This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries.
1. @builder.io/dev-tools (npm)
- Package: https://www.npmjs.com/package/@builder.io/dev-tools
- Severity: critical
- Affected versions: 1.65.0
- Downloads: 35136
- First seen: 11 June 2026 at 00:19 UTC
Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code.
2. events-runtime (npm)
- Package: https://www.npmjs.com/package/events-runtime
- Severity: critical
- Affected versions: all
- Downloads: 19447
- First seen: 11 June 2026 at 00:27 UTC
Malicious package detected. Behaviors: code execution.
3. embiggen (pypi)
- Package: https://pypi.org/project/embiggen/
- Severity: critical
- Affected versions: unknown
- Downloads: 11677
- First seen: 11 June 2026 at 09:35 UTC
The PyPI package embiggen is part of the Hades Campaign, attributed to the Miasma threat actor. Malicious versions (0.11.97) inject a Python import hook that downloads the Bun JavaScript runtime and executes an AES-256-GCM encrypted multi-stage payload targeting Graph ML and scientific computing workflows. The payload performs cross-platform memory scraping of GitHub Actions runner processes to steal CI/CD secrets, SSH keys, and credentials, exfiltrating them to attacker-controlled GitHub repositories.
References: https://www.stepsecurity.io/blog/the-hades-campaign-pypi-packages
4. sensivity (npm)
- Package: https://www.npmjs.com/package/sensivity
- Severity: critical
- Affected versions: all
- Downloads: 9165
- First seen: 11 June 2026 at 09:30 UTC
Malicious package detected. Behaviors: code execution, obfuscated code.
5. ensmallen (pypi)
- Package: https://pypi.org/project/ensmallen/
- Severity: critical
- Affected versions: unknown
- Downloads: 5683
- First seen: 11 June 2026 at 09:35 UTC
The PyPI package ensmallen is part of the Hades Campaign, attributed to the Miasma threat actor. Malicious versions (0.8.101) inject a Python import hook that downloads the Bun JavaScript runtime and executes an AES-256-GCM encrypted multi-stage payload targeting Graph ML and scientific computing workflows. The payload performs cross-platform memory scraping of GitHub Actions runner processes to steal CI/CD secrets, SSH keys, and credentials, exfiltrating them to attacker-controlled GitHub repositories.
References: https://www.stepsecurity.io/blog/the-hades-campaign-pypi-packages
6. ecto-corsair-whisper-6f3b9 (npm)
- Package: https://www.npmjs.com/package/ecto-corsair-whisper-6f3b9
- Severity: high
- Affected versions: 1.0.23
- Downloads: 4636
- First seen: 11 June 2026 at 20:01 UTC
Malicious package detected. Behaviors: data exfiltration, code execution, network activity, install-time execution.
7. internallib_v557 (npm)
- Package: https://www.npmjs.com/package/internallib_v557
- Severity: high
- Affected versions: all
- Downloads: 4321
- First seen: 13 June 2026 at 07:47 UTC
Malicious package detected. Behaviors: data exfiltration, code execution.
8. ldpbootstrap-jquery (npm)
- Package: https://www.npmjs.com/package/ldpbootstrap-jquery
- Severity: critical
- Affected versions: all
- Downloads: 2149
- First seen: 14 June 2026 at 02:13 UTC
The entrypoint dist/bootstrap.js is an HTA-context PowerShell dropper/stager. It uses ActiveXObject to create %LOCALAPPDATA%\Landpage, fetches a remote PowerShell script authenticated with session tokens, payload digests, and device fingerprints, XOR-decrypts the payload using a hardcoded key (950bc06e05fab613ff99c71ce4fdd4ef), writes it to disk, and executes it silently via powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden. The hidden-window execution and multi-path fallback chain (direct fetch → XOR-decrypted stub → CDN-hosted encrypted blob → base64 obfuscated fallback) are characteristic of a staged malware loader, not a legitimate CDN bootstrap. The rapid-iteration publishing pattern (12 versions in under 2 days from a brand-new single-package account) is consistent with adversarial tuning of a delivery mechanism, matching the Contagious Interview/social-engineering dropper attacker model in which victims are tricked into running an HTA file that silently installs a malicious payload.
9. ect-839201 (npm)
- Package: https://www.npmjs.com/package/ect-839201
- Severity: high
- Affected versions: all
- Downloads: 1692
- First seen: 13 June 2026 at 10:48 UTC
Malicious package detected. Behaviors: data exfiltration, code execution, install-time execution.
10. postcss-minify-selector-parser (npm)
- Package: https://www.npmjs.com/package/postcss-minify-selector-parser
- Severity: critical
- Affected versions: 2.0.2
- Downloads: 1616
- First seen: 13 June 2026 at 09:27 UTC
This package is a typosquat of the legitimate 'postcss-minify-selector-parser' but contains no actual PostCSS functionality — its description reveals it as a 'layered custom codec pipeline' with AES-GCM, which is a payload loader pattern. Two of its direct dependencies ('encode-decode-codec' and 'position-unit-codec') are confirmed malicious in OSM, indicating a coordinated multi-package attack chain. The publisher 'abdrizak' already has a confirmed malicious package (aes-decode-runner-pro, severity high), giving a publisherMaliciousRatio of 0.5. The use of new Function('require', runnable) in src/pipeline/custom-codec-pipeline.js is a classic dynamic code execution loader pattern: it executes remotely sourced or decoded code with access to the module system. Rapid version publishing (10+ versions in ~24 hours), combined with no source repository and a 1-day-old package, confirms adversarial operational tempo.
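The analyses for entries 8 and 10 name concrete source-level indicators: an ActiveXObject-based dropper that launches powershell.exe with -WindowStyle Hidden, a new Function('require', ...) dynamic loader, and install-time execution. The following Python script is an added example, not part of this list and not any vendor's tooling, showing how a reviewer can triage an unpacked npm tarball for exactly those indicators before it is installed. The regular expressions, the indicator names, and the sample package it builds in a temporary directory are all constructed for this illustration.

```python
"""Triage scanner for the loader indicators described in entries 8 and 10.

Walks an unpacked package directory and reports, per file:
  - dynamic-loader:    new Function('require', ...)   (entry 10)
  - activex-dropper:   ActiveXObject usage            (entry 8)
  - hidden-powershell: powershell.exe ... -WindowStyle Hidden (entry 8)
  - install-script:*   preinstall/install/postinstall in package.json
The patterns are heuristics chosen for this example, not a vendor ruleset.
"""
import json
import re
import tempfile
from pathlib import Path

# Regexes are constructed here from the indicators quoted in the write-ups above.
INDICATORS = {
    "dynamic-loader": re.compile(r"new\s+Function\s*\(\s*['\"]require['\"]"),
    "activex-dropper": re.compile(r"\bActiveXObject\b"),
    "hidden-powershell": re.compile(
        r"powershell(?:\.exe)?[^\n]*-WindowStyle\s+Hidden", re.IGNORECASE
    ),
}
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall")


def scan_js_source(text):
    """Return the sorted indicator names that match one JavaScript source string."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_package_json(text):
    """Return the npm lifecycle scripts that would run at install time."""
    try:
        data = json.loads(text)
    except ValueError:
        return []
    scripts = data.get("scripts", {}) if isinstance(data, dict) else {}
    return [k for k in LIFECYCLE_SCRIPTS if k in scripts]


def scan_package_dir(root):
    """Walk an unpacked package; map relative path -> indicators for files with hits."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.name == "package.json":
            hits = ["install-script:" + s for s in scan_package_json(text)]
        elif path.suffix in (".js", ".cjs", ".mjs"):
            hits = scan_js_source(text)
        else:
            continue
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


def build_sample_package():
    """Construct a throwaway package that contains the indicator tokens (not working malware)."""
    root = Path(tempfile.mkdtemp(prefix="triage-sample-"))
    files = {
        "package.json": json.dumps(
            {"name": "sample-pkg", "version": "0.0.1",
             "scripts": {"postinstall": "node setup.js"}}
        ),
        # Mimics entry 8: only the tokens, no fetch/decrypt/execute logic.
        "dist/bootstrap.js": (
            'var fso = new ActiveXObject("Scripting.FileSystemObject");\n'
            'var cmd = "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned '
            '-WindowStyle Hidden";\n'
        ),
        # Mimics entry 10: a dynamic loader handed the module system.
        "src/pipeline/custom-codec-pipeline.js": (
            "const runnable = decode(blob);\n"
            "const run = new Function('require', runnable);\n"
        ),
        # Benign control file: should produce no hits.
        "lib/index.js": "module.exports = function parse(s) { return s.trim(); };\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel, hits in scan_package_dir(build_sample_package()).items():
        print(f"{rel}: {', '.join(hits)}")
```

To use it on a real package, run `npm pack <name>@<version>` in an empty directory, extract the tarball, and point scan_package_dir at the extracted package folder; doing this in CI before `npm install` keeps the package off developer machines. The matches are triage signals, not verdicts: the obfuscated packages in entries 1 and 4 would not expose these literal tokens, so a clean scan only means the simple indicators are absent.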
Want help mitigating malicious packages before they reach your network?
ShieldedStack acts as a security proxy in front of npm, PyPI, NuGet, and Maven, helping teams detect and block malicious or risky packages before they reach developer machines or CI pipelines.
Learn more: https://shieldedstack.com