This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries.
1. zhuanhua (npm)
- Package: https://www.npmjs.com/package/zhuanhua
- Severity: medium
- Affected versions: all
- Downloads: 9165
- First seen: 1 July 2026 at 22:55 UTC
Hijacks browser pages that load [email protected] by injecting a full-screen iframe pointed at https://tckyv.ygh8tas.icu during browser execution. The payload is triggered by DOMContentLoaded or the immediate document.readyState path, not by an npm install hook.
2. creditcard.js (npm)
- Package: https://www.npmjs.com/package/creditcard.js
- Severity: critical
- Affected versions: 2.1.8, 3.0.60
- Downloads: 8284
- First seen: 4 July 2026 at 22:55 UTC
Malicious npm package 'creditcard.js' compromised in the Miasma / Mini Shai-Hulud supply-chain worm campaign (Socket). The affected version(s) were published with a worm payload that steals developer credentials and self-propagates to other packages and repositories belonging to the compromised maintainer.
References: https://socket.dev/supply-chain-attacks/miasma-mini-shai-hulud-supply-chain-attack
3. cursed-modules (npm)
- Package: https://www.npmjs.com/package/cursed-modules
- Severity: critical
- Affected versions: all
- Downloads: 4231
- First seen: 1 July 2026 at 02:09 UTC
Malicious package detected. Behaviors: data exfiltration, code execution, network activity, install-time execution.
4. openai-agents-helpers (npm)
- Package: https://www.npmjs.com/package/openai-agents-helpers
- Severity: critical
- Affected versions: 1.3.2
- Downloads: 3108
- First seen: 29 June 2026 at 07:23 UTC
Malicious package detected. Behaviors: data exfiltration, install-time execution.
5. px8my (npm)
- Package: https://www.npmjs.com/package/px8my
- Severity: critical
- Affected versions: all
- Downloads: 2957
- First seen: 2 July 2026 at 08:23 UTC
This is an ad-injection/browser-hijacking package operated as an active campaign. The entrypoint px.js injects a fullscreen iframe overlay loading attacker-controlled content from mfmz.syndagroup.cn/H.html?c=0gjr, completely hijacking the victim browser viewport. The operational script update_px8my.sh exposes the attacker's full workflow: rotate the C2 domain in px.js, auto-increment the version, re-publish to npm, then purge jsDelivr CDN cache so the updated payload propagates to all cached consumers — a deliberate domain-rotation scheme to evade blocklists. The 25-version publish cadence over 13 days is consistent with this automated domain-rotation loop. The publisher nianpm has a 0.5 malicious ratio (sibling package zhuanhua already confirmed malicious in OSM), confirming a repeat threat actor running multiple malicious packages simultaneously.
6. ollama-helpers (npm)
- Package: https://www.npmjs.com/package/ollama-helpers
- Severity: critical
- Affected versions: 1.2.2
- Downloads: 2692
- First seen: 29 June 2026 at 07:22 UTC
Malicious package detected. Behaviors: data exfiltration, install-time execution.
7. anthropic-toolkit (npm)
- Package: https://www.npmjs.com/package/anthropic-toolkit
- Severity: critical
- Affected versions: 1.3.0
- Downloads: 2562
- First seen: 30 June 2026 at 03:39 UTC
This package is a developer-targeting infostealer operating under a fake 'telemetry' cover story. The postinstall script collects git user email from ~/.gitconfig, GitHub CLI credentials from ~/.config/gh/hosts.yml, committer emails from git reflog, SSH public key comments from ~/.ssh/*.pub, and cloud project identifiers, then exfiltrates all of it via HTTPS to the hardcoded C2 endpoint npm-package-logger-228835561205.europe-west1.run.app. The 'credentials are never read' disclaimer in the comments is a deliberate lie — the code reads ~/.config/gh/hosts.yml which contains GitHub OAuth tokens. The publisher 'arielsimon' has a 100% malicious ratio across all 5 other checked packages (@aspect-security/argon2, ai-sdk-helpers, ollama-helpers, openai-agents-helpers all rated critical), indicating a systematic supply chain attack campaign. The 21 versions published within ~65 seconds is classic version-spam to increase search ranking.
8. hardhat-compile-ethers (npm)
- Package: https://www.npmjs.com/package/hardhat-compile-ethers
- Severity: high
- Affected versions: 0.4.12
- Downloads: 2262
- First seen: 1 July 2026 at 19:25 UTC
Malicious package detected. Behaviors: data exfiltration, code execution.
9. @ibrahim1337/baksen (npm)
- Package: https://www.npmjs.com/package/@ibrahim1337/baksen
- Severity: critical
- Affected versions: all
- Downloads: 1774
- First seen: 29 June 2026 at 07:20 UTC
Malicious package detected. Behaviors: obfuscated code.
10. svgson-lite (npm)
- Package: https://www.npmjs.com/package/svgson-lite
- Severity: high
- Affected versions: 1.0.7
- Downloads: 1528
- First seen: 1 July 2026 at 19:29 UTC
Malicious package detected. Behaviors: data exfiltration, code execution.
Want help mitigating malicious packages before they reach your network?
ShieldedStack acts as a security proxy in front of npm, PyPI, NuGet, and Maven, helping teams detect and block malicious or risky packages before they reach developer machines or CI pipelines.
Learn more: https://shieldedstack.com
Credits for the core data goes to https://opensourcemalware.com