Supply-chain attacks we’ve detected
Popular npm packages whose release stream was tampered with — either a version OSV confirmed as malicious code, or a version our own analysis flagged as a likely account takeover before any public advisory. None of these versions were ever served from this registry; where the package still has clean releases, those keep flowing.
Show OSV-confirmed only · updated
Confirmed malicious releases
Versions OSV’s malicious-packages dataset confirms contained malicious code. We blocked these the moment the advisory landed — or before, then OSV agreed.
MAL-2023-462 Malicious code in fsevents (npm)
Native Access to MacOS FSEvents
MAL-2025-21003 Malicious code in fs (npm)
This package name is not currently in use, but was formerly occupied by another package. To avoid malicious use, npm is hanging on to the package name, but loosely, and we'll probably give it to you if you want it.
MAL-2026-3020 Malicious code in @bitwarden/cli (npm)
A secure and free password manager for all of your devices.
MAL-2026-3288 Malicious code in common-tg-service (npm)
Common Telegram service for NestJS applications
MAL-2026-3077 Malicious code in axis-charts (npm)
Internal automation library.
MAL-2026-3078 Malicious code in axis-notification (npm)
Internal automation library.
MAL-2026-3079 Malicious code in axis-ui-generator (npm)
Internal automation library.
MAL-2026-3059 Malicious code in @clearpool/utils (npm)
Internal automation library.
MAL-2026-3069 Malicious code in @tochka-ui/foundation (npm)
gigaid utilities
MAL-2026-3068 Malicious code in @sbt_gitverse/analytics-client (npm)
analytics-client utilities
MAL-2026-3304 Malicious code in apcyber-test-package (npm)
Internal automation library.
MAL-2026-3075 Malicious code in axis-abc-search-account (npm)
Internal automation library.
MAL-2026-3074 Malicious code in axis-abc-portal-menu (npm)
Internal automation library.
MAL-2026-3076 Malicious code in axis-abc-search-address (npm)
Internal automation library.
MAL-2026-2862 Malicious code in rtms-manager (npm)
Dependency Confusion poc
MAL-2026-3040 Malicious code in apollo-vertex (npm)
MAL-2026-3038 Malicious code in apollo-landing (npm)
MAL-2026-3037 Malicious code in standalone-apps (npm)
MAL-2026-3036 Malicious code in uipath-ui-widgets (npm)
MAL-2026-3039 Malicious code in process-app-task (npm)
MAL-2026-3033 Malicious code in tether-base (npm)
Test package for dependency confusion detection
MAL-2026-3052 Malicious code in @alfa.life.mapp/app.web (npm)
app.web utilities
Flagged before any public advisory
Popular, previously-trusted packages where a new release set off our analysis or AI reviewer — a new publisher on an old version line, a swapped dependency, a dropped provenance attestation — the patterns real account takeovers leave behind. The reviewer’s own reasoning is shown; clean releases keep flowing.
This version of @babel/traverse has several strong rejection signals: 1.
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
The primary concern here is the regressed provenance finding.
Audited & minimal JS implementation of elliptic curve cryptography
This version exhibits the classic supply-chain attack pattern: provenance attestation regressed (prior versions had it), a 2.
This is v3.5.6 but the diff baseline is v6.6.3 — a massive version regression on a legacy branch. The provenance attestation is missing when prior versions had it, which is the exact pattern seen in…
Client for the realtime Engine
Multiple high-severity signals converge to indicate a likely account compromise or unauthorized publish: 1.
Two converging signals strongly suggest a potential account takeover or unauthorized publish: 1.
Decorator-based property validation for classes.
Multiple converging signals strongly suggest this version should not be admitted: 1.
Multiple high-severity signals converge here, forming a pattern consistent with a supply chain attack or account compromise: 1.
This version exhibits multiple concerning signals that collectively warrant rejection: 1.
Fork of `relay-compiler`
Multiple high-risk signals converge: publisher changed to a new account (boutell, 0 approved / 1 rejected), missing gitHead after previous versions had it, ~6-year dormancy before sudden publish, and…
Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis
The publisher "plusinnovations" is a brand-new account (first seen only 46 days ago, 0 packages published, 0 approved/rejected history) publishing a version of the well-established `systeminformation…
This version exhibits multiple strong indicators of a potentially compromised or unauthorized publish: 1.
Linter for the JavaScript Oxidation Compiler
Multiple high-severity signals converge to indicate a likely unauthorized or compromised publish: 1.
This package is highly suspicious and should be rejected for several reasons: 1.
construct pipes of streams of events
Multiple HIGH-severity signals converge to paint a very concerning picture consistent with a supply chain attack or account compromise: 1.
