The package should be removed and all secrets and keys rotated from a clean system.","iocs":{"packages":["comos-sdk"]},"remediation":["Immediately remove the comos-sdk package from all systems","Rotate all secrets, keys, and credentials from a clean, uncompromised computer","Assume full system compromise and conduct forensic analysis","Monitor affected systems for signs of persistent malware or unauthorized access","Review system logs for any suspicious activity during the period comos-sdk was installed"],"sources":[{"url":"https://github.com/advisories/GHSA-xr7v-2mxc-cw5x","title":"GitHub Advisory GHSA-xr7v-2mxc-cw5x","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-ui-weave-z42akj","url":"https://supplychainattack.org/incident/malware-in-ui-weave-z42akj","title":"Malware in ui-weave","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with ui-weave installed or running","affectedEntities":[{"name":"ui-weave"}],"summary":"Malware was discovered in the npm package ui-weave, resulting in full system compromise of any computer with the package installed or running. 
All secrets and keys on affected systems should be rotated immediately from a different computer.","iocs":{"packages":["ui-weave"]},"remediation":["Immediately rotate all secrets and keys from a different, uncompromised computer","Remove the ui-weave package from all affected systems","Conduct a full security audit of any system that had ui-weave installed","Consider the affected system(s) as potentially fully compromised and plan for complete rebuild if critical systems are involved","Check for any unauthorized access or lateral movement from affected systems"],"sources":[{"url":"https://github.com/advisories/GHSA-x2w5-px4q-j9wq","title":"GitHub Advisory GHSA-x2w5-px4q-j9wq","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-buffer-utilities-hmqvb8","url":"https://supplychainattack.org/incident/malware-in-buffer-utilities-hmqvb8","title":"Malware in buffer-utilities","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with buffer-utilities installed or running","affectedEntities":[{"name":"buffer-utilities"}],"summary":"Malware was discovered in the npm package buffer-utilities, resulting in full system compromise for any installation. 
The package should be removed immediately and all secrets and keys rotated from a clean system.","iocs":{"packages":["buffer-utilities"]},"remediation":["Remove the buffer-utilities package immediately from all systems","Rotate all secrets, API keys, and credentials from a clean, uncompromised computer","Perform a full security audit and malware scan of all affected systems","Review system logs and network traffic for signs of unauthorized access or data exfiltration","Consider the affected systems as potentially fully compromised and plan for complete rebuild if critical infrastructure"],"sources":[{"url":"https://github.com/advisories/GHSA-67mv-3xg7-3726","title":"GitHub Advisory GHSA-67mv-3xg7-3726","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-transacts-15tbet","url":"https://supplychainattack.org/incident/malware-in-transacts-15tbet","title":"Malware in transacts","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"transacts","note":"npm package containing malware"}],"summary":"The npm package transacts was found to contain malware, resulting in full system compromise of any computer with the package installed or running. 
All secrets and keys should be rotated immediately from a different computer, and the package should be removed.","iocs":{"packages":["transacts"]},"remediation":["Immediately rotate all secrets, API keys, and credentials from a different, uncompromised computer","Remove the transacts package from all affected systems","Conduct a full security audit and forensic analysis of any system that had the package installed or running","Monitor affected systems for signs of persistent malware or unauthorized access","Consider rebuilding affected systems from clean media if full compromise is suspected"],"sources":[{"url":"https://github.com/advisories/GHSA-r8v2-q2r3-ghm6","title":"GitHub Advisory GHSA-r8v2-q2r3-ghm6","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-doaction-shared-17i56l","url":"https://supplychainattack.org/incident/malware-in-doaction-shared-17i56l","title":"Malware in @doaction/shared","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"@doaction/shared"}],"summary":"Malware was discovered in the npm package @doaction/shared. 
Systems with this package installed are considered fully compromised and require immediate remediation.","iocs":{"packages":["@doaction/shared"]},"remediation":["Immediately isolate any system with @doaction/shared installed from the network","Remove the @doaction/shared package from all affected systems","Rotate all secrets, API keys, and credentials from a clean, uncompromised computer","Perform a full security audit and malware scan of affected systems","Review system logs and access logs for signs of unauthorized activity during the period the package was installed","Consider full system reimaging if compromise is suspected","Notify all users and stakeholders of potential exposure"],"sources":[{"url":"https://github.com/advisories/GHSA-5784-q7wq-ch43","title":"GitHub Advisory GHSA-5784-q7wq-ch43","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-doaction-auth-d1ae9f","url":"https://supplychainattack.org/incident/malware-in-doaction-auth-d1ae9f","title":"Malware in @doaction/auth","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"@doaction/auth"}],"summary":"Malware discovered in the npm package @doaction/auth. 
Systems with this package installed are considered fully compromised and require immediate remediation.","iocs":{"packages":["@doaction/auth"]},"remediation":["Immediately remove the @doaction/auth package from all systems","Rotate all secrets, API keys, and credentials from a different, uncompromised computer","Assume full system compromise and perform forensic analysis or complete system rebuild","Review access logs and audit trails for any unauthorized activity","Monitor for signs of persistence mechanisms or additional malware","Notify any systems or services that may have been accessed using credentials from affected machines"],"sources":[{"url":"https://github.com/advisories/GHSA-5cwj-c46v-mpmf","title":"GitHub Advisory GHSA-5cwj-c46v-mpmf","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-doaction-example-1uxpus","url":"https://supplychainattack.org/incident/malware-in-doaction-example-1uxpus","title":"Malware in @doaction/example","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"@doaction/example"}],"summary":"The npm package @doaction/example contains malware that grants full control of affected systems to an outside entity. 
Any computer with this package installed or running should be considered fully compromised.","iocs":{"packages":["@doaction/example"]},"remediation":["Immediately isolate any computer that has @doaction/example installed or running from the network","Rotate all secrets, API keys, and credentials stored on affected systems from a different, uncompromised computer","Remove the @doaction/example package from all affected systems","Conduct a full security audit and malware scan of affected systems","Review system logs and network traffic for signs of unauthorized access or data exfiltration","Consider full system reimaging if the compromise is suspected to be severe"],"sources":[{"url":"https://github.com/advisories/GHSA-w4g4-r5qj-rj58","title":"GitHub Advisory GHSA-w4g4-r5qj-rj58","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-doaction-eventemitter-l82ywq","url":"https://supplychainattack.org/incident/malware-in-doaction-eventemitter-l82ywq","title":"Malware in @doaction/eventemitter","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"@doaction/eventemitter"}],"summary":"Malware was discovered in the npm package @doaction/eventemitter. 
Systems with this package installed or running are considered fully compromised and require immediate remediation.","iocs":{"packages":["@doaction/eventemitter"]},"remediation":["Immediately remove the @doaction/eventemitter package from all systems","Rotate all secrets, API keys, and credentials from a different, uncompromised computer","Assume full system compromise and perform forensic analysis or complete system rebuild","Audit all systems for signs of unauthorized access or persistence mechanisms","Monitor for any suspicious activity on systems that previously had this package installed"],"sources":[{"url":"https://github.com/advisories/GHSA-926j-qqmq-889c","title":"GitHub Advisory GHSA-926j-qqmq-889c","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-doaction-http-6a47jx","url":"https://supplychainattack.org/incident/malware-in-doaction-http-6a47jx","title":"Malware in @doaction/http","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"@doaction/http"}],"summary":"Malware was discovered in the npm package @doaction/http. 
Systems with this package installed or running are considered fully compromised, with potential for complete system takeover.","iocs":{"packages":["@doaction/http"]},"remediation":["Immediately isolate any system that has @doaction/http installed or running","Rotate all secrets, API keys, and credentials from a different, uncompromised computer","Remove the @doaction/http package from all affected systems","Conduct a full security audit and malware scan of affected systems","Review system logs and network traffic for signs of unauthorized access or data exfiltration","Consider full system reimaging if complete compromise is suspected"],"sources":[{"url":"https://github.com/advisories/GHSA-cpf3-vrxh-mv98","title":"GitHub Advisory GHSA-cpf3-vrxh-mv98","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-doaction-mapstore-yfr6o1","url":"https://supplychainattack.org/incident/malware-in-doaction-mapstore-yfr6o1","title":"Malware in @doaction/mapstore","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"@doaction/mapstore"}],"summary":"The npm package @doaction/mapstore contains malware that grants full control of affected systems. 
Any computer with this package installed or running should be considered fully compromised.","iocs":{"packages":["@doaction/mapstore"]},"remediation":["Immediately isolate any system that has installed or run @doaction/mapstore from the network","Rotate all secrets, API keys, and credentials from a different, uncompromised computer","Remove the @doaction/mapstore package from all systems","Conduct a full security audit and malware scan of affected systems","Review system logs and network traffic for signs of unauthorized access or data exfiltration","Consider full system reimaging if the package was installed on production or sensitive systems"],"sources":[{"url":"https://github.com/advisories/GHSA-6mxf-8m2v-f345","title":"GitHub Advisory GHSA-6mxf-8m2v-f345","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-doaction-pay-h76xyd","url":"https://supplychainattack.org/incident/malware-in-doaction-pay-h76xyd","title":"Malware in @doaction/pay","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"@doaction/pay"}],"summary":"Malware was discovered in the npm package @doaction/pay. 
Systems with this package installed or running should be considered fully compromised and require immediate remediation.","iocs":{"packages":["@doaction/pay"]},"remediation":["Immediately rotate all secrets, keys, and credentials from a different, uncompromised computer","Remove the @doaction/pay package from all affected systems","Conduct a full security audit of any system that had this package installed","Monitor affected systems for signs of persistent compromise or backdoors","Review and revoke any API keys, tokens, or credentials that may have been exposed","Consider full system reimaging if the package was installed on production or sensitive systems"],"sources":[{"url":"https://github.com/advisories/GHSA-55rv-c39c-944m","title":"GitHub Advisory GHSA-55rv-c39c-944m","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-doaction-examples-12yxdn","url":"https://supplychainattack.org/incident/malware-in-doaction-examples-12yxdn","title":"Malware in @doaction/examples","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"@doaction/examples"}],"summary":"Malware was discovered in the npm package @doaction/examples. 
Systems with this package installed or running should be considered fully compromised, with all secrets and keys requiring immediate rotation from a different computer.","iocs":{"packages":["@doaction/examples"]},"remediation":["Immediately rotate all secrets, API keys, and credentials from a different, uncompromised computer","Remove the @doaction/examples package from all affected systems","Conduct a full security audit of any system that had this package installed","Monitor affected systems for signs of unauthorized access or persistence mechanisms","Consider rebuilding or reimaging systems that had this package installed, as removal alone may not eliminate all malicious artifacts"],"sources":[{"url":"https://github.com/advisories/GHSA-3hg6-5qgp-v676","title":"GitHub Advisory GHSA-3hg6-5qgp-v676","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-doaction-rrweb-sdk-ueo0qf","url":"https://supplychainattack.org/incident/malware-in-doaction-rrweb-sdk-ueo0qf","title":"Malware in @doaction/rrweb-sdk","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"@doaction/rrweb-sdk"}],"summary":"Malware was discovered in the npm package @doaction/rrweb-sdk. 
Systems with this package installed or running are considered fully compromised and may have given outside entities full control of the computer.","iocs":{"packages":["@doaction/rrweb-sdk"]},"remediation":["Immediately remove the @doaction/rrweb-sdk package from all systems","Rotate all secrets, API keys, and credentials from a different, uncompromised computer","Perform a full security audit and malware scan of any affected systems","Review system logs and network traffic for signs of unauthorized access or data exfiltration","Consider the affected systems as potentially fully compromised and plan for complete reimaging if critical systems are involved","Monitor for any indicators of compromise or persistence mechanisms left by the malware"],"sources":[{"url":"https://github.com/advisories/GHSA-j6f2-qf2j-5mh5","title":"GitHub Advisory GHSA-j6f2-qf2j-5mh5","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-dbmux-13zxox","url":"https://supplychainattack.org/incident/malware-in-dbmux-13zxox","title":"Malware in dbmux","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with dbmux installed or running is considered fully compromised; all secrets and keys must be rotated.","affectedEntities":[{"name":"dbmux","note":"npm package"}],"summary":"Malware was discovered in the npm package dbmux. 
Any computer with this package installed or running should be considered fully compromised, requiring immediate rotation of all secrets and keys from a different system.","iocs":{"packages":["dbmux"]},"remediation":["Immediately rotate all secrets, API keys, and credentials from a different, uncompromised computer","Remove the dbmux package from all affected systems","Audit system logs for unauthorized access or activity during the period the malicious package was installed","Consider the affected computer(s) as potentially fully compromised and plan for forensic analysis or reimaging","Check for any additional malicious software that may have been installed alongside the compromised package"],"sources":[{"url":"https://github.com/advisories/GHSA-62wx-5f55-w8g2","title":"GitHub Advisory GHSA-62wx-5f55-w8g2","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-github-archiver-186s6f","url":"https://supplychainattack.org/incident/malware-in-github-archiver-186s6f","title":"Malware in github-archiver","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed","affectedEntities":[{"name":"github-archiver","note":"npm package"}],"summary":"The npm package github-archiver was found to contain malware. 
Systems with this package installed are considered fully compromised and require immediate remediation.","iocs":{"packages":["github-archiver"]},"remediation":["Immediately isolate any system with github-archiver installed from the network","Rotate all secrets, API keys, and credentials from a different, uncompromised computer","Remove the github-archiver package from all affected systems","Perform a full security audit and malware scan of affected systems","Review system logs and access logs for signs of unauthorized activity during the period the package was installed","Consider full system rebuild if the package was installed on systems with access to sensitive infrastructure or data"],"sources":[{"url":"https://github.com/advisories/GHSA-r6pp-cq9f-9j94","title":"GitHub Advisory GHSA-r6pp-cq9f-9j94","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-void-ulid-c62spx","url":"https://supplychainattack.org/incident/malware-in-void-ulid-c62spx","title":"Malware in void-ulid","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with void-ulid installed or running","affectedEntities":[{"name":"void-ulid"}],"summary":"Malware was discovered in the npm package void-ulid, resulting in full system compromise for any computer with the package installed or running. 
All affected systems should be considered fully compromised and all secrets and keys rotated immediately from a different computer.","iocs":{"packages":["void-ulid"]},"remediation":["Immediately rotate all secrets and keys from a different, unaffected computer","Remove the void-ulid package from all affected systems","Conduct a full security audit of any system that had void-ulid installed","Consider the affected system(s) as potentially fully compromised and plan for complete rebuild if possible","Check for any unauthorized access or lateral movement from affected systems"],"sources":[{"url":"https://github.com/advisories/GHSA-3697-j84m-hx3g","title":"GitHub Advisory GHSA-3697-j84m-hx3g","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cookie-parser-legacy-pfpurb","url":"https://supplychainattack.org/incident/malware-in-cookie-parser-legacy-pfpurb","title":"Malware in cookie-parser-legacy","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"cookie-parser-legacy","note":"npm package containing malware"}],"summary":"Malware was discovered in the npm package cookie-parser-legacy. 
Systems with this package installed are considered fully compromised and require immediate remediation including secret rotation and package removal.","iocs":{"packages":["cookie-parser-legacy"]},"remediation":["Immediately isolate any system with cookie-parser-legacy installed from the network","Rotate all secrets, API keys, and credentials from a different, uncompromised computer","Remove the cookie-parser-legacy package from all affected systems","Conduct a full security audit and malware scan of affected systems","Review system logs and network traffic for signs of unauthorized access or data exfiltration","Consider the affected systems as potentially fully compromised and plan for complete rebuild if critical systems are involved"],"sources":[{"url":"https://github.com/advisories/GHSA-xv3p-wcmf-6hp8","title":"GitHub Advisory GHSA-xv3p-wcmf-6hp8","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-moustick-1sec7l","url":"https://supplychainattack.org/incident/malware-in-moustick-1sec7l","title":"Malware in moustick","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-09","lastUpdated":"2026-06-09","blastRadius":"Any system with moustick installed or running","affectedEntities":[{"name":"moustick"}],"summary":"Malware was discovered in the npm package moustick, resulting in full system compromise for any installation. 
The package should be removed immediately and all secrets and keys rotated from a different computer.","iocs":{"packages":["moustick"]},"remediation":["Immediately remove the moustick package from all systems","Rotate all secrets, API keys, and credentials from a different, uncompromised computer","Assume full system compromise and conduct forensic analysis","Monitor affected systems for signs of persistent malware or backdoors","Review system logs for unauthorized access or modifications during the period the package was installed"],"sources":[{"url":"https://github.com/advisories/GHSA-979m-vm48-369f","title":"GitHub Advisory GHSA-979m-vm48-369f","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-classwind-utils-1vnpov","url":"https://supplychainattack.org/incident/malware-in-classwind-utils-1vnpov","title":"Malware in classwind-utils","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-08","lastUpdated":"2026-06-08","blastRadius":"Any system with the package installed or running","affectedEntities":[{"name":"classwind-utils","note":"npm package containing malware"}],"summary":"Malware was discovered in the npm package classwind-utils. 
Systems with this package installed or running are considered fully compromised and require immediate remediation.","iocs":{"packages":["classwind-utils"]},"remediation":["Immediately rotate all secrets and keys from a different, uncompromised computer","Remove the classwind-utils package from all affected systems","Conduct a full security audit of any system that had this package installed","Monitor affected systems for signs of persistent compromise or lateral movement","Review and revoke any credentials or access tokens that may have been exposed"],"sources":[{"url":"https://github.com/advisories/GHSA-ghrw-2645-5c47","title":"GitHub Advisory GHSA-ghrw-2645-5c47","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-nodemon-lint-56ar03","url":"https://supplychainattack.org/incident/malware-in-nodemon-lint-56ar03","title":"Malware in nodemon-lint","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-08","lastUpdated":"2026-06-08","blastRadius":"Any system with nodemon-lint installed or executed","affectedEntities":[{"name":"nodemon-lint","note":"Malware-containing package on npm"}],"summary":"The npm package nodemon-lint contains malware that grants full system compromise to attackers. 
