Supply-chain attacks we’ve detected
Popular npm packages whose release stream was tampered with — either a version OSV confirmed as malicious code, or a version our own analysis flagged as a likely account takeover before any public advisory. None of these versions were ever served from this registry; where the package still has clean releases, those keep flowing.
Confirmed malicious releases
Versions OSV’s malicious-packages dataset confirms contained malicious code. We blocked these the moment the advisory landed, or earlier, with OSV confirming afterwards.
MAL-2023-462 Malicious code in fsevents (npm)
Native Access to MacOS FSEvents
MAL-2025-21003 Malicious code in fs (npm)
This package name is not currently in use, but was formerly occupied by another package. To avoid malicious use, npm is hanging on to the package name, but loosely, and we'll probably give it to you if you want it.
MAL-2026-3020 Malicious code in @bitwarden/cli (npm)
A secure and free password manager for all of your devices.
MAL-2026-4033 Malicious code in @antv/l7 (npm)
MAL-2026-4045 Malicious code in @antv/l7-maps (npm)
MAL-2026-4417 Malicious code in @pisell/pisellos (npm)
An extensible front-end modular SDK framework with plugin system support
MAL-2025-190931 Malicious code in @ensdomains/ens-contracts (npm)
MAL-2026-4410 Malicious code in @onerjs/addons (npm)
MAL-2026-2055 Malicious code in @emilgroup/partner-sdk-node (npm)
OpenAPI client for @emilgroup/partner-sdk-node
MAL-2026-3080 Malicious code in frank-bot-gogle-cloning (npm)
Security audit module
MAL-2026-4021 Malicious code in @antv/gpt-vis-ssr (npm)
SSR(Server Side Render) for AntV GPT-Vis.
MAL-2026-2079 Malicious code in @emilgroup/task-sdk-node (npm)
OpenAPI client for @emilgroup/task-sdk-node
MAL-2026-2078 Malicious code in @emilgroup/task-sdk (npm)
OpenAPI client for @emilgroup/task-sdk
MAL-2026-3058 Malicious code in @clearpool/table (npm)
Internal automation library.
MAL-2026-3057 Malicious code in @clearpool/streaming (npm)
Internal automation library.
MAL-2026-3059 Malicious code in @clearpool/utils (npm)
Internal automation library.
MAL-2026-3056 Malicious code in @clearpool/comms (npm)
Internal automation library.
MAL-2026-3081 Malicious code in frank-research-poc-apple (npm)
MAL-2026-3036 Malicious code in uipath-ui-widgets (npm)
MAL-2026-2862 Malicious code in rtms-manager (npm)
Dependency Confusion poc
MAL-2026-3037 Malicious code in standalone-apps (npm)
MAL-2026-3196 Malicious code in react-dnd-14 (npm)
MAL-2026-3128 Malicious code in wm-plugin-teach-me-widget (npm)
Security testing test package
MAL-2026-3038 Malicious code in apollo-landing (npm)
MAL-2026-3040 Malicious code in apollo-vertex (npm)
MAL-2026-3039 Malicious code in process-app-task (npm)
MAL-2026-3076 Malicious code in axis-abc-search-address (npm)
Internal automation library.
MAL-2026-3074 Malicious code in axis-abc-portal-menu (npm)
Internal automation library.
MAL-2026-3304 Malicious code in apcyber-test-package (npm)
Internal automation library.
MAL-2026-3075 Malicious code in axis-abc-search-account (npm)
Internal automation library.
