Supply-chain attacks we’ve detected
Popular npm packages whose release stream was tampered with — versions our own analysis flagged as a likely account takeover, often before any public advisory landed. None of these versions were ever served from this registry; where the package still has clean releases, those keep flowing.
updated
Attacks we’ve detected
Coordinated supply-chain attacks that hit many packages at once — an entire npm scope having install hooks injected on the same day, for example. We rejected every impacted version; none were ever greenflagged or served from this registry.
7 attacks · 189 packages · 302 versions
Impacted packages (79)
Impacted packages (75)
Impacted packages (20)
Impacted packages (4)
Impacted packages (4)
Impacted packages (3)
Caught by GreenFlagged
Confirmed supply-chain compromises our team surfaced on popular, previously-trusted packages — a swapped maintainer, an injected install hook, a dropped provenance attestation — the patterns real account takeovers leave behind. We caught several of these before any public advisory landed; clean releases keep flowing.
Compromised release: remote-script injector (git.youzzjizz.com/git.js) hidden in the shipped bundle; version-header mismatch. Caught before any advisory (not in OSV).
JavaScript Template Engine
Remote-code loader: fetches a base64-encoded URL at import and eval()s the payload — caught by our analyzers before the advisory; all versions blocked.
Node.js path module