Any computer with this package installed or running should be considered fully compromised and all secrets and keys rotated immediately from a different machine.","iocs":{"packages":["nodemon-lint"]},"remediation":["Immediately isolate affected systems from the network","Rotate all secrets, API keys, and credentials from a different, uncompromised computer","Remove the nodemon-lint package from all affected systems","Perform a full security audit and malware scan of affected systems","Review system logs and network traffic for signs of unauthorized access or data exfiltration","Consider full system reimaging if the system contained sensitive data or had privileged access"],"sources":[{"url":"https://github.com/advisories/GHSA-cjg8-jrqm-2q9r","title":"GitHub Advisory GHSA-cjg8-jrqm-2q9r","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-regexp-ts-t1lg1y","url":"https://supplychainattack.org/incident/malware-in-regexp-ts-t1lg1y","title":"Malware in regexp-ts","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-08","lastUpdated":"2026-06-08","blastRadius":"Any system with regexp-ts installed or running","affectedEntities":[{"name":"regexp-ts"}],"summary":"The npm package regexp-ts contains malware that provides full system compromise to attackers. 
Any computer with this package installed should be considered fully compromised and all secrets and keys rotated immediately from a different machine.","iocs":{"packages":["regexp-ts"]},"remediation":["Immediately isolate any computer with regexp-ts installed from the network","Rotate all secrets, API keys, and credentials from a different, uncompromised computer","Remove the regexp-ts package from all affected systems","Conduct a full forensic investigation and malware scan of affected systems","Review system logs and network traffic for signs of unauthorized access or data exfiltration","Consider full system reimaging if the compromise is confirmed to be widespread"],"sources":[{"url":"https://github.com/advisories/GHSA-5p9w-932r-cr5f","title":"GitHub Advisory GHSA-5p9w-932r-cr5f","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-chai-mocks-bw7o1x","url":"https://supplychainattack.org/incident/malware-in-chai-mocks-bw7o1x","title":"Malware in chai-mocks","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-08","lastUpdated":"2026-06-08","blastRadius":"Any system with chai-mocks installed or running","affectedEntities":[{"name":"chai-mocks","note":"npm package"}],"summary":"Malware was discovered in the npm package chai-mocks. 
Systems with this package installed are considered fully compromised and require immediate remediation including secret rotation and package removal.","iocs":{"packages":["chai-mocks"]},"remediation":["Immediately rotate all secrets and keys from a different, uncompromised computer","Remove the chai-mocks package from all affected systems","Conduct a full security audit of any system that had chai-mocks installed","Consider the affected system(s) as potentially fully compromised and plan for complete rebuild if critical","Review access logs and monitor for unauthorized activity on affected systems"],"sources":[{"url":"https://github.com/advisories/GHSA-5wqh-hxqx-c6j3","title":"GitHub Advisory GHSA-5wqh-hxqx-c6j3","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-nodemon-copack-g68tnq","url":"https://supplychainattack.org/incident/malware-in-nodemon-copack-g68tnq","title":"Malware in nodemon-copack","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-08","lastUpdated":"2026-06-08","blastRadius":"Any system with nodemon-copack installed or executed","affectedEntities":[{"name":"nodemon-copack","note":"Malicious npm package"}],"summary":"The npm package nodemon-copack contained malware that grants full system compromise to attackers. 
Any computer with this package installed or running should be considered fully compromised.","iocs":{"packages":["nodemon-copack"]},"remediation":["Immediately isolate any computer that has nodemon-copack installed or has executed it","Rotate all secrets, API keys, credentials, and signing keys from a different, uncompromised computer","Remove the nodemon-copack package from all systems","Perform a full forensic analysis and malware scan on affected systems","Review system logs and network traffic for signs of unauthorized access or data exfiltration","Consider full system rebuild if sensitive data or systems were compromised"],"sources":[{"url":"https://github.com/advisories/GHSA-pw2c-3h97-j57f","title":"GitHub Advisory GHSA-pw2c-3h97-j57f","publisher":"GitHub Advisory Database"}]},{"id":"the-hades-campaign-graph-ml-pypi-packages-deploy-cross-platform-memory-scrapers-1i5lk3","url":"https://supplychainattack.org/incident/the-hades-campaign-graph-ml-pypi-packages-deploy-cross-platform-memory-scrapers-1i5lk3","title":"The Hades Campaign: Graph ML PyPI Packages Deploy Cross-Platform Memory Scrapers, AI Analyst Misdirection, and a Wiper Deterrent","status":"active","severity":"critical","ecosystems":["pypi"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-08","lastUpdated":"2026-06-08","blastRadius":"Multiple Graph ML packages in the bioinformatics ecosystem; cross-platform impact via memory scrapers","affectedEntities":[{"name":"Graph ML PyPI packages","note":"Multiple packages in the bioinformatics ecosystem compromised in the Hades campaign"}],"summary":"On June 8, 2026, multiple Graph ML PyPI packages were compromised in the Hades campaign, deploying cross-platform memory scrapers, AI prompt injections for analyst misdirection, and token-revocation wipers. 
The attack targeted the bioinformatics ecosystem with sophisticated evasion techniques.","iocs":{"packages":["Graph ML PyPI packages"]},"remediation":["Immediately audit and revoke any tokens or credentials that may have been exposed through affected Graph ML packages","Scan systems for memory scraper artifacts and indicators of compromise","Review and update all dependencies on Graph ML PyPI packages to patched versions","Implement enhanced monitoring for suspicious memory access patterns and token usage","Conduct forensic analysis to identify the scope of data exfiltration","Apply principle of least privilege to limit impact of future package compromises"],"sources":[{"url":"https://www.stepsecurity.io/blog/the-hades-campaign-pypi-packages","title":"The Hades Campaign: Graph ML PyPI Packages Deploy Cross-Platform Memory Scrapers, AI Analyst Misdirection, and a Wiper Deterrent","publisher":"StepSecurity"}]},{"id":"new-shai-hulud-attack-trojanizes-19-science-focused-pypi-packages-1gf74g","url":"https://supplychainattack.org/incident/new-shai-hulud-attack-trojanizes-19-science-focused-pypi-packages-1gf74g","title":"New Shai-Hulud attack trojanizes 19 science-focused PyPI packages","status":"contained","severity":"high","ecosystems":["pypi"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-08","lastUpdated":"2026-06-08","blastRadius":"Hundreds of thousands of downloads across 19 science-focused PyPI packages","affectedEntities":[{"name":"19 science-focused PyPI packages","note":"Specific package names not provided in source text"}],"summary":"Hackers compromised 19 science-focused packages on PyPI in a Shai-Hulud supply-chain attack. 
The trojanized packages were collectively downloaded hundreds of thousands of times and delivered malware designed to steal developer secrets.","iocs":null,"remediation":["Identify and audit all installations of the 19 compromised science-focused PyPI packages","Review and rotate any developer secrets, credentials, or API keys that may have been exposed","Monitor systems for signs of malware activity or unauthorized access","Update to patched versions of affected packages once available","Implement package verification and integrity checks in dependency management workflows"],"sources":[{"url":"https://www.bleepingcomputer.com/news/security/new-shai-hulud-attack-trojanizes-19-science-focused-pypi-packages/","title":"New Shai-Hulud attack trojanizes 19 science-focused PyPI packages","publisher":"BleepingComputer"}]},{"id":"miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositorie-rl1iv8","url":"https://supplychainattack.org/incident/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositorie-rl1iv8","title":"Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Agents","status":"contained","severity":"critical","ecosystems":["ai-agents"],"attackVectors":["malicious-commit","account-takeover"],"disclosedDate":"2026-06-05","lastUpdated":"2026-06-07","blastRadius":"73 Microsoft GitHub repositories across four organizations disabled; potential exposure to developers using AI coding agents (Claude Code, Gemini CLI, Cursor, VS Code).","affectedEntities":[{"name":"Azure/durabletask","note":"Primary repository targeted with malicious commit planting credential-harvesting payload"},{"name":"Azure Functions Action","note":"Part of 73 disabled repositories"},{"name":"Microsoft GitHub organizations","note":"73 repositories across four Microsoft organizations disabled","versions":[]}],"summary":"On June 5, 2026, the Miasma worm campaign compromised 
Microsoft's Azure GitHub organizations by pushing a malicious commit to the Azure/durabletask repository using a compromised contributor account. GitHub disabled 73 repositories across four Microsoft organizations after configuration files were planted to harvest credentials when developers opened repositories in AI coding agents like Claude Code, Gemini CLI, Cursor, or VS Code.","iocs":null,"remediation":["Audit all repositories in affected Microsoft GitHub organizations for unauthorized commits and configuration files","Review access logs for the compromised contributor account and revoke credentials","Implement commit signing requirements and enhance branch protection policies","Scan developer machines that may have cloned or interacted with affected repositories","Monitor for credential exfiltration from accounts that accessed the poisoned repositories","Review and update secrets/API keys that may have been harvested","Deploy additional detection for suspicious configuration files in CI/CD workflows"],"sources":[{"url":"https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositories-disabled-after-supply-chain-attack-targeting-ai-coding-agents","title":"Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled After Supply Chain Attack Targeting AI Coding Agents","publisher":"StepSecurity"}]},{"id":"miasma-npm-supply-chain-attack-self-spreading-worm-via-phantom-gyp-1b4n1o","url":"https://supplychainattack.org/incident/miasma-npm-supply-chain-attack-self-spreading-worm-via-phantom-gyp-1b4n1o","title":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package","malicious-commit"],"disclosedDate":"2026-06-04","lastUpdated":"2026-06-07","blastRadius":"Multiple npm packages and maintainer accounts compromised; self-spreading mechanism increases exposure across the 
ecosystem","affectedEntities":[{"name":"Multiple npm packages","note":"Dozens of packages compromised via binding.gyp injection; specific package names not disclosed in source"}],"summary":"A self-replicating worm named Miasma is spreading across the npm registry by injecting malicious code into binding.gyp files, which execute during npm install without requiring package.json script modifications. The attack has already compromised dozens of packages across multiple maintainer accounts and evades conventional security detection.","iocs":null,"remediation":["Immediately audit npm packages with native module dependencies (those using binding.gyp)","Review binding.gyp file contents in installed packages for suspicious code","Monitor for unexpected network connections or system modifications post-npm install","Update npm audit tools and security scanners to detect binding.gyp-based attacks","Consider temporary restrictions on packages with binding.gyp dependencies until patched","Review npm account security and enable two-factor authentication on maintainer accounts","Check package integrity and look for recent unauthorized commits or releases"],"sources":[{"url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm","title":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp","publisher":"StepSecurity"}]},{"id":"hola-browser-for-windows-compromised-to-deliver-cryptominer-1smv3g","url":"https://supplychainattack.org/incident/hola-browser-for-windows-compromised-to-deliver-cryptominer-1smv3g","title":"Hola Browser for Windows compromised to deliver cryptominer","status":"contained","severity":"high","ecosystems":["other"],"attackVectors":["compromised-package","update-server-compromise"],"disclosedDate":"2026-06-04","lastUpdated":"2026-06-07","blastRadius":"Windows users of Hola Browser","affectedEntities":[{"name":"Hola Browser","note":"Windows version compromised to deliver cryptominer"}],"summary":"The Windows 
version of Hola Browser was compromised in a supply chain attack that delivered an undeclared cryptocurrency miner executable to users. The compromise affected the browser's distribution or update mechanism.","iocs":{"packages":["Hola Browser"]},"remediation":["Uninstall Hola Browser for Windows immediately","Scan systems for cryptocurrency miner processes and artifacts","Monitor system resources for unusual CPU usage or network activity indicative of cryptomining","Update to a patched version of Hola Browser once available from official sources","Consider using alternative browsers from trusted vendors"],"sources":[{"url":"https://www.bleepingcomputer.com/news/security/hola-browser-for-windows-compromised-to-deliver-cryptominer/","title":"Hola Browser for Windows compromised to deliver cryptominer","publisher":"BleepingComputer"}]},{"id":"new-ironworm-malware-hits-36-packages-in-npm-supply-chain-attack-12l3ww","url":"https://supplychainattack.org/incident/new-ironworm-malware-hits-36-packages-in-npm-supply-chain-attack-12l3ww","title":"New IronWorm malware hits 36 packages in npm supply-chain attack","status":"active","severity":"high","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-04","lastUpdated":"2026-06-07","blastRadius":"36 npm packages with potential widespread downstream impact depending on package popularity and usage","affectedEntities":[{"name":"36 npm packages","note":"Specific package names not provided in source text"}],"summary":"A supply-chain attack infected 36 packages on npm with IronWorm infostealer malware. 
The attack compromised multiple packages in the Node Package Manager ecosystem, potentially affecting downstream users and applications.","iocs":null,"remediation":["Identify and audit all npm packages installed in your projects for the 36 affected packages","Remove or update any affected packages immediately","Review package-lock.json or yarn.lock files for evidence of installation","Scan systems that may have executed code from affected packages for IronWorm malware indicators","Monitor npm security advisories for the specific package names and versions","Implement stricter package vetting and dependency scanning in your development pipeline"],"sources":[{"url":"https://www.bleepingcomputer.com/news/security/new-ironworm-malware-hits-36-packages-in-npm-supply-chain-attack/","title":"New IronWorm malware hits 36 packages in npm supply-chain attack","publisher":"BleepingComputer"}]},{"id":"multiple-redhat-cloud-services-npm-packages-compromised-1gtdw3","url":"https://supplychainattack.org/incident/multiple-redhat-cloud-services-npm-packages-compromised-1gtdw3","title":"Multiple redhat-cloud-services npm Packages compromised","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-02","lastUpdated":"2026-06-07","blastRadius":"Multiple packages in @redhat-cloud-services npm scope; affects RedHat Cloud Services frontend ecosystem and any projects using these packages","affectedEntities":[{"name":"@redhat-cloud-services (multiple packages)","note":"Scope-wide compromise affecting multiple packages in the RedHat Cloud Services namespace"}],"summary":"Multiple npm packages in the @redhat-cloud-services scope were compromised with malicious payloads. 
The attack used preinstall hooks to execute a multi-stage credential harvester targeting cloud and CI/CD platform secrets.","iocs":{"packages":["@redhat-cloud-services (multiple packages)"]},"remediation":["Immediately audit npm install logs to identify if any affected @redhat-cloud-services packages were installed","Rotate all credentials and secrets that may have been exposed (GitHub Actions secrets, AWS keys, GCP credentials, Azure credentials, npm tokens, CircleCI tokens)","Audit account activity and access logs for unauthorized changes or access","Upgrade all @redhat-cloud-services packages to patched versions once available","Review npm package.json dependencies and lock files to identify exact versions that were installed","Monitor for suspicious activity in connected cloud and CI/CD platforms"],"sources":[{"url":"https://www.stepsecurity.io/blog/multiple-redhat-cloud-services-npm-packages-compromised","title":"Multiple redhat-cloud-services npm Packages compromised","publisher":"StepSecurity"}]},{"id":"miasma-supply-chain-attack-targeting-redhat-npm-packages-1kq1ng","url":"https://supplychainattack.org/incident/miasma-supply-chain-attack-targeting-redhat-npm-packages-1kq1ng","title":"Miasma: Supply Chain Attack Targeting RedHat npm Packages","status":"active","severity":"high","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-07","blastRadius":"RedHat npm ecosystem users","affectedEntities":[{"name":"RedHat npm packages","note":"Specific package names not disclosed in source text"}],"summary":"Miasma is a supply chain attack targeting RedHat npm packages, leveraging malicious npm packages based on the open-sourced Mini Shai-Hulud malware. 
Specific affected packages and versions were not disclosed in the available source text.","iocs":null,"remediation":["Review npm package dependencies for any packages linked to the Miasma attack","Monitor for and remove any malicious npm packages from your supply chain","Implement npm package verification and integrity checks","Consult Wiz's published indicators of compromise (IoCs) for detection","Update to patched versions of affected packages once available"],"sources":[{"url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages","title":"Miasma: Supply Chain Attack Targeting RedHat npm Packages","publisher":"Wiz"}]},{"id":"laravel-lang-supply-chain-attack-every-tag-across-multiple-composer-packages-rew-h0akan","url":"https://supplychainattack.org/incident/laravel-lang-supply-chain-attack-every-tag-across-multiple-composer-packages-rew-h0akan","title":"Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten to Steal CI Secrets","status":"contained","severity":"critical","ecosystems":["other"],"attackVectors":["account-takeover","malicious-commit"],"disclosedDate":"2026-05-22","lastUpdated":"2026-06-07","blastRadius":"Multiple popular Composer packages in the Laravel-Lang organization; any developer running composer update or fresh installs of affected packages","affectedEntities":[{"name":"laravel-lang/http-statuses"},{"name":"laravel-lang/actions"},{"name":"laravel-lang/attributes"}],"summary":"On May 22, 2026, an attacker with push access to the Laravel-Lang GitHub organization rewrote git tags across multiple Composer packages to distribute malicious payloads that exfiltrate CI secrets. 