MAL-2026-3312 Malicious code in path-internal-util (npm)
Node.js path module
MAL-2026-3106 Malicious code in @activation_code/activate (npm)
activate utilities
MAL-2026-3033 Malicious code in tether-base (npm)
Test package for dependency confusion detection
MAL-2026-3052 Malicious code in @alfa.life.mapp/app.web (npm)
app.web utilities
MAL-2026-3053 Malicious code in @apple-pay-trust/merchant-session (npm)
merchant-session utilities
MAL-2026-3111 Malicious code in @apple-pay-trust/authorize-payment (npm)
authorize-payment utilities
MAL-2026-3110 Malicious code in @apiary-annex/title (npm)
title utilities
MAL-2026-3109 Malicious code in @apiary-annex/meta (npm)
meta utilities
MAL-2026-3112 Malicious code in @apple-pay-trust/cancelled (npm)
cancelled utilities
MAL-2026-3113 Malicious code in @apple-pay-trust/check-apple-pay-result (npm)
check-apple-pay-result utilities
MAL-2026-3054 Malicious code in @apple-pay-trust/start (npm)
start utilities
MAL-2026-3116 Malicious code in @business_promocode/apply_promocode (npm)
apply_promocode utilities
MAL-2026-3115 Malicious code in @b2b_blocker/show_activation_error (npm)
show_activation_error utilities
MAL-2026-3117 Malicious code in @business_promocode/cancel_promocode (npm)
cancel_promocode utilities
MAL-2026-3067 Malicious code in @ozon-complt/split (npm)
split utilities
MAL-2025-191352 Malicious code in @voiceflow/google-types (npm)
Google service types
MAL-2026-3061 Malicious code in @google-pay-trust/authorize-payment (npm)
authorize-payment utilities
MAL-2026-3077 Malicious code in axis-charts (npm)
Internal automation library.
MAL-2026-3066 Malicious code in @ozon-complt/antibot-handler (npm)
antibot-handler utilities
MAL-2026-3064 Malicious code in @google-pay-trust/init-google-pay (npm)
init-google-pay utilities
MAL-2026-3078 Malicious code in axis-notification (npm)
Internal automation library.
MAL-2026-3079 Malicious code in axis-ui-generator (npm)
Internal automation library.
MAL-2026-3062 Malicious code in @google-pay-trust/cancelled (npm)
cancelled utilities
MAL-2026-3114 Malicious code in @apple-pay-trust/finish (npm)
finish utilities
MAL-2026-3055 Malicious code in @apple-pay-trust/validate-merchant (npm)
validate-merchant utilities
MAL-2026-3122 Malicious code in @w3m-frame/session_update (npm)
session_update utilities
MAL-2026-3073 Malicious code in @tw-utils/static (npm)
static utilities
MAL-2026-3071 Malicious code in @tw-marionette/input (npm)
input utilities
MAL-2026-3072 Malicious code in @tw-models/storage (npm)
storage utilities
MAL-2026-3317 Malicious code in @apple-pay-trust/destroy (npm)
destroy utilities
MAL-2026-3063 Malicious code in @google-pay-trust/finish (npm)
finish utilities
MAL-2026-3118 Malicious code in @pyme-web/ui-base (npm)
ui-base utilities
MAL-2026-3068 Malicious code in @sbt_gitverse/analytics-client (npm)
analytics-client utilities
MAL-2026-3160 Malicious code in apple-internal-pki-utils (npm)
MAL-2026-3120 Malicious code in @pyme-web/web-api (npm)
web-api utilities
MAL-2026-3082 Malicious code in kl-b2c-ui-kit (npm)
kl-b2c-ui-kit utilities
MAL-2026-3069 Malicious code in @tochka-ui/foundation (npm)
gigaid utilities
MAL-2026-3119 Malicious code in @pyme-web/ui-widget (npm)
ui-widget utilities
MAL-2025-190901 Malicious code in @postman/final-node-keytar (npm)
Bindings to native Mac/Linux/Windows password APIs
MAL-2026-3070 Malicious code in @tw-marionette/clipboard (npm)
clipboard utilities
MAL-2026-3121 Malicious code in @taxmoninor/taxmon (npm)
taxmon utilities
MAL-2026-3124 Malicious code in apple-internal-dev-check (npm)
MAL-2026-3152 Malicious code in apple-coredata-internal-service (npm)
Internal research utility for infrastructure audit
Flagged before any public advisory
Popular, previously-trusted packages where a new release set off our analysis or AI reviewer — a new publisher on an old version line, a swapped dependency, a dropped provenance attestation — the patterns real account takeovers leave behind. The reviewer’s own reasoning is shown; clean releases keep flowing.
