← All packages

Supply-chain attacks we’ve detected

Popular npm packages whose release stream was tampered with — versions our own analysis flagged as a likely account takeover, often before any public advisory landed. None of these versions were ever served from this registry; where the package still has clean releases, those keep flowing.

191
Packages hit
304
Blocked versions
2
GreenFlagged-confirmed catches

updated

Attacks we’ve detected

Coordinated supply-chain attacks that hit many packages at once — an entire npm scope having install hooks injected on the same day, for example. We rejected every impacted version; none were ever greenflagged or served from this registry.

7 attacks · 189 packages · 302 versions

@mastra scope compromise — malicious manual-publish burst (provenance regression), 2026/06/17 Coordinated attack
79 packages · 79 versions
Detected
Impacted packages (79)
@antv scope compromise — injected preinstall hooks (2026-05-19) Coordinated attack
75 packages · 150 versions
Detected
Impacted packages (75)
@asyncapi scope compromise - obfuscated backdoor dropper spliced into legitimate source (2026-07-14) Coordinated attack
4 packages · 4 versions
Detected
Impacted packages (4)
@clearpool scope compromise — install-script data exfiltration (2026-04-26) Coordinated attack
4 packages · 16 versions
Detected
Impacted packages (4)
hustcc / @antv account takeover — injected @antv/setup malware (2026-05-19) Coordinated attack
4 packages · 4 versions
Detected
Impacted packages (4)
Mini Shai-Hulud (compromised atool account) — preinstall exfil worm Coordinated attack
3 packages · 3 versions
Detected
Impacted packages (3)

Caught by GreenFlagged

Confirmed supply-chain compromises our team surfaced on popular, previously-trusted packages — a swapped maintainer, an injected install hook, a dropped provenance attestation — the patterns real account takeovers leave behind. We caught several of these before any public advisory landed; clean releases keep flowing.

art-template Caught by GreenFlagged clean versions still served
33,236 weekly downloads

Compromised release: remote-script injector (git.youzzjizz.com/git.js) hidden in the shipped bundle; version-header mismatch. Caught before any advisory (not in OSV).

JavaScript Template Engine

Blocked 1 version: 4.13.3
detected
path-addon Caught by GreenFlagged
479 weekly downloads

Remote-code loader: fetches a base64-encoded URL at import and eval()s the payload — caught by our analyzers before the advisory; all versions blocked.

Node.js path module

Read the writeup →

Blocked 1 version: 1.0.1
detected