The attack affected laravel-lang/http-statuses, laravel-lang/actions, and laravel-lang/attributes, targeting developers who ran composer update or fresh installations.","iocs":null,"remediation":["Revoke and regenerate any CI secrets (API keys, tokens, credentials) that may have been exposed","Audit all CI/CD workflows and recent actions for unauthorized access or exfiltration","Update to patched versions of laravel-lang/http-statuses, laravel-lang/actions, and laravel-lang/attributes once released","Enable two-factor authentication (2FA) and review access controls for high-privilege accounts in the Laravel-Lang GitHub organization","Review git history and tags across all Laravel-Lang repositories for other unauthorized changes","Consider signing commits and tags with GPG to detect future tampering","Monitor for any connections to the typosquatted attacker domain mentioned in the incident report"],"sources":[{"url":"https://www.stepsecurity.io/blog/laravel-lang-supply-chain-attack","title":"Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Rewritten to Steal CI Secrets","publisher":"StepSecurity"}]},{"id":"microsoft-s-durabletask-pypi-package-compromised-in-supply-chain-attack-vomlz6","url":"https://supplychainattack.org/incident/microsoft-s-durabletask-pypi-package-compromised-in-supply-chain-attack-vomlz6","title":"Microsoft's durabletask PyPI Package Compromised in Supply Chain Attack","status":"contained","severity":"critical","ecosystems":["pypi"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-19","lastUpdated":"2026-06-07","blastRadius":"Unknown number of Python developers and organizations using the affected durabletask package versions; potential for widespread credential theft and lateral movement in cloud environments.","affectedEntities":[{"name":"durabletask","note":"Microsoft's official Python SDK; three malicious versions published to PyPI"}],"summary":"Three malicious versions of Microsoft's durabletask 
Python package were published to PyPI on May 19, 2026, containing a 28 KB payload that steals credentials from cloud providers (AWS, Azure, GCP), Kubernetes, password managers, and developer tools. The attack has been attributed to the TeamPCP threat group and exhibits indicators of Eastern European cybercrime operations.","iocs":{"packages":["durabletask"]},"remediation":["Immediately identify and audit all systems that installed the affected durabletask versions from PyPI between May 19, 2026 and the malicious versions' removal","Rotate credentials for AWS, Azure, GCP, Kubernetes, password managers, and affected developer tools on potentially compromised systems","Monitor cloud infrastructure for signs of lateral movement and unauthorized access","Pin durabletask to a known-good version from before May 19, 2026 or wait for an official patched release from Microsoft","Review logs from compromised systems for data exfiltration and unauthorized API calls"],"sources":[{"url":"https://www.stepsecurity.io/blog/microsofts-durabletask-pypi-package-compromised-in-supply-chain-attack","title":"Microsoft's durabletask PyPI Package Compromised in Supply Chain Attack","publisher":"StepSecurity"}]},{"id":"active-supply-chain-attack-malicious-node-ipc-versions-published-to-npm-kldfl8","url":"https://supplychainattack.org/incident/active-supply-chain-attack-malicious-node-ipc-versions-published-to-npm-kldfl8","title":"Active Supply Chain Attack: Malicious node-ipc Versions Published to npm","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-19","lastUpdated":"2026-06-07","blastRadius":"Multiple npm package consumers; potential exposure of cloud credentials, SSH keys, and CI/CD secrets","affectedEntities":[{"name":"node-ipc","note":"Three malicious versions containing obfuscated payload for credential theft"}],"summary":"StepSecurity identified multiple malicious releases of the popular node-ipc npm 
package containing an obfuscated payload designed to steal cloud credentials, SSH keys, and CI/CD secrets. The attack is ongoing and under active analysis.","iocs":{"packages":["node-ipc"]},"remediation":["Immediately audit npm package dependencies for node-ipc presence and version","Remove or update to a known-safe version of node-ipc if installed","Rotate all cloud credentials, SSH keys, and CI/CD secrets that may have been exposed","Review logs for suspicious access patterns during the compromise window","Monitor for unauthorized access to cloud resources and repositories","Implement package pinning and verification practices to prevent future compromise"],"sources":[{"url":"https://www.stepsecurity.io/blog/node-ipc-npm-supply-chain-attack","title":"Active Supply Chain Attack: Malicious node-ipc Versions Published to npm","publisher":"StepSecurity"}]},{"id":"shai-hulud-here-we-go-again-mass-npm-supply-chain-attack-hits-the-antv-ecosystem-1kfeld","url":"https://supplychainattack.org/incident/shai-hulud-here-we-go-again-mass-npm-supply-chain-attack-hits-the-antv-ecosystem-1kfeld","title":"Shai-Hulud: Here We Go Again. Mass npm Supply Chain Attack Hits the AntV Ecosystem","status":"active","severity":"critical","ecosystems":["npm","other"],"attackVectors":["compromised-package","account-takeover"],"disclosedDate":"2026-05-19","lastUpdated":"2026-06-07","blastRadius":"Thousands of public GitHub repositories affected; multiple packages across Alibaba's AntV ecosystem and dependent projects compromised","affectedEntities":[{"name":"echarts-for-react","note":"AntV ecosystem package"},{"name":"timeago.js","note":"AntV ecosystem package"},{"name":"AntV ecosystem packages","note":"Multiple packages across Alibaba's data visualization ecosystem"}],"summary":"A new wave of the Mini Shai-Hulud worm has compromised multiple npm packages across Alibaba's AntV data visualization ecosystem, including echarts-for-react and timeago.js. 
Stolen CI/CD secrets are being exfiltrated and dumped to thousands of public GitHub repositories as the attack spreads.","iocs":null,"remediation":["Review the linked advisory; remove or upgrade the affected component and rotate any exposed credentials."],"sources":[{"url":"https://www.stepsecurity.io/blog/shai-hulud-here-we-go-again-mass-npm-supply-chain-attack-hits-the-antv-ecosystem","title":"Shai-Hulud: Here We Go Again. Mass npm Supply Chain Attack Hits the AntV Ecosystem","publisher":"StepSecurity"}]},{"id":"durabletask-teampcp-s-latest-pypi-compromise-84w43k","url":"https://supplychainattack.org/incident/durabletask-teampcp-s-latest-pypi-compromise-84w43k","title":"durabletask: TeamPCP's Latest PyPi Compromise","status":"resolved","severity":"high","ecosystems":["pypi"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-19","lastUpdated":"2026-06-07","blastRadius":"Unknown scope; PyPI package with potential wide reach depending on adoption.","affectedEntities":[{"name":"durabletask","note":"PyPI package compromised with malicious versions"}],"summary":"Malicious versions of the PyPI package durabletask were published, attributed to the TeamPCP threat actor. 
The attack matches known TeamPCP tactics used in prior supply chain compromises.","iocs":{"packages":["durabletask"]},"remediation":["Immediately audit all systems for installation of durabletask and identify affected versions","Remove or upgrade durabletask to a known clean version from PyPI","Review package dependencies and supply chain for similar compromises","Enable package integrity verification and monitor PyPI for malicious uploads","Implement runtime detection for indicators of compromise from malicious durabletask execution"],"sources":[{"url":"https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack","title":"durabletask: TeamPCP's Latest PyPi Compromise","publisher":"Wiz"}]},{"id":"the-worm-that-keeps-on-digging-teampcp-hits-antv-in-latest-wave-1lm5r0","url":"https://supplychainattack.org/incident/the-worm-that-keeps-on-digging-teampcp-hits-antv-in-latest-wave-1lm5r0","title":"The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave","status":"active","severity":"critical","ecosystems":["npm","other"],"attackVectors":["account-takeover","compromised-package","malicious-maintainer"],"disclosedDate":"2026-05-19","lastUpdated":"2026-06-07","blastRadius":"Multi-ecosystem; affects GitHub, NPM, and VSCode users; credential theft and persistence mechanisms enable lateral movement.","affectedEntities":[{"name":"@antv","note":"Targeted by TeamPCP in supply chain compromise"}],"summary":"TeamPCP conducted a multi-ecosystem supply chain compromise targeting the @antv package and associated development infrastructure. 
The attack leveraged GitHub, NPM, and VSCode to steal credentials and establish persistence mechanisms.","iocs":null,"remediation":["Immediately audit and revoke any credentials exposed through GitHub or VSCode integrations","Review @antv package versions and their installation sources; verify package integrity and provenance","Scan development environments for persistence mechanisms or suspicious artifacts","Monitor GitHub and NPM accounts for unauthorized activity or commits","Implement Code Signing verification for package installations","Isolate affected systems and conduct forensic analysis to identify lateral movement","Apply principle of least privilege to GitHub tokens and NPM credentials"],"sources":[{"url":"https://www.wiz.io/blog/mini-shai-hulud-teampcp-hits-antv-supply-chain","title":"The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave","publisher":"Wiz"}]},{"id":"teampcp-s-mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-compromis-19lamt","url":"https://supplychainattack.org/incident/teampcp-s-mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-compromis-19lamt","title":"TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages","status":"active","severity":"critical","ecosystems":["npm","other"],"attackVectors":["compromised-package","build-system-compromise"],"disclosedDate":"2026-05-12","lastUpdated":"2026-06-07","blastRadius":"Multiple npm packages in the TanStack ecosystem and potentially spreading across npm","affectedEntities":[{"name":"@tanstack","note":"Official TanStack npm packages compromised"}],"summary":"The Mini Shai-Hulud worm is actively compromising legitimate npm packages by hijacking CI/CD pipelines and stealing developer secrets. 
The attack was first detected by StepSecurity in official @tanstack packages and is spreading across the npm ecosystem in real time.","iocs":{"packages":["@tanstack"]},"remediation":["Identify and audit all CI/CD pipeline configurations for the affected @tanstack packages and any packages that depend on them","Rotate all developer credentials and secrets that may have been exposed","Review npm account access logs and implement additional authentication controls (e.g., 2FA) for npm accounts","Scan build systems and deployment infrastructure for signs of compromise or injected malicious code","Subscribe to StepSecurity's OSS Package Security Feed for ongoing alerts about this campaign","Audit package dependencies for compromised versions and update to clean releases"],"sources":[{"url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem","title":"TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages","publisher":"StepSecurity"}]},{"id":"mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised-19yya2","url":"https://supplychainattack.org/incident/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised-19yya2","title":"Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised","status":"active","severity":"high","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-12","lastUpdated":"2026-06-07","blastRadius":"Multiple high-value npm packages including TanStack ecosystem","affectedEntities":[{"name":"TanStack ecosystem packages","note":"Multiple packages targeted; specific versions not provided in available excerpt"},{"name":"Other npm packages","note":"Referenced as part of Mini Shai-Hulud campaign; specific names and versions not detailed"}],"summary":"A supply chain campaign called \"Mini Shai-Hulud\" has compromised multiple npm packages, including high-value TanStack developer 
tooling. The campaign appears to be an ongoing effort targeting critical npm infrastructure.","iocs":{"packages":["tanstack"]},"remediation":["Identify and audit all npm dependencies from TanStack and associated packages in your supply chain","Review package versions and compare against known-compromised versions from the Mini Shai-Hulud campaign","Implement enhanced dependency scanning and monitoring for npm packages","Follow Wiz's detection and mitigation guidance for compromised packages","Consider pinning dependencies to known-safe versions pending patched releases","Monitor npm registry and security advisories for updated threat information"],"sources":[{"url":"https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised","title":"Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised","publisher":"Wiz"}]},{"id":"teampcp-injects-two-stage-credential-stealer-into-xinference-pypi-package-1du39z","url":"https://supplychainattack.org/incident/teampcp-injects-two-stage-credential-stealer-into-xinference-pypi-package-1du39z","title":"TeamPCP Injects Two-Stage Credential Stealer into xinference PyPI Package","status":"contained","severity":"critical","ecosystems":["pypi"],"attackVectors":["compromised-package","malicious-maintainer"],"disclosedDate":"2026-05-04","lastUpdated":"2026-06-07","blastRadius":"Unknown - dependent on xinference adoption and versions exposed","affectedEntities":[{"name":"xinference","note":"PyPI package compromised with two-stage credential stealer"}],"summary":"The xinference package on PyPI was compromised with a two-stage credential stealer attributed to the TeamPCP threat actor. 
The malicious code was injected into the package, potentially affecting users who installed compromised versions.","iocs":{"packages":["xinference"]},"remediation":["Identify and audit all systems that installed xinference during the attack window","Rotate all credentials on affected systems immediately","Upgrade xinference to a patched, verified-clean version from the maintainers","Review package source repository commit history for unauthorized changes","Monitor for credential theft indicators and suspicious authentication activity","Implement package pinning and verification controls in package management workflows"],"sources":[{"url":"https://www.stepsecurity.io/blog/teampcp-injects-two-stage-credential-stealer-into-xinference-pypi-package","title":"TeamPCP Injects Two-Stage Credential Stealer into xinference PyPI Package","publisher":"StepSecurity"}]},{"id":"bitwarden-cli-hijacked-on-npm-bun-staged-credential-stealer-targets-developers-g-n1hhgh","url":"https://supplychainattack.org/incident/bitwarden-cli-hijacked-on-npm-bun-staged-credential-stealer-targets-developers-g-n1hhgh","title":"Bitwarden CLI Hijacked on npm: Bun-Staged Credential Stealer Targets Developers, GitHub Actions, and AI Tools","status":"contained","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-04","lastUpdated":"2026-06-07","blastRadius":"Developers using @bitwarden/cli, GitHub Actions workflows, and AI tooling environments","affectedEntities":[{"name":"@bitwarden/cli","versions":["2026.4.0"]}],"summary":"@bitwarden/cli@2026.4.0 was compromised on npm with a malicious preinstall hook that deployed an obfuscated credential stealer. 
The malware harvests developer secrets, GitHub Actions tokens, and AI tool configurations, exfiltrating encrypted data to a Checkmarx-impersonating domain.","iocs":{"domains":["audit.checkmarx.cx"],"packages":["@bitwarden/cli@2026.4.0"]},"remediation":["Immediately uninstall or upgrade @bitwarden/cli from version 2026.4.0 to a verified patched version","Audit npm install logs and lock files for evidence of package installation between the compromise and remediation dates","Rotate all developer credentials, GitHub personal access tokens, and API keys that may have been exposed","Review GitHub Actions workflow history and commit logs for unauthorized modifications or malicious injections","Scan ~/.claude.json and other AI tool configuration directories on affected systems for evidence of exfiltration","Monitor network traffic and logs for connections to audit.checkmarx.cx or other suspicious domains","Regenerate CI/CD secrets and runner tokens within GitHub Actions and other CI/CD platforms","Implement package registry integrity monitoring and preinstall script auditing to prevent future supply chain attacks"],"sources":[{"url":"https://www.stepsecurity.io/blog/bitwarden-cli-hijacked-on-npm-bun-staged-credential-stealer-targets-developers-github-actions-and-ai-tools","title":"Bitwarden CLI Hijacked on npm: Bun-Staged Credential Stealer Targets Developers, GitHub Actions, and AI Tools","publisher":"StepSecurity"}]},{"id":"a-mini-shai-hulud-has-appeared-obfuscated-bun-runtime-payloads-hit-sap-related-n-1ec9xf","url":"https://supplychainattack.org/incident/a-mini-shai-hulud-has-appeared-obfuscated-bun-runtime-payloads-hit-sap-related-n-1ec9xf","title":"A Mini Shai-Hulud Has Appeared: Obfuscated Bun Runtime Payloads Hit SAP-Related npm Packages","status":"active","severity":"high","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-04","lastUpdated":"2026-06-07","blastRadius":"SAP ecosystem; npm-dependent 
applications","affectedEntities":[{"name":"SAP-related npm packages","note":"At least two packages confirmed compromised"}],"summary":"StepSecurity identified an npm supply chain attack campaign targeting SAP-ecosystem packages using preinstall hooks to download and execute an obfuscated Bun runtime payload. At least two SAP-related npm packages have been confirmed compromised in this active campaign.","iocs":{"packages":["<UNKNOWN>"]},"remediation":["Audit npm package installations and preinstall hooks for suspicious activity","Review and update SAP-related npm dependencies to patched versions once available","Inspect package-lock.json and node_modules for unauthorized Bun runtime downloads","Monitor for and block execution of unverified Bun runtime binaries in build and development environments","Enable strict npm audit scanning and consider using lock file integrity verification","Check npm audit logs and installation history for affected packages"],"sources":[{"url":"https://www.stepsecurity.io/blog/a-mini-shai-hulud-has-appeared","title":"A Mini Shai-Hulud Has Appeared: Obfuscated Bun Runtime Payloads Hit SAP-Related npm Packages","publisher":"StepSecurity"}]},{"id":"shai-hulud-worm-pivots-to-multi-cloud-intercom-client-7-0-4-hijacked-361-000-wee-5p9im6","url":"https://supplychainattack.org/incident/shai-hulud-worm-pivots-to-multi-cloud-intercom-client-7-0-4-hijacked-361-000-wee-5p9im6","title":"Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Scope","status":"active","severity":"critical","ecosystems":["npm","other"],"attackVectors":["compromised-package","build-system-compromise","account-takeover"],"disclosedDate":"2026-05-04","lastUpdated":"2026-06-07","blastRadius":"Extremely broad. intercom-client@7.0.4 has 361,510 weekly downloads. The package is an official Node.js SDK used across numerous organizations, making this one of the highest-impact npm compromises. 