This version of @babel/traverse has several strong rejection signals: 1.
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Multiple high-severity signals converge: provenance attestation regressed (previously published via CI/CD, now manually by streamich), source size dropped 99% (468KB→4KB), and 8 new pinned @jsonjoy.
In-memory file-system with Node's fs API.
Provenance attestation regressed (prior versions had CI/CD provenance, this one doesn't), publisher changed from GitHub Actions to a human account (anhpnnd), and the package was dormant for ~3400 day…
A Jest transformer with source map support that lets you use Jest to test projects written in TypeScript
The primary concern here is the regressed provenance finding.
Audited & minimal JS implementation of elliptic curve cryptography
This version exhibits the classic supply-chain attack pattern: provenance attestation regressed (prior versions had it), a 2.
Extremely suspicious: this publishes an ancient v1.
This is v3.5.6 but the diff baseline is v6.6.3 — a massive version regression on a legacy branch. The provenance attestation is missing when prior versions had it, which is the exact pattern seen in…
Client for the realtime Engine
This version exhibits multiple concerning signals that collectively warrant rejection: 1.
Fork of `relay-compiler`
The sole but significant finding here is a regressed provenance attestation: prior versions of @scure/bip32 were published via CI/CD with provenance attestations, but this version (1.
Secure, audited & minimal implementation of BIP32 hierarchical deterministic (HD) wallets over secp256k1
The publisher "plusinnovations" is a brand-new account (first seen only 46 days ago, 0 packages published, 0 approved/rejected history) publishing a version of the well-established `systeminformation…
Multiple high-severity signals converge to indicate a likely account takeover or supply chain compromise: 1.
Multiple converging high-severity signals strongly suggest this is either an account compromise or unauthorized publish: 1.
Multiple converging high-severity signals strongly indicate a compromised or unauthorized publish: 1.
Multiple high-severity signals converge to indicate a likely account compromise or unauthorized publish: 1.
This version of pdf-parse@1.
Pure TypeScript, cross-platform module for extracting text, images, and tabular data from PDFs. Run directly in your browser or in Node!
This package is highly suspicious and should be rejected for several reasons: 1.
construct pipes of streams of events
This package exhibits multiple red flags that collectively indicate a likely account takeover or malicious repackaging: 1.
Convert OpenAPI 3.0 & 3.1 schemas to TypeScript
Several converging signals make this version suspicious: 1.
Utility package providing type information for a variety of WebdriverIO interfaces
This version is missing provenance attestation that was present in prior versions — a pattern matching the axios supply-chain attack (March 2026).
Use Datadog from your CI.
The single HIGH finding here is significant: this version was published without provenance attestation, while prior versions were published via CI/CD with attestations.
The sole but significant finding here is a regressed provenance attestation: prior versions of @wdio/utils were published via CI/CD with provenance attestations, but this version (9.
A WDIO helper utility to provide several utility functions used across the project.
Critical package identity mismatch: The package being reviewed is listed as `antd@0.
An enterprise-class UI design language and React components implementation
This version raises significant concern due to the combination of regressed provenance and suspicious version numbering.
A Node.js bindings implementation for the W3C WebDriver and Mobile JSONWire Protocol
A SHA-pinned GitHub URL dependency (`@antv/setup` → `github:antvis/G2#.
Mock a canvas in your jest tests.
The dependency swap from `debug` to `obug` is suspicious — `obug` is not a well-known package and could be a typosquat or supply-chain attack vector (cf.
Inspect the intermediate state of Vite plugins
This version raises multiple red flags that together warrant rejection: 1.
Next-gen browser and mobile automation test framework for Node.js
Multiple converging signals strongly suggest an account takeover or unauthorized publish rather than a legitimate maintainer transition: 1.