Multiple high-severity signals converge to indicate a likely account takeover or supply chain compromise: 1.
Multiple converging high-severity signals strongly suggest this is either an account compromise or unauthorized publish: 1.
The sole but significant finding here is a regressed provenance attestation: prior versions of @scure/bip32 were published via CI/CD with provenance attestations, but this version (1.
Secure, audited & minimal implementation of BIP32 hierarchical deterministic (HD) wallets over secp256k1
Multiple converging high-severity signals strongly indicate a compromised or unauthorized publish: 1.
Multiple high-severity signals converge strongly on a likely account compromise or unauthorized publish: 1.
Multiple high-severity signals converge to indicate a likely account compromise or unauthorized publish: 1.
This version of pdf-parse@1.
Pure TypeScript, cross-platform module for extracting text, images, and tabular data from PDFs. Run directly in your browser or in Node!
Two critical signals combine to make this a strong reject: 1.
More powerful alternative to Animated library for React Native.
Several converging signals make this version suspicious: 1.
Utility package providing type information for a variety of WebdriverIO interfaces
This version of @langchain/core exhibits two HIGH-severity signals that together constitute a strong compromise pattern: 1.
Core LangChain.js abstractions and schemas
Multiple high-severity signals converge to suggest a potential account compromise or unauthorized publish: 1.
The sole but significant finding here is a regressed provenance attestation: prior versions of @wdio/utils were published via CI/CD with provenance attestations, but this version (9.
A WDIO helper utility to provide several utility functions used across the project.
This package exhibits multiple red flags that collectively indicate a likely account takeover or malicious repackaging: 1.
Convert OpenAPI 3.0 & 3.1 schemas to TypeScript
Critical package identity mismatch: The package being reviewed is listed as `antd@0.
An enterprise-class UI design language and React components implementation
The single HIGH finding here is significant: this version was published without provenance attestation, while prior versions were published via CI/CD with attestations.
This version raises significant concern due to the combination of regressed provenance and suspicious version numbering.
A Node.js bindings implementation for the W3C WebDriver and Mobile JSONWire Protocol
This version raises significant supply-chain integrity concerns: 1.
OpenAI integrations for LangChain.js
This version raises multiple red flags that together warrant rejection: 1.
Next-gen browser and mobile automation test framework for Node.js
Multiple converging signals strongly suggest an account takeover or unauthorized publish rather than a legitimate maintainer transition: 1.
This version exhibits multiple critical red flags that collectively indicate a likely package compromise or malicious injection: 1.
tabs ui component for react
The critical signal here is that the publisher `zombiej` is SPAM-FLAGGED.
tree-select ui component for react
The publisher `zombiej` is SPAM-FLAGGED, which is a hard reject signal per the review rubric.
React date & time picker
The publisher `zombiej` is SPAM-FLAGGED, which is a hard reject signal per review policy.
switch ui component for react
The publisher `zombiej` is SPAM-FLAGGED, which is a hard reject signal per review policy.
cascade select ui component for react
This version exhibits multiple strong indicators of a potential package takeover: 1.
Minimalistic but perfect custom scrollbar plugin
The publisher `amasad` is SPAM-FLAGGED, which is a hard reject signal per policy.
Turns an AST into code.
This version (3.
WebdriverIO Assertion Library
Multiple converging signals strongly suggest this version was not published through the normal, trusted CI/CD pipeline: 1.
The primary concern here is the publisher mismatch.
A pure JavaScript reimplementation of git for node and browsers
The publisher `soda` is SPAM-FLAGGED, which is a hard reject signal per review policy.
hot reload api for *.vue components
The single but significant finding here is a regressed provenance attestation: prior versions of @noble/secp256k1 were published via CI/CD with provenance attestations, but this version (2.
Fastest 5KB JS implementation of secp256k1 ECDH & ECDSA signatures compliant with RFC6979
This package exhibits a critical metadata mismatch that indicates a fundamental integrity problem.
Amazon Cognito Identity Provider JavaScript SDK
This version exhibits multiple concerning signals that, in aggregate, suggest a potential account compromise or unauthorized package takeover: 1.
This version raises multiple red flags that together paint a concerning picture: 1.
Some old grunt utils provided for backwards compatibility.
This version exhibits a highly suspicious combination of signals that together strongly suggest a compromised or unauthorized publish: 1.
Official SDK for Inngest.com. Inngest is the reliability layer for modern applications. Inngest combines durable execution, events, and queues into a zero-infra platform with built-in observability.