CI/CD credentials stolen from prior victims are enabling continued propagation.","affectedEntities":[{"name":"intercom-client","versions":["7.0.4"]},{"name":"mbt","note":"Compromised prior; CI/CD stolen from this victim","versions":["1.2.48"]},{"name":"@cap-js/sqlite","note":"Compromised prior; CI/CD stolen from this victim","versions":["2.2.2"]}],"summary":"The Shai-Hulud worm has hijacked intercom-client@7.0.4 (361,510 weekly downloads) via a compromised GitHub Actions OIDC publishing pipeline, 29 hours after compromising mbt@1.2.48 and @cap-js/sqlite@2.2.2. The worm is actively propagating through CI/CD infrastructure stolen from earlier victims, targeting multi-cloud credentials (AWS, GCP, Azure).","iocs":{"packages":["intercom-client@7.0.4","mbt@1.2.48","@cap-js/sqlite@2.2.2"]},"remediation":["Immediately revoke intercom-client@7.0.4; upgrade to the latest patched version once available from official Intercom maintainers","Audit and revoke any npm publish tokens, GitHub Actions secrets, and OIDC credentials that may have been exposed through mbt@1.2.48 or @cap-js/sqlite@2.2.2 compromises","Review CI/CD logs for unauthorized package publications or credential exfiltration across all npm packages your organization publishes","Rotate all cloud credentials (AWS IAM keys, GCP service accounts, Azure service principals) that may have been present in CI/CD environments or application runtime","Monitor for unexpected outbound connections or credential exfiltration attempts from applications using intercom-client@7.0.4","Implement stricter OIDC token policies in GitHub Actions, limiting token permissions and implementing audience restrictions","Conduct incident response on any systems running intercom-client@7.0.4, treating as potential compromise with multi-cloud credential exposure"],"sources":[{"url":"https://www.stepsecurity.io/blog/shai-hulud-worm-pivots-to-multi-cloud-intercom-client-hijacked","title":"Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 
Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Scope","publisher":"StepSecurity"}]},{"id":"lightning-obfuscated-javascript-credential-stealer-bundled-in-pypi-wheel-1h10or","url":"https://supplychainattack.org/incident/lightning-obfuscated-javascript-credential-stealer-bundled-in-pypi-wheel-1h10or","title":"lightning: Obfuscated JavaScript Credential Stealer Bundled in PyPI Wheel","status":"contained","severity":"high","ecosystems":["pypi"],"attackVectors":["compromised-package","malicious-maintainer"],"disclosedDate":"2026-04-30","lastUpdated":"2026-06-07","blastRadius":"PyPI package users; direct dependents of lightning 2.6.2 and 2.6.3","affectedEntities":[{"name":"lightning","versions":["2.6.2","2.6.3"]}],"summary":"The lightning PyPI package versions 2.6.2 and 2.6.3 were compromised on April 30, 2026, containing obfuscated JavaScript code designed to steal credentials. The project's GitHub account showed signs of compromise, with suspicious responses closing vulnerability reports.","iocs":null,"remediation":["Immediately uninstall or upgrade lightning to a patched version beyond 2.6.3","Audit any systems that installed lightning 2.6.2 or 2.6.3 for credential compromise or unauthorized access","Review git history and access logs for the lightning GitHub repository to identify the exact point of compromise","Implement code signing and verification for all PyPI packages in your dependency chain","Use dependency scanning tools to detect vulnerable or compromised packages in real-time"],"sources":[{"url":"https://www.stepsecurity.io/blog/lightning-obfuscated-javascript-credential-stealer-bundled-in-pypi-wheel","title":"lightning: Obfuscated JavaScript Credential Stealer Bundled in PyPI 
Wheel","publisher":"StepSecurity"}]},{"id":"supply-chain-campaign-targets-sap-npm-packages-with-credential-stealing-malware-1ghzqn","url":"https://supplychainattack.org/incident/supply-chain-campaign-targets-sap-npm-packages-with-credential-stealing-malware-1ghzqn","title":"Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware","status":"active","severity":"high","ecosystems":["npm"],"attackVectors":["compromised-package","malicious-commit"],"disclosedDate":"2026-04-29","lastUpdated":"2026-06-07","blastRadius":"SAP ecosystem and npm users installing malicious packages","affectedEntities":[{"name":"SAP npm packages","note":"Specific package names not disclosed in source text"}],"summary":"A supply chain campaign dubbed \"Mini Shai Hulud\" targeted SAP npm packages with malicious versions containing credential-stealing malware. The campaign follows patterns similar to previous Shai-Hulud attacks.","iocs":null,"remediation":["Review npm package dependencies for SAP-related packages and check for suspicious versions","Audit supply chain security posture for npm packages using tools recommended by Wiz","Implement npm package signing verification and integrity checking","Monitor for lateral movement or credential theft indicators if potentially affected packages were installed","Follow Wiz's detailed remediation guidance available in their full security report"],"sources":[{"url":"https://www.wiz.io/blog/mini-shai-hulud-supply-chain-sap-npm","title":"Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware","publisher":"Wiz"}]},{"id":"context-ai-oauth-token-compromise-1h8o51","url":"https://supplychainattack.org/incident/context-ai-oauth-token-compromise-1h8o51","title":"Context.ai OAuth Token Compromise","status":"active","severity":"high","ecosystems":["other"],"attackVectors":["account-takeover","third-party-vendor-breach"],"disclosedDate":"2026-04-20","lastUpdated":"2026-06-07","blastRadius":"Unknown; depends on scope 
of OAuth token misuse and number of affected organizations using Context.ai integrations","affectedEntities":[{"name":"Context.ai","note":"OAuth tokens compromised; SaaS vendor"}],"summary":"Context.ai OAuth tokens were compromised, allowing attackers to conduct supply chain attacks through trusted SaaS integrations. Details on scope, timeline, and remediation steps are not provided in the source text.","iocs":null,"remediation":["Review and audit all OAuth token usage and permissions associated with Context.ai integrations","Revoke compromised OAuth tokens immediately","Rotate credentials and review access logs for unauthorized activity","Implement additional authentication controls and monitoring on SaaS integrations","Follow guidance published by Context.ai and Wiz on remediation steps"],"sources":[{"url":"https://www.wiz.io/blog/contextai-oauth-token-compromise","title":"Context.ai OAuth Token Compromise","publisher":"Wiz"}]},{"id":"velora-dex-sdk-compromised-on-npm-malicious-version-drops-macos-backdoor-via-lau-10jrzk","url":"https://supplychainattack.org/incident/velora-dex-sdk-compromised-on-npm-malicious-version-drops-macos-backdoor-via-lau-10jrzk","title":"@velora-dex/sdk Compromised on npm: Malicious Version Drops macOS Backdoor via launchctl Persistence","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-04-09","lastUpdated":"2026-06-07","blastRadius":"Unknown scope; affects any developer or CI/CD environment that imported the malicious package version on macOS","affectedEntities":[{"name":"@velora-dex/sdk"}],"summary":"A malicious version of the @velora-dex/sdk npm package was published, delivering an architecture-aware macOS backdoor that activates on import with no visible indicators. 
The attack occurred at the registry level without repository commits or install hooks.","iocs":{"packages":["@velora-dex/sdk"]},"remediation":["Immediately remove or downgrade @velora-dex/sdk to a known-safe version prior to the compromise","Audit all macOS machines and CI/CD environments that may have imported the malicious package for signs of launchctl-based persistence mechanisms","Check LaunchAgent and LaunchDaemon directories (/Library/LaunchDaemons, /Library/LaunchAgents, ~/Library/LaunchAgents) for suspicious entries","Review process execution logs and network traffic for signs of backdoor activity","Consider using security scanning tools to detect the specific backdoor artifacts if the package version is identified","Monitor npm security advisories for official guidance and a list of affected versions"],"sources":[{"url":"https://www.stepsecurity.io/blog/velora-dex-sdk-compromised-on-npm-malicious-version-drops-macos-backdoor-via-launchctl-persistence","title":"@velora-dex/sdk Compromised on npm: Malicious Version Drops macOS Backdoor via launchctl Persistence","publisher":"StepSecurity"}]},{"id":"10-layers-deep-how-stepsecurity-stops-teampcp-s-trivy-supply-chain-attack-on-git-1gzwzb","url":"https://supplychainattack.org/incident/10-layers-deep-how-stepsecurity-stops-teampcp-s-trivy-supply-chain-attack-on-git-1gzwzb","title":"10 Layers Deep: How StepSecurity Stops TeamPCP's Trivy Supply Chain Attack on GitHub Actions","status":"contained","severity":"high","ecosystems":["other","container-registry"],"attackVectors":["compromised-package","account-takeover"],"disclosedDate":"2026-04-09","lastUpdated":"2026-06-07","blastRadius":"GitHub Actions users relying on Trivy and KICS actions","affectedEntities":[{"name":"Trivy","note":"76 version tags weaponized by TeamPCP"},{"name":"KICS","note":"Similar attack following same playbook"}],"summary":"TeamPCP compromised 76 Trivy version tags on GitHub Actions in an overnight attack, followed by a similar KICS 
compromise using the same methodology. The attacks targeted credential exfiltration through malicious GitHub Actions.","iocs":null,"remediation":["Audit all GitHub Actions workflows using Trivy and KICS for suspicious activity or credential exposure","Rotate any credentials or secrets that may have been exposed through compromised action versions","Implement runtime detection and monitoring of GitHub Actions execution to identify anomalous behavior","Pin GitHub Actions to specific commit SHAs rather than version tags to prevent tag-based attacks","Review GitHub Actions permissions and implement least-privilege access controls","Monitor for and block execution of known compromised action versions"],"sources":[{"url":"https://www.stepsecurity.io/blog/10-layers-deep-how-stepsecurity-stops-teampcps-trivy-supply-chain-attack-on-github-actions","title":"10 Layers Deep: How StepSecurity Stops TeamPCP's Trivy Supply Chain Attack on GitHub Actions","publisher":"StepSecurity"}]},{"id":"cline-supply-chain-attack-detected-cline-2-3-0-silently-installs-openclaw-fw2a0t","url":"https://supplychainattack.org/incident/cline-supply-chain-attack-detected-cline-2-3-0-silently-installs-openclaw-fw2a0t","title":"Cline Supply Chain Attack Detected: cline@2.3.0 Silently Installs OpenClaw","status":"contained","severity":"high","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-04-09","lastUpdated":"2026-06-07","blastRadius":"Users of cline v2.3.0 who installed the affected version.","affectedEntities":[{"name":"cline","versions":["2.3.0"]}],"summary":"Version 2.3.0 of the npm package cline was found to silently install OpenClaw, a malicious payload. 
The attack was detected and the incident is contained.","iocs":{"packages":["cline@2.3.0"]},"remediation":["Immediately uninstall or downgrade from cline@2.3.0 to a known-safe prior version","Audit systems that installed cline@2.3.0 for signs of OpenClaw or related malicious activity","Review npm package lock files and dependency trees to identify affected installations","Monitor for suspicious processes or network connections associated with OpenClaw","Update to a patched version of cline once released by maintainers","Consider using package integrity verification tools to detect similar attacks in the future"],"sources":[{"url":"https://www.stepsecurity.io/blog/cline-supply-chain-attack-detected-cline-2-3-0-silently-installs-openclaw","title":"Cline Supply Chain Attack Detected: cline@2.3.0 Silently Installs OpenClaw","publisher":"StepSecurity"}]},{"id":"axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan-1py3ac","url":"https://supplychainattack.org/incident/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan-1py3ac","title":"axios Compromised on npm - Malicious Versions Drop Remote Access Trojan","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["account-takeover","compromised-package"],"disclosedDate":"2026-04-09","lastUpdated":"2026-06-07","blastRadius":"Extremely widespread; axios is a core HTTP client library with millions of weekly downloads and deep integration across JavaScript/Node.js ecosystems","affectedEntities":[{"name":"axios","versions":["1.14.1","0.30.4"]}],"summary":"A maintainer account for the widely-used axios npm package was compromised and used to publish poisoned versions 1.14.1 and 0.30.4. 
The malicious releases contained a hidden dependency that drops a cross-platform remote access trojan (RAT).","iocs":{"packages":["axios@1.14.1","axios@0.30.4"]},"remediation":["Immediately audit and revoke if necessary: npm access tokens and authentication credentials associated with maintainer accounts","For all systems: verify installed axios versions are not 1.14.1 or 0.30.4; downgrade to a known-safe earlier version if affected","Scan systems for network connections to unknown C2 servers and suspicious process execution initiated by the RAT","Review package-lock.json or yarn.lock files to identify which projects locked these poisoned versions","Enable npm 2FA (two-factor authentication) on all npm accounts with publish permissions","Monitor npm audit feeds and security advisories for official patched releases from axios maintainers","If you run your own registry or proxy, apply filters to block these specific versions from being installed downstream"],"sources":[{"url":"https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan","title":"axios Compromised on npm - Malicious Versions Drop Remote Access Trojan","publisher":"StepSecurity"}]},{"id":"behind-the-scenes-how-stepsecurity-detected-and-helped-remediate-the-largest-npm-1fmmcy","url":"https://supplychainattack.org/incident/behind-the-scenes-how-stepsecurity-detected-and-helped-remediate-the-largest-npm-1fmmcy","title":"Behind the Scenes: How StepSecurity Detected and Helped Remediate the Largest npm Supply Chain Attack","status":"resolved","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package","malicious-maintainer"],"disclosedDate":"2026-04-09","lastUpdated":"2026-06-07","blastRadius":"Very large - axios is one of the most widely downloaded npm packages; direct impact on all downstream dependents.","affectedEntities":[{"name":"axios"}],"summary":"StepSecurity detected a compromise of axios, described as the largest npm supply chain 
attack on a single package by download count. A state-sponsored threat actor is reported to have actively suppressed warnings by deleting GitHub issues. Detection occurred before public disclosure.","iocs":{"packages":["axios"]},"remediation":["Update axios to a patched version released after the compromise was disclosed","Review audit logs for axios dependency installations during the incident window","Scan downstream projects for any artifacts or behavior introduced by compromised axios versions","Monitor for follow-on exploitation or lateral movement from systems that may have executed compromised code","Enable strict package verification and signing requirements in dependency management workflows"],"sources":[{"url":"https://www.stepsecurity.io/blog/behind-the-scenes-how-stepsecurity-detected-and-helped-remediate-the-largest-npm-supply-chain-attack","title":"Behind the Scenes: How StepSecurity Detected and Helped Remediate the Largest npm Supply Chain Attack","publisher":"StepSecurity"}]},{"id":"six-accounts-one-actor-inside-the-prt-scan-supply-chain-campaign-1s2s4f","url":"https://supplychainattack.org/incident/six-accounts-one-actor-inside-the-prt-scan-supply-chain-campaign-1s2s4f","title":"Six Accounts, One Actor: Inside the prt-scan Supply Chain Campaign","status":"active","severity":"high","ecosystems":["other"],"attackVectors":["malicious-commit","account-takeover"],"disclosedDate":"2026-04-04","lastUpdated":"2026-06-07","blastRadius":"Supply chain developers using prt-scan and similar CI/CD systems exploiting pull_request_target","affectedEntities":[{"name":"prt-scan","note":"Target of supply chain campaign exploiting pull_request_target GitHub Actions feature"}],"summary":"A coordinated supply chain campaign dubbed \"prt-scan\" involved a single attacker controlling six GitHub accounts to exploit the pull_request_target GitHub Actions trigger. 
The campaign represents a follow-up to the earlier hackerbot-claw campaign, targeting CI/CD workflows with AI-powered attack methods.","iocs":null,"remediation":["Audit and restrict use of pull_request_target in GitHub Actions workflows; prefer pull_request trigger with explicit secret management","Implement mandatory code review and approval gates for all pull requests before CI/CD execution","Monitor GitHub account activity for suspicious patterns, including mass account creation and coordinated pull request activity","Apply the principle of least privilege to GitHub Actions secrets and environment variables","Use tools to detect and alert on unusual CI/CD pipeline modifications or account behavior"],"sources":[{"url":"https://www.wiz.io/blog/six-accounts-one-actor-inside-the-prt-scan-supply-chain-campaign","title":"Six Accounts, One Actor: Inside the prt-scan Supply Chain Campaign","publisher":"Wiz"}]},{"id":"malicious-iolitelabs-vscode-extensions-target-solidity-developers-on-windows-mac-1fkfap","url":"https://supplychainattack.org/incident/malicious-iolitelabs-vscode-extensions-target-solidity-developers-on-windows-mac-1fkfap","title":"Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor","status":"active","severity":"critical","ecosystems":["container-registry","other"],"attackVectors":["compromised-package","malicious-maintainer"],"disclosedDate":"2026-04-02","lastUpdated":"2026-06-07","blastRadius":"Solidity and Web3 developers using the affected IoliteLabs VSCode extensions on Windows, macOS, and Linux","affectedEntities":[{"name":"solidity-macos","note":"IoliteLabs VSCode extension"},{"name":"solidity-windows","note":"IoliteLabs VSCode extension"},{"name":"solidity-linux","note":"IoliteLabs VSCode extension"}],"summary":"Three IoliteLabs VSCode extensions (solidity-macos, solidity-windows, solidity-linux) containing obfuscated backdoors targeting Solidity and Web3 developers across Windows, macOS, 
and Linux. The backdoors download remote payloads and establish persistence mechanisms on infected systems.","iocs":{"packages":["solidity-macos","solidity-windows","solidity-linux"]},"remediation":["Immediately uninstall solidity-macos, solidity-windows, and solidity-linux VSCode extensions from all systems","Scan systems for persistence mechanisms and remote payloads left by the backdoor","Review system logs and network traffic for suspicious outbound connections from the backdoor","Reset credentials and API keys used on affected systems","Update VSCode and all extensions to the latest versions from official sources","Monitor for indicators of compromise (IOCs) published by StepSecurity"],"sources":[{"url":"https://www.stepsecurity.io/blog/malicious-iolitelabs-vscode-extensions-target-solidity-developers-on-windows-macos-and-linux-with-backdoor","title":"Malicious IoliteLabs VSCode Extensions Target Solidity Developers on Windows, macOS, and Linux with Backdoor","publisher":"StepSecurity"}]},{"id":"axios-npm-distribution-compromised-in-supply-chain-attack-81wu4e","url":"https://supplychainattack.org/incident/axios-npm-distribution-compromised-in-supply-chain-attack-81wu4e","title":"Axios NPM Distribution Compromised in Supply Chain Attack","status":"active","severity":"high","ecosystems":["npm"],"attackVectors":["account-takeover","malicious-commit"],"disclosedDate":"2026-03-31","lastUpdated":"2026-06-07","blastRadius":"axios npm package and all projects with active dependencies","affectedEntities":[{"name":"axios"}],"summary":"A compromised axios maintainer account led to malicious npm releases affecting projects with active dependencies on the package. 
The incident involved unauthorized releases propagated through the npm distribution network.","iocs":null,"remediation":["Review all axios dependencies and identify currently installed versions","Update axios to the latest patched version from npm","Audit project logs for evidence of code execution from malicious axios releases","Implement dependency integrity checking and lock file verification","Enable account security features for npm maintainer accounts including 2FA","Review and revoke any suspicious API tokens or credentials"],"sources":[{"url":"https://www.wiz.io/blog/axios-npm-compromised-in-supply-chain-attack","title":"Axios NPM Distribution Compromised in Supply Chain Attack","publisher":"Wiz"}]},{"id":"teampcp-plants-wav-steganography-credential-stealer-in-telnyx-pypi-package-iwek9d","url":"https://supplychainattack.org/incident/teampcp-plants-wav-steganography-credential-stealer-in-telnyx-pypi-package-iwek9d","title":"TeamPCP Plants WAV Steganography Credential Stealer in telnyx PyPI Package","status":"contained","severity":"critical","ecosystems":["pypi"],"attackVectors":["compromised-package"],"disclosedDate":"2026-03-27","lastUpdated":"2026-06-07","blastRadius":"Distributed via PyPI; affected all users who installed the malicious telnyx SDK releases. Scope depends on adoption of the two compromised releases.","affectedEntities":[{"name":"telnyx","note":"Python SDK; two releases compromised with WAV steganography credential stealer"}],"summary":"On March 27, 2026, TeamPCP injected a WAV steganography-based credential stealer into two releases of the telnyx Python SDK on PyPI. 
The group was identified by shared cryptographic signatures and exfiltration methods matching their earlier litellm compromise.","iocs":{"packages":["telnyx"]},"remediation":["Immediately revoke and rotate any credentials that may have been exposed through systems running the compromised telnyx SDK releases","Audit PyPI package installation logs to identify which versions of telnyx were deployed and when","Update to a patched version of telnyx Python SDK once released by Telnyx","Scan systems for indicators of the tpcp.tar.gz exfiltration artifact and associated RSA-4096 key signatures","Review authentication logs for suspicious activity during the window when malicious releases were available on PyPI"],"sources":[{"url":"https://www.stepsecurity.io/blog/teampcp-plants-wav-steganography-credential-stealer-in-telnyx-pypi-package","title":"TeamPCP Plants WAV Steganography Credential Stealer in telnyx PyPI Package","publisher":"StepSecurity"}]},{"id":"litellm-credential-stealer-hidden-in-pypi-wheel-ythjti","url":"https://supplychainattack.org/incident/litellm-credential-stealer-hidden-in-pypi-wheel-ythjti","title":"litellm: Credential Stealer Hidden in PyPI Wheel","status":"contained","severity":"critical","ecosystems":["pypi"],"attackVectors":["compromised-package"],"disclosedDate":"2026-03-24","lastUpdated":"2026-06-07","blastRadius":"Python applications using litellm==1.82.8, affecting any system executing the package initialization","affectedEntities":[{"name":"litellm","versions":["1.82.8"]}],"summary":"A critical supply chain compromise in litellm==1.82.8 on PyPI was identified on March 24, 2026. 