This version exhibits multiple strong indicators of a potential package takeover: 1.
Minimalistic but perfect custom scrollbar plugin
This version exhibits multiple critical red flags that collectively indicate a likely package compromise or malicious injection: 1.
tabs ui component for react
Provenance attestation is missing for this version despite prior versions being published via CI/CD with attestations — this matches the exact pattern of the axios supply-chain attack.
Multiple high-severity signals converge: publisher changed from `dmitry-zaets` to `eskimojo` after 2985 days of dormancy, no gitHead linking to a source commit, and the new dist files flagged as net-…
Provenance attestation is missing for this version despite prior versions being published via CI/CD with attestations — a strong indicator of unauthorized publish or account compromise (the axios att…
Tagged template literal for Sanity.io GROQ-queries
This version (3.
WebdriverIO Assertion Library
The primary concern here is the publisher mismatch.
A pure JavaScript reimplementation of git for node and browsers
The single but significant finding here is a regressed provenance attestation: prior versions of @noble/secp256k1 were published via CI/CD with provenance attestations, but this version (2.
Fastest 5KB JS implementation of secp256k1 ECDH & ECDSA signatures compliant with RFC6979
Version 7.29.13 is a massive regression from v9.0.3: it removes all core runtime deps (@mui/x-data-grid, @mui/x-license, etc.), adds 220 new source files (inlining what was previously imported), and…
Suspicious SHA-pinned GitHub dependency `@antv/setup` added to `optionalDependencies` pointing to an unrelated repo (antvis/G2), combined with 2581 days of dormancy and missing gitHead.
This version exhibits multiple concerning signals that, in aggregate, suggest a potential account compromise or unauthorized package takeover: 1.
Two high-severity provenance signals fire together: prior versions were published via CI/CD with attestations, but this version lacks provenance and was published by a new npm account ("quuu", first…
This package exhibits a critical metadata mismatch that indicates a fundamental integrity problem.
Amazon Cognito Identity Provider JavaScript SDK
This version raises multiple red flags that together paint a concerning picture: 1.
Some old grunt utils provided for backwards compatibility.
This version is missing provenance attestation that was present in prior versions — a strong indicator of unauthorized publish (matching the axios attack pattern).
Datadog CI plugin for `gate` commands
The package.json declares itself as `[email protected]` (Native Abstractions for Node.js) but is published under the name `[email protected]` — a clear package identity mismatch indicating a hijack or s…
React JSON Viewer Component, Extracted from redux-devtools
Suspicious `@antv/setup` GitHub SHA-pinned dependency added to `optionalDependencies` — this package has no legitimate reason to depend on an AntV/G2 component.
This version is affected by GHSA-mgfv-m47x-4wqp (CVE-2020-26311), a ReDoS vulnerability with CVSS 7.
Fastest, most accurate & efficient user agent string parser, uses Browserscope's research for parsing
Textbook supply-chain attack: newly added `preinstall` running a heavily obfuscated 498KB `index.
OSV advisory GHSA-qj3p-xc97-xw74 directly affects this version (>=0.
Multiple converging red flags point to a likely account compromise or supply-chain attack: 1.
Localizations for the Clerk components
This version is missing provenance attestation that all prior versions had — a strong indicator of unauthorized publish (matches the axios attack pattern).
Sanity plugin for running/debugging GROQ-queries against Sanity datasets
This version raises significant concerns due to the combination of several signals: 1.
A Chrome DevTools protocol binding that maps WebDriver commands into Chrome DevTools commands using Puppeteer
Textbook supply-chain attack: newly added `preinstall` script (`bun run index.
Suspicious SHA-pinned GitHub dependency `@antv/setup` (pointing to antvis/G2) in `optionalDependencies` has no legitimate reason to exist in a simple Date-mocking library.
Multiple converging signals strongly suggest this is a compromised or malicious version of tronweb: 1.
This is codecov@3.