The package.json declares itself as `[email protected]` (Native Abstractions for Node.js) but is published under the name `[email protected]` — a clear package identity mismatch indicating a hijack or s…
React JSON Viewer Component, Extracted from redux-devtools
This version is affected by GHSA-mgfv-m47x-4wqp (CVE-2020-26311), a ReDoS vulnerability with CVSS 7.
Fastest, most accurate & effecient user agent string parser, uses Browserscope's research for parsing
Two high-severity provenance signals fire together: prior versions were published via CI/CD with attestations, but this version lacks provenance and was published by a new npm account ("quuu", first…
Two HIGH-severity signals align with the axios-style supply chain attack pattern: provenance attestation regressed (prior versions had CI/CD attestations, this one doesn't) and the publisher changed…
Three compounding red flags: publisher changed from `capacitor-plugin-bot` to a new account (`os-pedrobilro`) with zero prior publishes, provenance attestation regressed (prior versions had CI/CD att…
This is codecov@3.
Uploading report to Codecov: https://codecov.io
Two HIGH-severity provenance signals are present and together constitute a strong account-compromise indicator: 1.
Link bins to node_modules/.bin
Three compounding high-severity signals: (1) provenance attestation regressed — prior versions published via CI/CD, this one published manually by `michelengelen`; (2) publisher changed from GitHub A…
Multiple converging signals strongly suggest this is a compromised or malicious version of tronweb: 1.
This version raises significant concerns due to the combination of several signals: 1.
A Chrome DevTools protocol binding that maps WebDriver commands into Chrome DevTools commands using Puppeteer
Two high-severity signals converge: provenance attestation regressed (prior versions published via CI/CD with attestations, this one lacks them) and the publisher changed from GitHub Actions to the n…
The publisher `isaacs` is SPAM-FLAGGED, which is a hard reject signal per review policy.
JavaScript package lifecycle hook runner
Multiple converging red flags point to a likely account compromise or supply-chain attack: 1.
Localizations for the Clerk components
Two converging signals strongly suggest account takeover or unauthorized publish: 1.
Two high-severity signals align: provenance attestation regressed (prior versions published via CI/CD, this one is not) and the publisher changed from GitHub Actions to a human account (`dkuc`) on th…
Multiple converging red flags point to a likely account compromise or hijack rather than a legitimate release: 1.
Clerk server SDK for usage with Express
Publisher changed from the long-standing `nikku` to `alekseymanetov` (first seen 19 days ago, 0 prior packages), combined with a dormant-publish flag (3680 days of inactivity) and a spam-flagged main…
Two high-severity signals converge: provenance attestation regressed (prior versions had CI/CD attestations; this one doesn't — the exact axios-attack pattern) and the publisher changed from `tiptap-…
Multiple high-severity signals converge to indicate a likely account compromise or unauthorized publish: 1.
Multiple high-severity signals converge to indicate a likely account compromise or unauthorized publish: 1.
Multiple converging signals raise serious concern about this version: 1.
Clerk SDK for Fastify
This package is a clear malware/supply chain attack.
Four newly added facade files (lib/cjs, lib/es, lib/umd, lib/facade.
Chart library for Univer.
Several converging signals raise serious concern about this version: 1.
JupyterLab - Editor Widget
Two HIGH-severity findings flag unclaimed maintainer email domains: `perrygeo@gmail.
validate and sanity-check geojson files
The dominant signal here is the HIGH-severity `regressed-provenance` finding: prior versions of this package were published with CI/CD provenance attestations, but this version (3.
Multiple converging signals strongly indicate a package takeover/hijack: 1.
JavaScript Template Engine
Provenance attestation is missing on this version despite prior versions being published via CI/CD with attestations — a pattern matching the axios supply-chain attack.
Three HIGH-severity OSV advisories affect this version (4.
Multiple converging signals strongly suggest this version is suspicious and potentially the result of an account compromise or unauthorized publish: 1.
Transforming XML to JSON using Node.js binding to native pugixml parser library
Two HIGH-severity provenance findings combine into a strong rejection signal: 1.
LLM-Agent-First Specification schemas and conformance tooling
This version exhibits a highly suspicious combination of signals that together strongly suggest a package hijack or malicious redirect: 1.
(Please use "@rushstack/node-core-library" instead.)
Two HIGH-severity provenance findings combine into a strong rejection signal: 1.
CLEO agent protocols and templates
Multiple converging signals strongly suggest a compromised or unauthorized publisher takeover: 1.
Multiple high-severity signals converge to paint a concerning picture for this version: 1.
A parser for Discord's protobufs
Two HIGH-severity provenance findings combine into a strong rejection signal: 1.
Domain types, interfaces, and contracts for the CLEO ecosystem