The malicious PyPI wheel contains a credential stealer hidden in a litellm_init.pth file that executes during package initialization.","iocs":{"packages":["litellm==1.82.8"]},"remediation":["Immediately uninstall litellm==1.82.8 from all affected systems","Upgrade to a patched version of litellm released after March 24, 2026","Audit and rotate any credentials that may have been exposed on systems that ran the compromised version","Review application logs and credential access logs for suspicious activity during the window the vulnerable package was installed","Implement package pinning and verification in dependency management to prevent installation of compromised versions"],"sources":[{"url":"https://www.stepsecurity.io/blog/litellm-credential-stealer-hidden-in-pypi-wheel","title":"litellm: Credential Stealer Hidden in PyPI Wheel","publisher":"StepSecurity"}]},{"id":"kics-github-action-compromised-teampcp-strikes-again-in-supply-chain-attack-1jcbe8","url":"https://supplychainattack.org/incident/kics-github-action-compromised-teampcp-strikes-again-in-supply-chain-attack-1jcbe8","title":"KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack","status":"contained","severity":"high","ecosystems":["other"],"attackVectors":["account-takeover"],"disclosedDate":"2026-03-23","lastUpdated":"2026-06-07","blastRadius":"GitHub Actions users relying on the KICS GitHub Action during the compromise window (12:58–16:50 UTC on March 23, 2026).","affectedEntities":[{"name":"KICS GitHub Action","note":"35 tags hijacked during the compromise window"}],"summary":"The KICS GitHub Action maintained by Checkmarx was compromised by the TeamPCP threat actor on March 23, 2026, with 35 tags hijacked between 12:58–16:50 UTC. 
The attack was credential-stealing in nature, targeting users of the GitHub Action in their CI/CD workflows.","iocs":{"packages":["KICS GitHub Action"]},"remediation":["Audit GitHub Actions workflows for execution of the KICS GitHub Action between 12:58–16:50 UTC on March 23, 2026","Review GitHub Actions logs and audit trails for suspicious activity or credential access during the compromise window","Rotate any secrets, tokens, or credentials that may have been exposed to the compromised KICS GitHub Action","Update the KICS GitHub Action to a patched version released after the compromise was discovered","Implement GitHub Actions security best practices including pinning action versions to specific commit SHAs rather than tags","Consider using GitHub's OIDC token provider instead of long-lived credentials in CI/CD workflows"],"sources":[{"url":"https://www.wiz.io/blog/teampcp-attack-kics-github-action","title":"KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack","publisher":"Wiz"}]},{"id":"trivy-compromised-everything-you-need-to-know-about-the-latest-supply-chain-atta-103yjm","url":"https://supplychainattack.org/incident/trivy-compromised-everything-you-need-to-know-about-the-latest-supply-chain-atta-103yjm","title":"Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack","status":"contained","severity":"critical","ecosystems":["container-registry","other"],"attackVectors":["compromised-package","malicious-commit"],"disclosedDate":"2026-03-19","lastUpdated":"2026-06-07","blastRadius":"Trivy scanner users and GitHub Actions workflows; potential exposure of credentials and secrets in CI/CD pipelines","affectedEntities":[{"name":"Trivy","note":"Aqua Security's container vulnerability scanner"},{"name":"Trivy GitHub Actions","note":"Related GitHub Actions for Trivy"}],"summary":"On March 19, 2026, threat actors attributed to \"TeamPCP\" injected credential-stealing malware into Aqua Security's Trivy scanner and 
related GitHub Actions. The compromise affected the supply chain of a widely-used container security tool, potentially exposing credentials and secrets in CI/CD environments.","iocs":null,"remediation":["Immediately audit CI/CD logs and environment variables for credential exposure","Rotate all credentials and secrets that may have been exposed through Trivy execution","Update Trivy to a patched version confirmed to be free of malware","Review GitHub Actions workflows using Trivy and verify their integrity","Implement additional credential scanning and secret management controls in CI/CD pipelines","Monitor for unauthorized access using credentials that may have been compromised"],"sources":[{"url":"https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack","title":"Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack","publisher":"Wiz"}]},{"id":"bittensor-wallet-4-0-2-compromised-on-pypi-backdoor-exfiltrates-private-keys-2b196w","url":"https://supplychainattack.org/incident/bittensor-wallet-4-0-2-compromised-on-pypi-backdoor-exfiltrates-private-keys-2b196w","title":"bittensor-wallet 4.0.2 Compromised on PyPI - Backdoor Exfiltrates Private Keys","status":"contained","severity":"critical","ecosystems":["pypi"],"attackVectors":["compromised-package"],"disclosedDate":"2026-03-17","lastUpdated":"2026-06-07","blastRadius":"Unknown—depends on installation count during 48-hour availability window","affectedEntities":[{"name":"bittensor-wallet","versions":["4.0.2"]}],"summary":"bittensor-wallet 4.0.2 was published to PyPI on March 17, 2026 with a backdoor that exfiltrates private keys. 
The compromised package remained available for approximately 48 hours before being yanked from the repository.","iocs":{"packages":["bittensor-wallet==4.0.2"]},"remediation":["Immediately remove bittensor-wallet 4.0.2 from all systems and downgrade to version 4.0.1 or earlier","Rotate any private keys or credentials that may have been present on systems running the compromised version","Audit logs for C2 communication or suspicious network activity associated with the backdoor","Verify that PyPI or your artifact repository is configured to prevent installation of yanked packages","Review installation logs to identify any systems that may have downloaded the compromised package during the 48-hour exposure window"],"sources":[{"url":"https://www.stepsecurity.io/blog/bittensor-wallet-4-0-2-compromised-on-pypi---backdoor-exfiltrates-private-keys","title":"bittensor-wallet 4.0.2 Compromised on PyPI - Backdoor Exfiltrates Private Keys","publisher":"StepSecurity"}]},{"id":"malicious-npm-releases-found-in-popular-react-native-packages-130k-monthly-downl-54qovl","url":"https://supplychainattack.org/incident/malicious-npm-releases-found-in-popular-react-native-packages-130k-monthly-downl-54qovl","title":"Malicious npm Releases Found in Popular React Native Packages - 130K+ Monthly Downloads Compromised","status":"contained","severity":"high","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-03-16","lastUpdated":"2026-06-07","blastRadius":"Popular React Native packages with 130K+ monthly downloads combined; widespread reach across React Native development community","affectedEntities":[{"name":"react-native-international-phone-number","note":"npm package with 130K+ monthly downloads (combined with react-native-country-select)"},{"name":"react-native-country-select","note":"npm package with 130K+ monthly downloads (combined with react-native-international-phone-number)"}],"summary":"Malicious releases were discovered in two popular React Native 
npm packages—react-native-international-phone-number and react-native-country-select—affecting packages with 130K+ monthly downloads combined. StepSecurity detected and reported the compromise on March 16, 2026, and immediately notified maintainers and the community.","iocs":{"packages":["react-native-international-phone-number","react-native-country-select"]},"remediation":["Identify and audit all installations of react-native-international-phone-number and react-native-country-select in your projects","Update to patched versions of both packages as released by maintainers","Review logs and runtime behavior during the window when malicious versions may have been installed","Re-evaluate your npm package supply chain security processes and consider automated detection tools","Monitor npm for any further suspicious releases from these or related packages"],"sources":[{"url":"https://www.stepsecurity.io/blog/malicious-npm-releases-found-in-popular-react-native-packages---130k-monthly-downloads-compromised","title":"Malicious npm Releases Found in Popular React Native Packages - 130K+ Monthly Downloads Compromised","publisher":"StepSecurity"}]},{"id":"xygeni-action-compromised-c2-reverse-shell-backdoor-injected-via-tag-poisoning-xeslq4","url":"https://supplychainattack.org/incident/xygeni-action-compromised-c2-reverse-shell-backdoor-injected-via-tag-poisoning-xeslq4","title":"xygeni-action Compromised: C2 Reverse Shell Backdoor Injected via Tag Poisoning","status":"contained","severity":"critical","ecosystems":["other"],"attackVectors":["account-takeover","malicious-commit"],"disclosedDate":"2026-03-03","lastUpdated":"2026-06-07","blastRadius":"All repositories using @v5 tag of xygeni-action GitHub Action without pinned versions","affectedEntities":[{"name":"xygeni-action","note":"Official GitHub Action for Xygeni supply chain security tool","versions":["v5 (poisoned)"]}],"summary":"The official Xygeni GitHub Action (xygeni-action) was compromised on March 3, 2026, via 
stolen maintainer credentials. An attacker injected a C2 reverse shell backdoor and moved the mutable v5 tag to the malicious commit, silently affecting all workflows referencing @v5. The v5 tag remained poisoned as of March 9, 2026.","iocs":{"ips":["91.214.78.178"],"packages":["xygeni-action"]},"remediation":["Immediately pin xygeni-action to a specific version (v6.4.0 or later) or commit SHA instead of using mutable @v5 tag","Rotate any credentials or secrets that may have been exposed in CI/CD environments during the compromise window (March 3-9, 2026)","Audit workflow runs between March 3-9 for unexpected outbound network connections or suspicious activity","Implement runtime monitoring and network egress controls to detect and block unauthorized C2 callbacks in CI/CD pipelines","Review access logs for the xygeni-action repository to identify potential credential compromise"],"sources":[{"url":"https://www.stepsecurity.io/blog/xygeni-action-compromised-c2-reverse-shell-backdoor-injected-via-tag-poisoning","title":"xygeni-action Compromised: C2 Reverse Shell Backdoor Injected via Tag Poisoning","publisher":"StepSecurity"}]},{"id":"malware-in-reactvora-1oyc9u","url":"https://supplychainattack.org/incident/malware-in-reactvora-1oyc9u","title":"Malware in reactvora","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-05","lastUpdated":"2026-06-06","blastRadius":"npm package(s): reactvora","affectedEntities":[{"name":"reactvora"}],"summary":"Malware in reactvora Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. 
The package should be removed, but as full control of the computer may have been given to an outside ","iocs":{"packages":["reactvora"]},"remediation":["Remove reactvora from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-x4gw-cjrp-c89f","title":"GitHub Advisory GHSA-x4gw-cjrp-c89f","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-utils-mf-1lnjlj","url":"https://supplychainattack.org/incident/malware-in-utils-mf-1lnjlj","title":"Malware in utils-mf","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-05","lastUpdated":"2026-06-06","blastRadius":"npm package(s): utils-mf","affectedEntities":[{"name":"utils-mf"}],"summary":"Malware in utils-mf Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside e","iocs":{"packages":["utils-mf"]},"remediation":["Remove utils-mf from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g.
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-4c54-hwv9-c5xm","title":"GitHub Advisory GHSA-4c54-hwv9-c5xm","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-react-ui-polyfills-1o7dcb","url":"https://supplychainattack.org/incident/malware-in-react-ui-polyfills-1o7dcb","title":"Malware in react-ui-polyfills","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-05","lastUpdated":"2026-06-06","blastRadius":"npm package(s): react-ui-polyfills","affectedEntities":[{"name":"react-ui-polyfills"}],"summary":"Malware in react-ui-polyfills Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an","iocs":{"packages":["react-ui-polyfills"]},"remediation":["Remove react-ui-polyfills from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-v7mj-pmr3-7x4p","title":"GitHub Advisory GHSA-v7mj-pmr3-7x4p","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-glyphr-1slr04","url":"https://supplychainattack.org/incident/malware-in-glyphr-1slr04","title":"Malware in glyphr","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-05","lastUpdated":"2026-06-06","blastRadius":"npm package(s): glyphr","affectedEntities":[{"name":"glyphr"}],"summary":"Malware in glyphr Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. 
The package should be removed, but as full control of the computer may have been given to an outside ent","iocs":{"packages":["glyphr"]},"remediation":["Remove glyphr from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-c988-j68q-h8h4","title":"GitHub Advisory GHSA-c988-j68q-h8h4","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-ulid-os-1krf9e","url":"https://supplychainattack.org/incident/malware-in-ulid-os-1krf9e","title":"Malware in ulid-os","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-05","lastUpdated":"2026-06-06","blastRadius":"npm package(s): ulid-os","affectedEntities":[{"name":"ulid-os"}],"summary":"Malware in ulid-os Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside en","iocs":{"packages":["ulid-os"]},"remediation":["Remove ulid-os from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-fxhm-35h8-7jc7","title":"GitHub Advisory GHSA-fxhm-35h8-7jc7","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-autotel-terminal-1ouq6l","url":"https://supplychainattack.org/incident/malware-in-autotel-terminal-1ouq6l","title":"Malware in autotel-terminal","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-04","lastUpdated":"2026-06-06","blastRadius":"npm package(s): autotel-terminal","affectedEntities":[{"name":"autotel-terminal"}],"summary":"Malware in autotel-terminal Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an o","iocs":{"packages":["autotel-terminal"]},"remediation":["Remove autotel-terminal from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-cw9v-v9rh-r449","title":"GitHub Advisory GHSA-cw9v-v9rh-r449","publisher":"GitHub Advisory Database"}]},{"id":"withdrawn-advisory-malware-in-supabase-ec823h","url":"https://supplychainattack.org/incident/withdrawn-advisory-malware-in-supabase-ec823h","title":"Withdrawn Advisory: Malware in supabase","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-04","lastUpdated":"2026-06-06","blastRadius":"npm package(s): supabase","affectedEntities":[{"name":"supabase"}],"summary":"Withdrawn Advisory: Malware in supabase ### Withdrawn Advisory This advisory has been withdrawn because the malware detection was a false positive. 
This link is maintained to preserve external references. ### Original Description Any computer that has this package installed or running should be considered fully comprom","iocs":{"packages":["supabase"]},"remediation":["Remove supabase from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-x96m-c5fj-q75c","title":"GitHub Advisory GHSA-x96m-c5fj-q75c","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-jagreehal-workflow-g838pk","url":"https://supplychainattack.org/incident/malware-in-jagreehal-workflow-g838pk","title":"Malware in @jagreehal/workflow","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-04","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @jagreehal/workflow","affectedEntities":[{"name":"@jagreehal/workflow"}],"summary":"Malware in @jagreehal/workflow Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to a","iocs":{"packages":["@jagreehal/workflow"]},"remediation":["Remove @jagreehal/workflow from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-6w7v-23mf-65g3","title":"GitHub Advisory GHSA-6w7v-23mf-65g3","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-webpack-json-ii7r1s","url":"https://supplychainattack.org/incident/malware-in-webpack-json-ii7r1s","title":"Malware in webpack-json","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-03","lastUpdated":"2026-06-06","blastRadius":"npm package(s): webpack-json","affectedEntities":[{"name":"webpack-json"}],"summary":"Malware in webpack-json Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outsi","iocs":{"packages":["webpack-json"]},"remediation":["Remove webpack-json from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-69hx-wrc9-h5wq","title":"GitHub Advisory GHSA-69hx-wrc9-h5wq","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-nodemon-pack-16h4jr","url":"https://supplychainattack.org/incident/malware-in-nodemon-pack-16h4jr","title":"Malware in nodemon-pack","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-03","lastUpdated":"2026-06-06","blastRadius":"npm package(s): nodemon-pack","affectedEntities":[{"name":"nodemon-pack"}],"summary":"Malware in nodemon-pack Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. 
The package should be removed, but as full control of the computer may have been given to an outsi","iocs":{"packages":["nodemon-pack"]},"remediation":["Remove nodemon-pack from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-pqxq-jw84-3x8f","title":"GitHub Advisory GHSA-pqxq-jw84-3x8f","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-chai-midpatch-fsdz1h","url":"https://supplychainattack.org/incident/malware-in-chai-midpatch-fsdz1h","title":"Malware in chai-midpatch","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-03","lastUpdated":"2026-06-06","blastRadius":"npm package(s): chai-midpatch","affectedEntities":[{"name":"chai-midpatch"}],"summary":"Malware in chai-midpatch Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outs","iocs":{"packages":["chai-midpatch"]},"remediation":["Remove chai-midpatch from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-qq87-jvv3-6c7r","title":"GitHub Advisory GHSA-qq87-jvv3-6c7r","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-nodemon-webpatch-13328g","url":"https://supplychainattack.org/incident/malware-in-nodemon-webpatch-13328g","title":"Malware in nodemon-webpatch","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-03","lastUpdated":"2026-06-06","blastRadius":"npm package(s): nodemon-webpatch","affectedEntities":[{"name":"nodemon-webpatch"}],"summary":"Malware in nodemon-webpatch Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an o","iocs":{"packages":["nodemon-webpatch"]},"remediation":["Remove nodemon-webpatch from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-q398-93fh-ghmj","title":"GitHub Advisory GHSA-q398-93fh-ghmj","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-chai-parse-1dv20d","url":"https://supplychainattack.org/incident/malware-in-chai-parse-1dv20d","title":"Malware in chai-parse","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-02","lastUpdated":"2026-06-06","blastRadius":"npm package(s): chai-parse","affectedEntities":[{"name":"chai-parse"}],"summary":"Malware in chai-parse Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. 