Uploading report to Codecov: https://codecov.io
Two converging signals strongly suggest account takeover or unauthorized publish: 1.
Textbook supply-chain attack: newly added `preinstall` script runs a 498KB heavily obfuscated file (javascript-obfuscator hex-named functions, `while(!![])` loops) that spreads `process.
This is a supply-chain attack.
layout algorithms for visualizing hierarchical data
The publisher `jarekdanielak` is SPAM-FLAGGED, and this version was published by a different account than the historical publisher (`nikku`), after ~8 years of dormancy on this account.
Textbook supply-chain attack on a popular package: newly added `preinstall` script runs a 498KB heavily obfuscated file (javascript-obfuscator hex-function pattern) that spreads `process.
This is a supply-chain attack.
A renderer implemented by SVG
Publisher changed from the long-standing `nikku` to `alekseymanetov` (first seen 19 days ago, 0 prior packages), combined with a dormant-publish flag (3680 days of inactivity) and a spam-flagged main…
This is a supply-chain attack.
A Graph Visualization Framework in JavaScript
Provenance attestation regressed after prior versions had CI/CD attestations — this matches the axios supply-chain attack pattern exactly.
This is a supply-chain attack.
@antv/graphlib
This is a supply-chain attack.
graph algorithm
Version 3.0.4 is a massive regression from v5.0.0 — version number went backwards, provenance attestation dropped, publisher switched from GitHub Actions to a manual publish, and 1215 new source file…
Provenance attestation is missing on this version despite prior versions being published via CI/CD with attestations — a strong indicator of unauthorized publish or account compromise (matching the a…
Adds custom API routes to be compatible with the AI SDK UI parts
Two compounding signals: provenance attestation regressed (prior versions had CI/CD attestations, this one doesn't) and published after 549 days of dormancy — exactly the pattern seen in the axios su…
Avatar style for DiceBear
Provenance attestation regressed — prior versions were published via CI/CD with attestations, but this version was published manually by `floriankoerner` without provenance.
Avatar style for DiceBear
Provenance attestation regressed (prior versions had CI/CD attestations; this was published manually by floriankoerner), combined with 1586 days of dormancy before this publish — the exact pattern se…
Avatar style for DiceBear
Provenance attestation regressed — prior versions were published via CI/CD with attestations, but this version was published manually by floriankoerner without provenance.
Avatar style for DiceBear
Textbook supply-chain attack: newly added `preinstall` script runs a 498KB heavily obfuscated file (javascript-obfuscator hex-function names, `while(!![])` loops) that spreads `process.
The mark plot in antv/g2
Two high-severity provenance signals: publisher changed from `datadog` to `GitHub Actions` and provenance attestation is missing despite prior versions having it.
Datadog CI plugin for `cloud-run` commands
Provenance attestation is present on prior versions but missing from this release — a pattern matching the axios supply-chain attack.
This version is missing provenance attestation that was present in prior versions — a pattern matching the axios supply-chain attack (March 2026).
Command-line interface for Kubb, enabling easy generation of TypeScript, React-Query, Zod, and other code from OpenAPI specifications.
This is a supply-chain attack: a 498KB heavily obfuscated `index.
Four newly added facade files (lib/cjs, lib/es, lib/umd, lib/facade.
Chart library for Univer.
This is a supply-chain attack.
A React toolkit for graph analysis based on g6
This is a supply-chain attack.
Using React Component to Define Your G6 Graph Node
This is a clear supply-chain attack: a new publisher (`atool`) added a `preinstall` script running a heavily obfuscated `index.
This version was published without provenance attestation despite prior versions having CI/CD attestations — the exact pattern seen in the axios supply-chain attack.
This is a textbook supply-chain attack: publisher changed from `wang1212` to `atool` after 1116 days of dormancy, a heavily obfuscated 498KB `index.
Classic supply-chain attack: publisher changed after 1183 days of dormancy, a heavily obfuscated 498KB `index.
This is a textbook supply-chain attack: publisher changed after 1313 days of dormancy, a heavily obfuscated 498KB `index.