The package should be removed, but as full control of the computer may have been given to an outside","iocs":{"packages":["chai-parse"]},"remediation":["Remove chai-parse from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-f528-hm3f-2jx6","title":"GitHub Advisory GHSA-f528-hm3f-2jx6","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-redhat-cloud-services-hcc-feo-mcp-10kacb","url":"https://supplychainattack.org/incident/malware-in-redhat-cloud-services-hcc-feo-mcp-10kacb","title":"Malware in @redhat-cloud-services/hcc-feo-mcp","status":"active","severity":"critical","ecosystems":["npm","ai-agents"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @redhat-cloud-services/hcc-feo-mcp, @redhat-cloud-services/hcc-feo-mcp","affectedEntities":[{"name":"@redhat-cloud-services/hcc-feo-mcp"},{"name":"@redhat-cloud-services/hcc-feo-mcp"}],"summary":"Malware in @redhat-cloud-services/hcc-feo-mcp Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have ","iocs":{"packages":["@redhat-cloud-services/hcc-feo-mcp","@redhat-cloud-services/hcc-feo-mcp"]},"remediation":["Remove @redhat-cloud-services/hcc-feo-mcp from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-vgm5-jmvr-cjgf","title":"GitHub Advisory GHSA-vgm5-jmvr-cjgf","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-tmecontinue-claude-qlbbh4","url":"https://supplychainattack.org/incident/malware-in-tmecontinue-claude-qlbbh4","title":"Malware in @tmecontinue/claude","status":"active","severity":"critical","ecosystems":["npm","ai-agents"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @tmecontinue/claude","affectedEntities":[{"name":"@tmecontinue/claude"}],"summary":"Malware in @tmecontinue/claude Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to a","iocs":{"packages":["@tmecontinue/claude"]},"remediation":["Remove @tmecontinue/claude from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-j689-8wf2-2rj9","title":"GitHub Advisory GHSA-j689-8wf2-2rj9","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cms-storehub-03z2zh","url":"https://supplychainattack.org/incident/malware-in-cms-storehub-03z2zh","title":"Malware in cms-storehub","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): cms-storehub","affectedEntities":[{"name":"cms-storehub"}],"summary":"Malware in cms-storehub Any computer that has this package installed or running should be considered fully compromised. 
All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outsi","iocs":{"packages":["cms-storehub"]},"remediation":["Remove cms-storehub from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-gvmr-7vwj-2mmf","title":"GitHub Advisory GHSA-gvmr-7vwj-2mmf","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cms-github-106jda","url":"https://supplychainattack.org/incident/malware-in-cms-github-106jda","title":"Malware in cms-github","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): cms-github","affectedEntities":[{"name":"cms-github"}],"summary":"Malware in cms-github Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside","iocs":{"packages":["cms-github"]},"remediation":["Remove cms-github from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-3r39-h7xh-jg85","title":"GitHub Advisory GHSA-3r39-h7xh-jg85","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-collected-forms-embed-js-z9vz46","url":"https://supplychainattack.org/incident/malware-in-collected-forms-embed-js-z9vz46","title":"Malware in collected-forms-embed-js","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): collected-forms-embed-js","affectedEntities":[{"name":"collected-forms-embed-js"}],"summary":"Malware in collected-forms-embed-js Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given","iocs":{"packages":["collected-forms-embed-js"]},"remediation":["Remove collected-forms-embed-js from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-9j37-8wjm-pcxq","title":"GitHub Advisory GHSA-9j37-8wjm-pcxq","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-audit-logsss-05tc3w","url":"https://supplychainattack.org/incident/malware-in-audit-logsss-05tc3w","title":"Malware in audit-logsss","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): audit-logsss","affectedEntities":[{"name":"audit-logsss"}],"summary":"Malware in audit-logsss Any computer that has this package installed or running should be considered fully compromised. 
All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outsi","iocs":{"packages":["audit-logsss"]},"remediation":["Remove audit-logsss from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-gcq4-52q3-v4fm","title":"GitHub Advisory GHSA-gcq4-52q3-v4fm","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-ewfewfewf-testhackerrr-1vtlzj","url":"https://supplychainattack.org/incident/malware-in-ewfewfewf-testhackerrr-1vtlzj","title":"Malware in @ewfewfewf/testhackerrr","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @ewfewfewf/testhackerrr","affectedEntities":[{"name":"@ewfewfewf/testhackerrr"}],"summary":"Malware in @ewfewfewf/testhackerrr Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given ","iocs":{"packages":["@ewfewfewf/testhackerrr"]},"remediation":["Remove @ewfewfewf/testhackerrr from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-p4gj-2hmg-hj4f","title":"GitHub Advisory GHSA-p4gj-2hmg-hj4f","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-osamdefeirrighs-testhackfrrferrr-xw54xq","url":"https://supplychainattack.org/incident/malware-in-osamdefeirrighs-testhackfrrferrr-xw54xq","title":"Malware in @osamdefeirrighs/testhackfrrferrr","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @osamdefeirrighs/testhackfrrferrr","affectedEntities":[{"name":"@osamdefeirrighs/testhackfrrferrr"}],"summary":"Malware in @osamdefeirrighs/testhackfrrferrr Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have b","iocs":{"packages":["@osamdefeirrighs/testhackfrrferrr"]},"remediation":["Remove @osamdefeirrighs/testhackfrrferrr from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-rrrc-gchv-j329","title":"GitHub Advisory GHSA-rrrc-gchv-j329","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-pcldpvkoewpogw-testhacker-1ufmzn","url":"https://supplychainattack.org/incident/malware-in-pcldpvkoewpogw-testhacker-1ufmzn","title":"Malware in @pcldpvkoewpogw/testhacker","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @pcldpvkoewpogw/testhacker","affectedEntities":[{"name":"@pcldpvkoewpogw/testhacker"}],"summary":"Malware in @pcldpvkoewpogw/testhacker Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been giv","iocs":{"packages":["@pcldpvkoewpogw/testhacker"]},"remediation":["Remove @pcldpvkoewpogw/testhacker from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-xjcm-hjvm-fmhp","title":"GitHub Advisory GHSA-xjcm-hjvm-fmhp","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-jingmeideshishi-klizxa","url":"https://supplychainattack.org/incident/malware-in-jingmeideshishi-klizxa","title":"Malware in jingmeideshishi","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): jingmeideshishi","affectedEntities":[{"name":"jingmeideshishi"}],"summary":"Malware in jingmeideshishi Any computer that has this package installed or running should be considered fully compromised. 
All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an ou","iocs":{"packages":["jingmeideshishi"]},"remediation":["Remove jingmeideshishi from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-pc3j-w4f9-94hj","title":"GitHub Advisory GHSA-pc3j-w4f9-94hj","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-redhat-cloud-services-eslint-config-redhat-cloud-services-1cducd","url":"https://supplychainattack.org/incident/malware-in-redhat-cloud-services-eslint-config-redhat-cloud-services-1cducd","title":"Malware in @redhat-cloud-services/eslint-config-redhat-cloud-services","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @redhat-cloud-services/eslint-config-redhat-cloud-services","affectedEntities":[{"name":"@redhat-cloud-services/eslint-config-redhat-cloud-services"}],"summary":"Malware in @redhat-cloud-services/eslint-config-redhat-cloud-services Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control o","iocs":{"packages":["@redhat-cloud-services/eslint-config-redhat-cloud-services"]},"remediation":["Remove @redhat-cloud-services/eslint-config-redhat-cloud-services from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-c3mv-fjj4-2542","title":"GitHub Advisory GHSA-c3mv-fjj4-2542","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-redhat-cloud-services-rule-components-p7ephh","url":"https://supplychainattack.org/incident/malware-in-redhat-cloud-services-rule-components-p7ephh","title":"Malware in @redhat-cloud-services/rule-components","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @redhat-cloud-services/rule-components","affectedEntities":[{"name":"@redhat-cloud-services/rule-components"}],"summary":"Malware in @redhat-cloud-services/rule-components Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may h","iocs":{"packages":["@redhat-cloud-services/rule-components"]},"remediation":["Remove @redhat-cloud-services/rule-components from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-c4gm-6fh3-76v9","title":"GitHub Advisory GHSA-c4gm-6fh3-76v9","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-redhat-cloud-services-quickstarts-client-1kio97","url":"https://supplychainattack.org/incident/malware-in-redhat-cloud-services-quickstarts-client-1kio97","title":"Malware in @redhat-cloud-services/quickstarts-client","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @redhat-cloud-services/quickstarts-client","affectedEntities":[{"name":"@redhat-cloud-services/quickstarts-client"}],"summary":"Malware in @redhat-cloud-services/quickstarts-client Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer ma","iocs":{"packages":["@redhat-cloud-services/quickstarts-client"]},"remediation":["Remove @redhat-cloud-services/quickstarts-client from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-mj98-cgm5-6xrr","title":"GitHub Advisory GHSA-mj98-cgm5-6xrr","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-redhat-cloud-services-topological-inventory-client-1y04h9","url":"https://supplychainattack.org/incident/malware-in-redhat-cloud-services-topological-inventory-client-1y04h9","title":"Malware in @redhat-cloud-services/topological-inventory-client","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @redhat-cloud-services/topological-inventory-client, @redhat-cloud-services/topological-inventory-client, @redhat-cloud-services/topological-inventory-client","affectedEntities":[{"name":"@redhat-cloud-services/topological-inventory-client"},{"name":"@redhat-cloud-services/topological-inventory-client"},{"name":"@redhat-cloud-services/topological-inventory-client"}],"summary":"Malware in @redhat-cloud-services/topological-inventory-client Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the c","iocs":{"packages":["@redhat-cloud-services/topological-inventory-client","@redhat-cloud-services/topological-inventory-client","@redhat-cloud-services/topological-inventory-client"]},"remediation":["Remove @redhat-cloud-services/topological-inventory-client from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-9wp8-557p-2hvf","title":"GitHub Advisory GHSA-9wp8-557p-2hvf","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-redhat-cloud-services-chrome-1h11zt","url":"https://supplychainattack.org/incident/malware-in-redhat-cloud-services-chrome-1h11zt","title":"Malware in @redhat-cloud-services/chrome","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @redhat-cloud-services/chrome, @redhat-cloud-services/chrome, @redhat-cloud-services/chrome","affectedEntities":[{"name":"@redhat-cloud-services/chrome"},{"name":"@redhat-cloud-services/chrome"},{"name":"@redhat-cloud-services/chrome"}],"summary":"Malware in @redhat-cloud-services/chrome Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been ","iocs":{"packages":["@redhat-cloud-services/chrome","@redhat-cloud-services/chrome","@redhat-cloud-services/chrome"]},"remediation":["Remove @redhat-cloud-services/chrome from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-942v-f47r-w9c3","title":"GitHub Advisory GHSA-942v-f47r-w9c3","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-redhat-cloud-services-rbac-client-nbq8oo","url":"https://supplychainattack.org/incident/malware-in-redhat-cloud-services-rbac-client-nbq8oo","title":"Malware in @redhat-cloud-services/rbac-client","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @redhat-cloud-services/rbac-client, @redhat-cloud-services/rbac-client, @redhat-cloud-services/rbac-client","affectedEntities":[{"name":"@redhat-cloud-services/rbac-client"},{"name":"@redhat-cloud-services/rbac-client"},{"name":"@redhat-cloud-services/rbac-client"}],"summary":"Malware in @redhat-cloud-services/rbac-client Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have ","iocs":{"packages":["@redhat-cloud-services/rbac-client","@redhat-cloud-services/rbac-client","@redhat-cloud-services/rbac-client"]},"remediation":["Remove @redhat-cloud-services/rbac-client from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-2p99-xvqh-j893","title":"GitHub Advisory GHSA-2p99-xvqh-j893","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-redhat-cloud-services-types-1gning","url":"https://supplychainattack.org/incident/malware-in-redhat-cloud-services-types-1gning","title":"Malware in @redhat-cloud-services/types","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @redhat-cloud-services/types","affectedEntities":[{"name":"@redhat-cloud-services/types"}],"summary":"Malware in @redhat-cloud-services/types Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been g","iocs":{"packages":["@redhat-cloud-services/types"]},"remediation":["Remove @redhat-cloud-services/types from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-8xj2-9c64-m64h","title":"GitHub Advisory GHSA-8xj2-9c64-m64h","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-redhat-cloud-services-frontend-components-config-utilities-g70yte","url":"https://supplychainattack.org/incident/malware-in-redhat-cloud-services-frontend-components-config-utilities-g70yte","title":"Malware in @redhat-cloud-services/frontend-components-config-utilities","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @redhat-cloud-services/frontend-components-config-utilities, @redhat-cloud-services/frontend-components-config-utilities, @redhat-cloud-services/frontend-components-config-utilities","affectedEntities":[{"name":"@redhat-cloud-services/frontend-components-config-utilities"},{"name":"@redhat-cloud-services/frontend-components-config-utilities"},{"name":"@redhat-cloud-services/frontend-components-config-utilities"}],"summary":"Malware in @redhat-cloud-services/frontend-components-config-utilities Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control ","iocs":{"packages":["@redhat-cloud-services/frontend-components-config-utilities","@redhat-cloud-services/frontend-components-config-utilities","@redhat-cloud-services/frontend-components-config-utilities"]},"remediation":["Remove @redhat-cloud-services/frontend-components-config-utilities from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-cxfw-p322-rfrv","title":"GitHub Advisory GHSA-cxfw-p322-rfrv","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-antoncallahan-aws-user-helper-1mupx7","url":"https://supplychainattack.org/incident/malware-in-antoncallahan-aws-user-helper-1mupx7","title":"Malware in @antoncallahan/aws-user-helper","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @antoncallahan/aws-user-helper","affectedEntities":[{"name":"@antoncallahan/aws-user-helper"}],"summary":"Malware in @antoncallahan/aws-user-helper Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been","iocs":{"packages":["@antoncallahan/aws-user-helper"]},"remediation":["Remove @antoncallahan/aws-user-helper from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-v2cq-j5gf-pf5g","title":"GitHub Advisory GHSA-v2cq-j5gf-pf5g","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-redhat-cloud-services-frontend-components-16ovzb","url":"https://supplychainattack.org/incident/malware-in-redhat-cloud-services-frontend-components-16ovzb","title":"Malware in @redhat-cloud-services/frontend-components","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @redhat-cloud-services/frontend-components","affectedEntities":[{"name":"@redhat-cloud-services/frontend-components"}],"summary":"Malware in @redhat-cloud-services/frontend-components Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer m","iocs":{"packages":["@redhat-cloud-services/frontend-components"]},"remediation":["Remove @redhat-cloud-services/frontend-components from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-mrgj-mcjh-5mf2","title":"GitHub Advisory GHSA-mrgj-mcjh-5mf2","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-loading-session-g4hca9","url":"https://supplychainattack.org/incident/malware-in-loading-session-g4hca9","title":"Malware in loading-session","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): loading-session","affectedEntities":[{"name":"loading-session"}],"summary":"Malware in loading-session Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an ou","iocs":{"packages":["loading-session"]},"remediation":["Remove loading-session from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-7vwr-8v2c-gjvr","title":"GitHub Advisory GHSA-7vwr-8v2c-gjvr","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-motion-tool-8qnuah","url":"https://supplychainattack.org/incident/malware-in-motion-tool-8qnuah","title":"Malware in motion-tool","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): motion-tool","affectedEntities":[{"name":"motion-tool"}],"summary":"Malware in motion-tool Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. 