This is a textbook supply-chain attack: publisher changed after 563 days of dormancy, a heavily obfuscated 498KB `index.
This is a textbook supply-chain attack: publisher changed, a 498KB heavily obfuscated `index.
Classic supply-chain attack: publisher changed from `wang1212` to `atool` after 1742 days of dormancy, a new obfuscated 498KB `index.
This is a textbook supply-chain attack: publisher changed from `wang1212` to `atool` after 1116 days of dormancy, a 498KB obfuscated `index.
This is a textbook supply-chain attack: publisher changed from `wang1212` to `atool` after 1424 days of dormancy, a heavily obfuscated 498KB `index.
Reused prior AI decision (aiReviewId=125204): Risk score of 100 with no findings is a critical red flag indicating a severe metadata or structural anomaly.
Complete maintainer takeover: all prior maintainers (zacanger) replaced by a new account (zautumnz) with zero prior publish history, published after 2412 days of dormancy.
Classic supply-chain attack: publisher changed, a heavily obfuscated 498KB `index.
This version breaks the provenance attestation chain that all prior versions maintained — a pattern matching the axios supply-chain attack.
Spec-agnostic AST layer for Kubb. Defines nodes, visitor pattern, and factory functions used across codegen plugins.
This is a clear supply-chain attack on the legitimate `timeago-react` package.
This version is missing provenance attestation that was present in prior versions — a strong indicator of unauthorized publish (matching the axios attack pattern).
Two HIGH-severity findings flag unclaimed maintainer email domains: `perrygeo@gmail.
validate and sanity-check geojson files
This package is a clear malware/supply chain attack.
This version exhibits a highly suspicious combination of signals that together strongly suggest a package hijack or malicious redirect: 1.
(Please use "@rushstack/node-core-library" instead.)
Provenance attestation regressed — prior versions were published via GitHub Actions CI/CD but this version was published manually by `omranabazid`, matching the exact pattern of supply-chain attacks…
Zod schemas and TypeScript types for Camunda 8 unified API
Three converging signals: provenance attestation regressed (prior versions had CI/CD attestations, this one doesn't — the axios-attack pattern), published after 1213 days of dormancy, and source size…
Several converging signals raise serious concern about this version: 1.
JupyterLab - Editor Widget
This is a clear supply-chain attack: a newly added `preinstall` script runs `bun run index.
data set with state management
Several concerning signals combine here to warrant rejection: 1.
Persistent autonomy infrastructure for AI agents
Multiple converging signals strongly indicate a package takeover/hijack: 1.
JavaScript Template Engine
The HIGH `regressed-provenance` finding is the key signal: prior versions had CI/CD attestations but this version was published manually by `fcollonval` without provenance — the exact pattern seen in…
Publisher changed to `semi-bot`, which is SPAM-FLAGGED — a hard reject signal.
Provenance attestation is missing on this version despite prior versions being published via CI/CD with attestations — a pattern matching the axios supply-chain attack.
The publisher `semi-bot` is SPAM-FLAGGED, which is a hard reject signal.
This version breaks the provenance attestation chain that all prior versions maintained — a pattern matching known supply-chain attacks (e.
ESLint plugin to enforce canonical Tailwind CSS class names using Tailwind CSS v4's canonicalization API
Provenance attestation regressed — prior versions published via CI/CD with attestations, this version published manually by a new npm account (brilliantdirectories-user, first seen 24 days ago).
Official MCP server for Brilliant Directories — manage members, posts, leads, reviews, and more.
Brand-new publisher (first seen 17 days ago, 0 prior packages) shipping a 1.
Command Code, coding agent that continuously learns your coding taste
Two high-severity provenance signals fire together: publisher changed from GitHub Actions to `shogun_panda` and provenance attestation is missing — exactly the pattern seen in the axios supply-chain…
Platformatic Capability Metrics
Multiple strong risk signals converge here: 1.
Private materials used by the pisell front end