The package should be removed, but as full control of the computer may have been given to an outsid","iocs":{"packages":["motion-tool"]},"remediation":["Remove motion-tool from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-hw79-5457-g9c3","title":"GitHub Advisory GHSA-hw79-5457-g9c3","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-nemo-reporter-1qenpw","url":"https://supplychainattack.org/incident/malware-in-nemo-reporter-1qenpw","title":"Malware in nemo-reporter","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): nemo-reporter","affectedEntities":[{"name":"nemo-reporter"}],"summary":"Malware in nemo-reporter Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outs","iocs":{"packages":["nemo-reporter"]},"remediation":["Remove nemo-reporter from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-358g-x45v-57vw","title":"GitHub Advisory GHSA-358g-x45v-57vw","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-peertube-plugin-google-analytics-js-snmd22","url":"https://supplychainattack.org/incident/malware-in-peertube-plugin-google-analytics-js-snmd22","title":"Malware in peertube-plugin-google-analytics-js","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): peertube-plugin-google-analytics-js","affectedEntities":[{"name":"peertube-plugin-google-analytics-js"}],"summary":"Malware in peertube-plugin-google-analytics-js Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have","iocs":{"packages":["peertube-plugin-google-analytics-js"]},"remediation":["Remove peertube-plugin-google-analytics-js from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-4r2m-9mxx-rf7q","title":"GitHub Advisory GHSA-4r2m-9mxx-rf7q","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-randomlogs-ruok89","url":"https://supplychainattack.org/incident/malware-in-randomlogs-ruok89","title":"Malware in randomlogs","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): randomlogs","affectedEntities":[{"name":"randomlogs"}],"summary":"Malware in randomlogs Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside","iocs":{"packages":["randomlogs"]},"remediation":["Remove randomlogs from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-6x8j-5cx8-5qv6","title":"GitHub Advisory GHSA-6x8j-5cx8-5qv6","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-redhat-cloud-services-entitlements-client-11yot8","url":"https://supplychainattack.org/incident/malware-in-redhat-cloud-services-entitlements-client-11yot8","title":"Malware in @redhat-cloud-services/entitlements-client","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @redhat-cloud-services/entitlements-client, @redhat-cloud-services/entitlements-client","affectedEntities":[{"name":"@redhat-cloud-services/entitlements-client"},{"name":"@redhat-cloud-services/entitlements-client"}],"summary":"Malware in @redhat-cloud-services/entitlements-client Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer m","iocs":{"packages":["@redhat-cloud-services/entitlements-client","@redhat-cloud-services/entitlements-client"]},"remediation":["Remove @redhat-cloud-services/entitlements-client from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-28hc-2275-h287","title":"GitHub Advisory GHSA-28hc-2275-h287","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-redhat-cloud-services-frontend-components-config-1i8217","url":"https://supplychainattack.org/incident/malware-in-redhat-cloud-services-frontend-components-config-1i8217","title":"Malware in @redhat-cloud-services/frontend-components-config","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @redhat-cloud-services/frontend-components-config, @redhat-cloud-services/frontend-components-config","affectedEntities":[{"name":"@redhat-cloud-services/frontend-components-config"},{"name":"@redhat-cloud-services/frontend-components-config"}],"summary":"Malware in @redhat-cloud-services/frontend-components-config Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the com","iocs":{"packages":["@redhat-cloud-services/frontend-components-config","@redhat-cloud-services/frontend-components-config"]},"remediation":["Remove @redhat-cloud-services/frontend-components-config from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-h43w-g623-gfmv","title":"GitHub Advisory GHSA-h43w-g623-gfmv","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-redhat-cloud-services-frontend-components-remediations-avmnd3","url":"https://supplychainattack.org/incident/malware-in-redhat-cloud-services-frontend-components-remediations-avmnd3","title":"Malware in @redhat-cloud-services/frontend-components-remediations","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @redhat-cloud-services/frontend-components-remediations, @redhat-cloud-services/frontend-components-remediations","affectedEntities":[{"name":"@redhat-cloud-services/frontend-components-remediations"},{"name":"@redhat-cloud-services/frontend-components-remediations"}],"summary":"Malware in @redhat-cloud-services/frontend-components-remediations Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of t","iocs":{"packages":["@redhat-cloud-services/frontend-components-remediations","@redhat-cloud-services/frontend-components-remediations"]},"remediation":["Remove @redhat-cloud-services/frontend-components-remediations from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-4rjr-7qhx-vjwg","title":"GitHub Advisory GHSA-4rjr-7qhx-vjwg","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-redhat-cloud-services-frontend-components-testing-bs5zqm","url":"https://supplychainattack.org/incident/malware-in-redhat-cloud-services-frontend-components-testing-bs5zqm","title":"Malware in @redhat-cloud-services/frontend-components-testing","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @redhat-cloud-services/frontend-components-testing","affectedEntities":[{"name":"@redhat-cloud-services/frontend-components-testing"}],"summary":"Malware in @redhat-cloud-services/frontend-components-testing Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the co","iocs":{"packages":["@redhat-cloud-services/frontend-components-testing"]},"remediation":["Remove @redhat-cloud-services/frontend-components-testing from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-wgvx-w8g7-vh4h","title":"GitHub Advisory GHSA-wgvx-w8g7-vh4h","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-redhat-cloud-services-integrations-client-113o2o","url":"https://supplychainattack.org/incident/malware-in-redhat-cloud-services-integrations-client-113o2o","title":"Malware in @redhat-cloud-services/integrations-client","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @redhat-cloud-services/integrations-client, @redhat-cloud-services/integrations-client","affectedEntities":[{"name":"@redhat-cloud-services/integrations-client"},{"name":"@redhat-cloud-services/integrations-client"}],"summary":"Malware in @redhat-cloud-services/integrations-client Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer m","iocs":{"packages":["@redhat-cloud-services/integrations-client","@redhat-cloud-services/integrations-client"]},"remediation":["Remove @redhat-cloud-services/integrations-client from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-8x4g-q845-wpfc","title":"GitHub Advisory GHSA-8x4g-q845-wpfc","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-chat-template-auth-1hclo2","url":"https://supplychainattack.org/incident/malware-in-chat-template-auth-1hclo2","title":"Malware in @chat-template/auth","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @chat-template/auth","affectedEntities":[{"name":"@chat-template/auth"}],"summary":"Malware in @chat-template/auth Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to a","iocs":{"packages":["@chat-template/auth"]},"remediation":["Remove @chat-template/auth from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-5jx8-qv7v-hv32","title":"GitHub Advisory GHSA-5jx8-qv7v-hv32","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-redhat-cloud-services-sources-client-e49d3c","url":"https://supplychainattack.org/incident/malware-in-redhat-cloud-services-sources-client-e49d3c","title":"Malware in @redhat-cloud-services/sources-client","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @redhat-cloud-services/sources-client, @redhat-cloud-services/sources-client","affectedEntities":[{"name":"@redhat-cloud-services/sources-client"},{"name":"@redhat-cloud-services/sources-client"}],"summary":"Malware in @redhat-cloud-services/sources-client Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may ha","iocs":{"packages":["@redhat-cloud-services/sources-client","@redhat-cloud-services/sources-client"]},"remediation":["Remove @redhat-cloud-services/sources-client from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-vp9c-9mjm-2f7w","title":"GitHub Advisory GHSA-vp9c-9mjm-2f7w","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-json-to-simple-graphql-schema-cvzaqf","url":"https://supplychainattack.org/incident/malware-in-json-to-simple-graphql-schema-cvzaqf","title":"Malware in json-to-simple-graphql-schema","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): json-to-simple-graphql-schema","affectedEntities":[{"name":"json-to-simple-graphql-schema"}],"summary":"Malware in json-to-simple-graphql-schema Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been ","iocs":{"packages":["json-to-simple-graphql-schema"]},"remediation":["Remove json-to-simple-graphql-schema from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-2qqv-9mw5-52q2","title":"GitHub Advisory GHSA-2qqv-9mw5-52q2","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-xarc-webpack-cli-40qzrh","url":"https://supplychainattack.org/incident/malware-in-xarc-webpack-cli-40qzrh","title":"Malware in xarc-webpack-cli","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): xarc-webpack-cli","affectedEntities":[{"name":"xarc-webpack-cli"}],"summary":"Malware in xarc-webpack-cli Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an o","iocs":{"packages":["xarc-webpack-cli"]},"remediation":["Remove xarc-webpack-cli from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-2xcr-5qfc-fq54","title":"GitHub Advisory GHSA-2xcr-5qfc-fq54","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-to-cms-do8435","url":"https://supplychainattack.org/incident/malware-in-to-cms-do8435","title":"Malware in to-cms","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): to-cms","affectedEntities":[{"name":"to-cms"}],"summary":"Malware in to-cms Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. 
The package should be removed, but as full control of the computer may have been given to an outside ent","iocs":{"packages":["to-cms"]},"remediation":["Remove to-cms from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-789x-j439-qx3f","title":"GitHub Advisory GHSA-789x-j439-qx3f","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-shopifyto-cms-1yczbv","url":"https://supplychainattack.org/incident/malware-in-shopifyto-cms-1yczbv","title":"Malware in shopifyto-cms","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): shopifyto-cms","affectedEntities":[{"name":"shopifyto-cms"}],"summary":"Malware in shopifyto-cms Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outs","iocs":{"packages":["shopifyto-cms"]},"remediation":["Remove shopifyto-cms from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-92q8-c63v-g77x","title":"GitHub Advisory GHSA-92q8-c63v-g77x","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-chainix-1b6p6v","url":"https://supplychainattack.org/incident/malware-in-chainix-1b6p6v","title":"Malware in chainix","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): chainix","affectedEntities":[{"name":"chainix"}],"summary":"Malware in chainix Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside en","iocs":{"packages":["chainix"]},"remediation":["Remove chainix from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-mrx8-p3w9-5cfm","title":"GitHub Advisory GHSA-mrx8-p3w9-5cfm","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-chai-as-minted-tuxymq","url":"https://supplychainattack.org/incident/malware-in-chai-as-minted-tuxymq","title":"Malware in chai-as-minted","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): chai-as-minted","affectedEntities":[{"name":"chai-as-minted"}],"summary":"Malware in chai-as-minted Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. 
The package should be removed, but as full control of the computer may have been given to an out","iocs":{"packages":["chai-as-minted"]},"remediation":["Remove chai-as-minted from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-85px-g4cg-g2g3","title":"GitHub Advisory GHSA-85px-g4cg-g2g3","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-tmecontinue-cli-zsvl8j","url":"https://supplychainattack.org/incident/malware-in-tmecontinue-cli-zsvl8j","title":"Malware in @tmecontinue/cli","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @tmecontinue/cli","affectedEntities":[{"name":"@tmecontinue/cli"}],"summary":"Malware in @tmecontinue/cli Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an o","iocs":{"packages":["@tmecontinue/cli"]},"remediation":["Remove @tmecontinue/cli from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-jq5f-g7j2-8f9g","title":"GitHub Advisory GHSA-jq5f-g7j2-8f9g","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cms-helpgit-918f2s","url":"https://supplychainattack.org/incident/malware-in-cms-helpgit-918f2s","title":"Malware in cms-helpgit","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-06-01","lastUpdated":"2026-06-06","blastRadius":"npm package(s): cms-helpgit","affectedEntities":[{"name":"cms-helpgit"}],"summary":"Malware in cms-helpgit Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outsid","iocs":{"packages":["cms-helpgit"]},"remediation":["Remove cms-helpgit from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-hjw8-jc8q-mvwj","title":"GitHub Advisory GHSA-hjw8-jc8q-mvwj","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-dataplatform-trino-15vhit","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-dataplatform-trino-15vhit","title":"Malware in @cloudplatform-single-spa/dataplatform-trino","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/dataplatform-trino","affectedEntities":[{"name":"@cloudplatform-single-spa/dataplatform-trino"}],"summary":"Malware in @cloudplatform-single-spa/dataplatform-trino Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer","iocs":{"packages":["@cloudplatform-single-spa/dataplatform-trino"]},"remediation":["Remove @cloudplatform-single-spa/dataplatform-trino from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-f5qc-x39h-934p","title":"GitHub Advisory GHSA-f5qc-x39h-934p","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-customerdigital-service-lib-1c5tbd","url":"https://supplychainattack.org/incident/malware-in-customerdigital-service-lib-1c5tbd","title":"Malware in customerdigital-service-lib","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): customerdigital-service-lib","affectedEntities":[{"name":"customerdigital-service-lib"}],"summary":"Malware in customerdigital-service-lib Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been gi","iocs":{"packages":["customerdigital-service-lib"]},"remediation":["Remove customerdigital-service-lib from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-9vx3-fc8v-7w96","title":"GitHub Advisory GHSA-9vx3-fc8v-7w96","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-logaas-1wdqgm","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-logaas-1wdqgm","title":"Malware in @cloudplatform-single-spa/logaas","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/logaas","affectedEntities":[{"name":"@cloudplatform-single-spa/logaas"}],"summary":"Malware in @cloudplatform-single-spa/logaas Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have be","iocs":{"packages":["@cloudplatform-single-spa/logaas"]},"remediation":["Remove @cloudplatform-single-spa/logaas from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-gpjw-27xh-6659","title":"GitHub Advisory GHSA-gpjw-27xh-6659","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-t-in-one-safe-local-storage-token-3hy8cm","url":"https://supplychainattack.org/incident/malware-in-t-in-one-safe-local-storage-token-3hy8cm","title":"Malware in @t-in-one/safe_local_storage_token","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @t-in-one/safe_local_storage_token","affectedEntities":[{"name":"@t-in-one/safe_local_storage_token"}],"summary":"Malware in @t-in-one/safe_local_storage_token Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have ","iocs":{"packages":["@t-in-one/safe_local_storage_token"]},"remediation":["Remove @t-in-one/safe_local_storage_token from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-r2p6-3gmf-chx9","title":"GitHub Advisory GHSA-r2p6-3gmf-chx9","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-t-in-one-restore-application-hid-from-storage-vq1bts","url":"https://supplychainattack.org/incident/malware-in-t-in-one-restore-application-hid-from-storage-vq1bts","title":"Malware in @t-in-one/restore_application_hid_from_storage","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @t-in-one/restore_application_hid_from_storage","affectedEntities":[{"name":"@t-in-one/restore_application_hid_from_storage"}],"summary":"Malware in @t-in-one/restore_application_hid_from_storage Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the comput","iocs":{"packages":["@t-in-one/restore_application_hid_from_storage"]},"remediation":["Remove @t-in-one/restore_application_hid_from_storage from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-w9v9-8839-82rr","title":"GitHub Advisory GHSA-w9v9-8839-82rr","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-t-in-one-send-add-application-ckqk38","url":"https://supplychainattack.org/incident/malware-in-t-in-one-send-add-application-ckqk38","title":"Malware in @t-in-one/send_add_application","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @t-in-one/send_add_application","affectedEntities":[{"name":"@t-in-one/send_add_application"}],"summary":"Malware in @t-in-one/send_add_application Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been","iocs":{"packages":["@t-in-one/send_add_application"]},"remediation":["Remove @t-in-one/send_add_application from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-33cg-q6pj-vg3j","title":"GitHub Advisory GHSA-33cg-q6pj-vg3j","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-capibar-chat-ui-kit-1hhv1r","url":"https://supplychainattack.org/incident/malware-in-capibar-chat-ui-kit-1hhv1r","title":"Malware in @capibar.chat/ui-kit","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @capibar.chat/ui-kit","affectedEntities":[{"name":"@capibar.chat/ui-kit"}],"summary":"Malware in @capibar.chat/ui-kit Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to ","iocs":{"packages":["@capibar.chat/ui-kit"]},"remediation":["Remove @capibar.chat/ui-kit from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-rwm6-rvqv-qv7c","title":"GitHub Advisory GHSA-rwm6-rvqv-qv7c","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-t-in-one-prefill-transformers-data-token-1he913","url":"https://supplychainattack.org/incident/malware-in-t-in-one-prefill-transformers-data-token-1he913","title":"Malware in @t-in-one/prefill_transformers_data_token","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @t-in-one/prefill_transformers_data_token","affectedEntities":[{"name":"@t-in-one/prefill_transformers_data_token"}],"summary":"Malware in @t-in-one/prefill_transformers_data_token Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer ma","iocs":{"packages":["@t-in-one/prefill_transformers_data_token"]},"remediation":["Remove @t-in-one/prefill_transformers_data_token from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-7jj3-323f-22v4","title":"GitHub Advisory GHSA-7jj3-323f-22v4","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-sber-ecom-core-sberpay-widget-mee8lv","url":"https://supplychainattack.org/incident/malware-in-sber-ecom-core-sberpay-widget-mee8lv","title":"Malware in @sber-ecom-core/sberpay-widget","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @sber-ecom-core/sberpay-widget","affectedEntities":[{"name":"@sber-ecom-core/sberpay-widget"}],"summary":"Malware in @sber-ecom-core/sberpay-widget Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been","iocs":{"packages":["@sber-ecom-core/sberpay-widget"]},"remediation":["Remove @sber-ecom-core/sberpay-widget from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-6rfw-m3fj-7g8q","title":"GitHub Advisory GHSA-6rfw-m3fj-7g8q","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-t-in-one-prefill-credit-data-token-1pxgg5","url":"https://supplychainattack.org/incident/malware-in-t-in-one-prefill-credit-data-token-1pxgg5","title":"Malware in @t-in-one/prefill_credit_data_token","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @t-in-one/prefill_credit_data_token","affectedEntities":[{"name":"@t-in-one/prefill_credit_data_token"}],"summary":"Malware in @t-in-one/prefill_credit_data_token Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have","iocs":{"packages":["@t-in-one/prefill_credit_data_token"]},"remediation":["Remove @t-in-one/prefill_credit_data_token from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-38v2-g3qx-w6fr","title":"GitHub Advisory GHSA-38v2-g3qx-w6fr","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-t-in-one-only-difference-payload-d62rv8","url":"https://supplychainattack.org/incident/malware-in-t-in-one-only-difference-payload-d62rv8","title":"Malware in @t-in-one/only_difference_payload","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @t-in-one/only_difference_payload","affectedEntities":[{"name":"@t-in-one/only_difference_payload"}],"summary":"Malware in @t-in-one/only_difference_payload Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have b","iocs":{"packages":["@t-in-one/only_difference_payload"]},"remediation":["Remove @t-in-one/only_difference_payload from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-h594-x75p-ghjh","title":"GitHub Advisory GHSA-h594-x75p-ghjh","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-t-in-one-prefill-bundle-data-token-pi2w8t","url":"https://supplychainattack.org/incident/malware-in-t-in-one-prefill-bundle-data-token-pi2w8t","title":"Malware in @t-in-one/prefill_bundle_data_token","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @t-in-one/prefill_bundle_data_token","affectedEntities":[{"name":"@t-in-one/prefill_bundle_data_token"}],"summary":"Malware in @t-in-one/prefill_bundle_data_token Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have","iocs":{"packages":["@t-in-one/prefill_bundle_data_token"]},"remediation":["Remove @t-in-one/prefill_bundle_data_token from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-rm9j-3m66-35r4","title":"GitHub Advisory GHSA-rm9j-3m66-35r4","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-t-in-one-get-application-hid-1u83nd","url":"https://supplychainattack.org/incident/malware-in-t-in-one-get-application-hid-1u83nd","title":"Malware in @t-in-one/get_application_hid","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @t-in-one/get_application_hid","affectedEntities":[{"name":"@t-in-one/get_application_hid"}],"summary":"Malware in @t-in-one/get_application_hid Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been ","iocs":{"packages":["@t-in-one/get_application_hid"]},"remediation":["Remove @t-in-one/get_application_hid from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-9ghf-xffg-p5gx","title":"GitHub Advisory GHSA-9ghf-xffg-p5gx","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-t-in-one-add-application-1nd18x","url":"https://supplychainattack.org/incident/malware-in-t-in-one-add-application-1nd18x","title":"Malware in @t-in-one/add_application","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @t-in-one/add_application","affectedEntities":[{"name":"@t-in-one/add_application"}],"summary":"Malware in @t-in-one/add_application Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been give","iocs":{"packages":["@t-in-one/add_application"]},"remediation":["Remove @t-in-one/add_application from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-2rqm-cx7p-43hx","title":"GitHub Advisory GHSA-2rqm-cx7p-43hx","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-t-in-one-application-id-storage-key-token-1c4puy","url":"https://supplychainattack.org/incident/malware-in-t-in-one-application-id-storage-key-token-1c4puy","title":"Malware in @t-in-one/application_id_storage_key_token","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @t-in-one/application_id_storage_key_token","affectedEntities":[{"name":"@t-in-one/application_id_storage_key_token"}],"summary":"Malware in @t-in-one/application_id_storage_key_token Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer m","iocs":{"packages":["@t-in-one/application_id_storage_key_token"]},"remediation":["Remove @t-in-one/application_id_storage_key_token from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-cwhq-qx36-9hhq","title":"GitHub Advisory GHSA-cwhq-qx36-9hhq","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-t-in-one-add-application-tid-11ur2g","url":"https://supplychainattack.org/incident/malware-in-t-in-one-add-application-tid-11ur2g","title":"Malware in @t-in-one/add_application_tid","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @t-in-one/add_application_tid","affectedEntities":[{"name":"@t-in-one/add_application_tid"}],"summary":"Malware in @t-in-one/add_application_tid Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been ","iocs":{"packages":["@t-in-one/add_application_tid"]},"remediation":["Remove @t-in-one/add_application_tid from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-vvr5-6j6h-rq49","title":"GitHub Advisory GHSA-vvr5-6j6h-rq49","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-t-in-one-form-product-token-j7kcjc","url":"https://supplychainattack.org/incident/malware-in-t-in-one-form-product-token-j7kcjc","title":"Malware in @t-in-one/form_product_token","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @t-in-one/form_product_token","affectedEntities":[{"name":"@t-in-one/form_product_token"}],"summary":"Malware in @t-in-one/form_product_token Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been g","iocs":{"packages":["@t-in-one/form_product_token"]},"remediation":["Remove @t-in-one/form_product_token from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-r382-p83j-69fx","title":"GitHub Advisory GHSA-r382-p83j-69fx","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-t-in-one-add-application-service-token-q7m5ck","url":"https://supplychainattack.org/incident/malware-in-t-in-one-add-application-service-token-q7m5ck","title":"Malware in @t-in-one/add_application_service_token","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @t-in-one/add_application_service_token","affectedEntities":[{"name":"@t-in-one/add_application_service_token"}],"summary":"Malware in @t-in-one/add_application_service_token Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may ","iocs":{"packages":["@t-in-one/add_application_service_token"]},"remediation":["Remove @t-in-one/add_application_service_token from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-p76m-g6ch-9pg3","title":"GitHub Advisory GHSA-p76m-g6ch-9pg3","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-t-in-one-add-app-middleware-token-1lwz2u","url":"https://supplychainattack.org/incident/malware-in-t-in-one-add-app-middleware-token-1lwz2u","title":"Malware in @t-in-one/add_app_middleware_token","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @t-in-one/add_app_middleware_token","affectedEntities":[{"name":"@t-in-one/add_app_middleware_token"}],"summary":"Malware in @t-in-one/add_app_middleware_token Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have ","iocs":{"packages":["@t-in-one/add_app_middleware_token"]},"remediation":["Remove @t-in-one/add_app_middleware_token from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-86f7-96xp-23wm","title":"GitHub Advisory GHSA-86f7-96xp-23wm","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-t-in-one-save-application-hid-to-storage-oql4wj","url":"https://supplychainattack.org/incident/malware-in-t-in-one-save-application-hid-to-storage-oql4wj","title":"Malware in @t-in-one/save_application_hid_to_storage","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @t-in-one/save_application_hid_to_storage","affectedEntities":[{"name":"@t-in-one/save_application_hid_to_storage"}],"summary":"Malware in @t-in-one/save_application_hid_to_storage Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer ma","iocs":{"packages":["@t-in-one/save_application_hid_to_storage"]},"remediation":["Remove @t-in-one/save_application_hid_to_storage from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-99m3-vc85-ccc3","title":"GitHub Advisory GHSA-99m3-vc85-ccc3","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-svp-s3-storage-eg5ztt","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-svp-s3-storage-eg5ztt","title":"Malware in @cloudplatform-single-spa/svp-s3-storage","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/svp-s3-storage","affectedEntities":[{"name":"@cloudplatform-single-spa/svp-s3-storage"}],"summary":"Malware in @cloudplatform-single-spa/svp-s3-storage Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may","iocs":{"packages":["@cloudplatform-single-spa/svp-s3-storage"]},"remediation":["Remove @cloudplatform-single-spa/svp-s3-storage from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-228p-vq38-23gh","title":"GitHub Advisory GHSA-228p-vq38-23gh","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-vpn-1fdrg3","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-vpn-1fdrg3","title":"Malware in @cloudplatform-single-spa/vpn","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/vpn","affectedEntities":[{"name":"@cloudplatform-single-spa/vpn"}],"summary":"Malware in @cloudplatform-single-spa/vpn Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been ","iocs":{"packages":["@cloudplatform-single-spa/vpn"]},"remediation":["Remove @cloudplatform-single-spa/vpn from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-x7v5-6q4v-272p","title":"GitHub Advisory GHSA-x7v5-6q4v-272p","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-support-1r2a2a","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-support-1r2a2a","title":"Malware in @cloudplatform-single-spa/support","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/support","affectedEntities":[{"name":"@cloudplatform-single-spa/support"}],"summary":"Malware in @cloudplatform-single-spa/support Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have b","iocs":{"packages":["@cloudplatform-single-spa/support"]},"remediation":["Remove @cloudplatform-single-spa/support from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-7wmg-h7hh-5m93","title":"GitHub Advisory GHSA-7wmg-h7hh-5m93","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-ssh-keys-jqoody","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-ssh-keys-jqoody","title":"Malware in @cloudplatform-single-spa/ssh-keys","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/ssh-keys","affectedEntities":[{"name":"@cloudplatform-single-spa/ssh-keys"}],"summary":"Malware in @cloudplatform-single-spa/ssh-keys Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have ","iocs":{"packages":["@cloudplatform-single-spa/ssh-keys"]},"remediation":["Remove @cloudplatform-single-spa/ssh-keys from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-7xjw-q57c-jjh9","title":"GitHub Advisory GHSA-7xjw-q57c-jjh9","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-monitoring-pmnv06","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-monitoring-pmnv06","title":"Malware in @cloudplatform-single-spa/monitoring","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/monitoring","affectedEntities":[{"name":"@cloudplatform-single-spa/monitoring"}],"summary":"Malware in @cloudplatform-single-spa/monitoring Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may hav","iocs":{"packages":["@cloudplatform-single-spa/monitoring"]},"remediation":["Remove @cloudplatform-single-spa/monitoring from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-jvj5-w453-mjrh","title":"GitHub Advisory GHSA-jvj5-w453-mjrh","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-marketplace-gigachat-15xti7","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-marketplace-gigachat-15xti7","title":"Malware in @cloudplatform-single-spa/marketplace-gigachat","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/marketplace-gigachat","affectedEntities":[{"name":"@cloudplatform-single-spa/marketplace-gigachat"}],"summary":"Malware in @cloudplatform-single-spa/marketplace-gigachat Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the comput","iocs":{"packages":["@cloudplatform-single-spa/marketplace-gigachat"]},"remediation":["Remove @cloudplatform-single-spa/marketplace-gigachat from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-pxw8-gqv6-95gx","title":"GitHub Advisory GHSA-pxw8-gqv6-95gx","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-datagrid-10zls7","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-datagrid-10zls7","title":"Malware in @cloudplatform-single-spa/datagrid","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/datagrid","affectedEntities":[{"name":"@cloudplatform-single-spa/datagrid"}],"summary":"Malware in @cloudplatform-single-spa/datagrid Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have ","iocs":{"packages":["@cloudplatform-single-spa/datagrid"]},"remediation":["Remove @cloudplatform-single-spa/datagrid from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-rfjw-rc5v-6jwg","title":"GitHub Advisory GHSA-rfjw-rc5v-6jwg","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-cloud-dns-1wjce2","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-cloud-dns-1wjce2","title":"Malware in @cloudplatform-single-spa/cloud-dns","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/cloud-dns","affectedEntities":[{"name":"@cloudplatform-single-spa/cloud-dns"}],"summary":"Malware in @cloudplatform-single-spa/cloud-dns Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have","iocs":{"packages":["@cloudplatform-single-spa/cloud-dns"]},"remediation":["Remove @cloudplatform-single-spa/cloud-dns from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-p4x7-2fvx-ff2j","title":"GitHub Advisory GHSA-p4x7-2fvx-ff2j","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-svp-interfaces-138bia","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-svp-interfaces-138bia","title":"Malware in @cloudplatform-single-spa/svp-interfaces","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/svp-interfaces","affectedEntities":[{"name":"@cloudplatform-single-spa/svp-interfaces"}],"summary":"Malware in @cloudplatform-single-spa/svp-interfaces Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may","iocs":{"packages":["@cloudplatform-single-spa/svp-interfaces"]},"remediation":["Remove @cloudplatform-single-spa/svp-interfaces from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-3h4q-c5w7-j6c3","title":"GitHub Advisory GHSA-3h4q-c5w7-j6c3","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-svp-baas-19fncn","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-svp-baas-19fncn","title":"Malware in @cloudplatform-single-spa/svp-baas","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/svp-baas","affectedEntities":[{"name":"@cloudplatform-single-spa/svp-baas"}],"summary":"Malware in @cloudplatform-single-spa/svp-baas Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have ","iocs":{"packages":["@cloudplatform-single-spa/svp-baas"]},"remediation":["Remove @cloudplatform-single-spa/svp-baas from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-pjmq-qghr-v939","title":"GitHub Advisory GHSA-pjmq-qghr-v939","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-security-groups-1yrj6h","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-security-groups-1yrj6h","title":"Malware in @cloudplatform-single-spa/security-groups","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/security-groups","affectedEntities":[{"name":"@cloudplatform-single-spa/security-groups"}],"summary":"Malware in @cloudplatform-single-spa/security-groups Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer ma","iocs":{"packages":["@cloudplatform-single-spa/security-groups"]},"remediation":["Remove @cloudplatform-single-spa/security-groups from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-xx66-78cf-7927","title":"GitHub Advisory GHSA-xx66-78cf-7927","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-ml-ai-agents-agent-6cs5r2","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-ml-ai-agents-agent-6cs5r2","title":"Malware in @cloudplatform-single-spa/ml-ai-agents-agent","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/ml-ai-agents-agent","affectedEntities":[{"name":"@cloudplatform-single-spa/ml-ai-agents-agent"}],"summary":"Malware in @cloudplatform-single-spa/ml-ai-agents-agent Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer","iocs":{"packages":["@cloudplatform-single-spa/ml-ai-agents-agent"]},"remediation":["Remove @cloudplatform-single-spa/ml-ai-agents-agent from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-2429-p3v5-m6p7","title":"GitHub Advisory GHSA-2429-p3v5-m6p7","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-ml-ai-agents-agent-system-1hkghn","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-ml-ai-agents-agent-system-1hkghn","title":"Malware in @cloudplatform-single-spa/ml-ai-agents-agent-system","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/ml-ai-agents-agent-system","affectedEntities":[{"name":"@cloudplatform-single-spa/ml-ai-agents-agent-system"}],"summary":"Malware in @cloudplatform-single-spa/ml-ai-agents-agent-system Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the c","iocs":{"packages":["@cloudplatform-single-spa/ml-ai-agents-agent-system"]},"remediation":["Remove @cloudplatform-single-spa/ml-ai-agents-agent-system from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-rh4m-xhvc-mp3x","title":"GitHub Advisory GHSA-rh4m-xhvc-mp3x","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-employees-ie9tfn","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-employees-ie9tfn","title":"Malware in @cloudplatform-single-spa/employees","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/employees","affectedEntities":[{"name":"@cloudplatform-single-spa/employees"}],"summary":"Malware in @cloudplatform-single-spa/employees Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have","iocs":{"packages":["@cloudplatform-single-spa/employees"]},"remediation":["Remove @cloudplatform-single-spa/employees from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-fmpf-r7qq-q7jh","title":"GitHub Advisory GHSA-fmpf-r7qq-q7jh","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-enterprise-r0zfvt","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-enterprise-r0zfvt","title":"Malware in @cloudplatform-single-spa/enterprise","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/enterprise","affectedEntities":[{"name":"@cloudplatform-single-spa/enterprise"}],"summary":"Malware in @cloudplatform-single-spa/enterprise Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may hav","iocs":{"packages":["@cloudplatform-single-spa/enterprise"]},"remediation":["Remove @cloudplatform-single-spa/enterprise from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-c5c8-wmww-wg89","title":"GitHub Advisory GHSA-c5c8-wmww-wg89","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-dataplatform-metastore-nb1ylm","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-dataplatform-metastore-nb1ylm","title":"Malware in @cloudplatform-single-spa/dataplatform-metastore","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/dataplatform-metastore","affectedEntities":[{"name":"@cloudplatform-single-spa/dataplatform-metastore"}],"summary":"Malware in @cloudplatform-single-spa/dataplatform-metastore Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the comp","iocs":{"packages":["@cloudplatform-single-spa/dataplatform-metastore"]},"remediation":["Remove @cloudplatform-single-spa/dataplatform-metastore from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-hvp4-8357-fcrc","title":"GitHub Advisory GHSA-hvp4-8357-fcrc","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-floating-ips-rczd0y","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-floating-ips-rczd0y","title":"Malware in @cloudplatform-single-spa/floating-ips","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/floating-ips","affectedEntities":[{"name":"@cloudplatform-single-spa/floating-ips"}],"summary":"Malware in @cloudplatform-single-spa/floating-ips Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may h","iocs":{"packages":["@cloudplatform-single-spa/floating-ips"]},"remediation":["Remove @cloudplatform-single-spa/floating-ips from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-vwr2-jj39-m3fp","title":"GitHub Advisory GHSA-vwr2-jj39-m3fp","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-cp-api-gw-1jcg6i","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-cp-api-gw-1jcg6i","title":"Malware in @cloudplatform-single-spa/cp-api-gw","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/cp-api-gw","affectedEntities":[{"name":"@cloudplatform-single-spa/cp-api-gw"}],"summary":"Malware in @cloudplatform-single-spa/cp-api-gw Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have","iocs":{"packages":["@cloudplatform-single-spa/cp-api-gw"]},"remediation":["Remove @cloudplatform-single-spa/cp-api-gw from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-37f8-7crp-99x7","title":"GitHub Advisory GHSA-37f8-7crp-99x7","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-dataplatform-lm7yhs","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-dataplatform-lm7yhs","title":"Malware in @cloudplatform-single-spa/dataplatform","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/dataplatform","affectedEntities":[{"name":"@cloudplatform-single-spa/dataplatform"}],"summary":"Malware in @cloudplatform-single-spa/dataplatform Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may h","iocs":{"packages":["@cloudplatform-single-spa/dataplatform"]},"remediation":["Remove @cloudplatform-single-spa/dataplatform from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-2m8v-gg54-p274","title":"GitHub Advisory GHSA-2m8v-gg54-p274","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-cnapp-ui-1l3qr2","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-cnapp-ui-1l3qr2","title":"Malware in @cloudplatform-single-spa/cnapp-ui","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/cnapp-ui","affectedEntities":[{"name":"@cloudplatform-single-spa/cnapp-ui"}],"summary":"Malware in @cloudplatform-single-spa/cnapp-ui Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have ","iocs":{"packages":["@cloudplatform-single-spa/cnapp-ui"]},"remediation":["Remove @cloudplatform-single-spa/cnapp-ui from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-5wwp-555m-83g9","title":"GitHub Advisory GHSA-5wwp-555m-83g9","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-base-static-page-1lexfs","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-base-static-page-1lexfs","title":"Malware in @cloudplatform-single-spa/base-static-page","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/base-static-page","affectedEntities":[{"name":"@cloudplatform-single-spa/base-static-page"}],"summary":"Malware in @cloudplatform-single-spa/base-static-page Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer m","iocs":{"packages":["@cloudplatform-single-spa/base-static-page"]},"remediation":["Remove @cloudplatform-single-spa/base-static-page from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-qv4g-5wcg-6j6p","title":"GitHub Advisory GHSA-qv4g-5wcg-6j6p","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-administration-8ph0j1","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-administration-8ph0j1","title":"Malware in @cloudplatform-single-spa/administration","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/administration","affectedEntities":[{"name":"@cloudplatform-single-spa/administration"}],"summary":"Malware in @cloudplatform-single-spa/administration Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may","iocs":{"packages":["@cloudplatform-single-spa/administration"]},"remediation":["Remove @cloudplatform-single-spa/administration from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-7xpr-9xh5-m6q7","title":"GitHub Advisory GHSA-7xpr-9xh5-m6q7","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-arenadata-db-11hb31","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-arenadata-db-11hb31","title":"Malware in @cloudplatform-single-spa/arenadata-db","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/arenadata-db","affectedEntities":[{"name":"@cloudplatform-single-spa/arenadata-db"}],"summary":"Malware in @cloudplatform-single-spa/arenadata-db Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may h","iocs":{"packages":["@cloudplatform-single-spa/arenadata-db"]},"remediation":["Remove @cloudplatform-single-spa/arenadata-db from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-f8cm-fp35-2mcm","title":"GitHub Advisory GHSA-f8cm-fp35-2mcm","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-cloudplatform-single-spa-business-solutions-hzhe6w","url":"https://supplychainattack.org/incident/malware-in-cloudplatform-single-spa-business-solutions-hzhe6w","title":"Malware in @cloudplatform-single-spa/business-solutions","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): @cloudplatform-single-spa/business-solutions","affectedEntities":[{"name":"@cloudplatform-single-spa/business-solutions"}],"summary":"Malware in @cloudplatform-single-spa/business-solutions Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer","iocs":{"packages":["@cloudplatform-single-spa/business-solutions"]},"remediation":["Remove @cloudplatform-single-spa/business-solutions from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-5r3c-vc42-xhw6","title":"GitHub Advisory GHSA-5r3c-vc42-xhw6","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-power-platform-playwright-toolkit-lpwbdz","url":"https://supplychainattack.org/incident/malware-in-power-platform-playwright-toolkit-lpwbdz","title":"Malware in power-platform-playwright-toolkit","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): power-platform-playwright-toolkit","affectedEntities":[{"name":"power-platform-playwright-toolkit"}],"summary":"Malware in power-platform-playwright-toolkit Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have b","iocs":{"packages":["power-platform-playwright-toolkit"]},"remediation":["Remove power-platform-playwright-toolkit from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. 
--ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-jwfr-3hmj-4r72","title":"GitHub Advisory GHSA-jwfr-3hmj-4r72","publisher":"GitHub Advisory Database"}]},{"id":"withdrawn-advisory-malware-in-puppeteer-wyip2x","url":"https://supplychainattack.org/incident/withdrawn-advisory-malware-in-puppeteer-wyip2x","title":"Withdrawn Advisory: Malware in puppeteer","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): puppeteer","affectedEntities":[{"name":"puppeteer"}],"summary":"Withdrawn Advisory: Malware in puppeteer ### Withdrawn Advisory This advisory has been withdrawn because the malicious package detection was a false positive. This link is maintained to preserve external references. ### Original Description Any computer that has this package installed or running should be considered fu","iocs":{"packages":["puppeteer"]},"remediation":["Remove puppeteer from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-8r2f-2qg4-cv9v","title":"GitHub Advisory GHSA-8r2f-2qg4-cv9v","publisher":"GitHub Advisory Database"}]},{"id":"malware-in-midoss-1kqryg","url":"https://supplychainattack.org/incident/malware-in-midoss-1kqryg","title":"Malware in midoss","status":"active","severity":"critical","ecosystems":["npm"],"attackVectors":["compromised-package"],"disclosedDate":"2026-05-29","lastUpdated":"2026-06-06","blastRadius":"npm package(s): midoss","affectedEntities":[{"name":"midoss"}],"summary":"Malware in midoss Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. 
The package should be removed, but as full control of the computer may have been given to an outside ent","iocs":{"packages":["midoss"]},"remediation":["Remove midoss from all dependency trees and lockfiles.","Rotate any credentials present on machines or CI that installed the package.","Pin and verify dependencies; restrict install scripts (e.g. --ignore-scripts)."],"sources":[{"url":"https://github.com/advisories/GHSA-6mj4-8j98-6c94","title":"GitHub Advisory GHSA-6mj4-8j98-6c94","publisher":"GitHub Advisory Database"}]}]}