This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries.


1. zhuanhua (npm)

Hijacks browser pages that load [email protected] by injecting a full-screen iframe pointed at https://tckyv.ygh8tas.icu during browser execution. The payload is triggered by DOMContentLoaded or the immediate document.readyState path, not by an npm install hook.


2. creditcard.js (npm)

Malicious npm package 'creditcard.js' compromised in the Miasma / Mini Shai-Hulud supply-chain worm campaign (Socket). The affected version(s) were published with a worm payload that steals developer credentials and self-propagates to other packages and repositories belonging to the compromised maintainer.

References: https://socket.dev/supply-chain-attacks/miasma-mini-shai-hulud-supply-chain-attack


3. cursed-modules (npm)

Malicious package detected. Behaviors: data exfiltration, code execution, network activity, install-time execution.


4. openai-agents-helpers (npm)

Malicious package detected. Behaviors: data exfiltration, install-time execution.


5. px8my (npm)

This is an ad-injection/browser-hijacking package operated as an active campaign. The entrypoint px.js injects a fullscreen iframe overlay loading attacker-controlled content from mfmz.syndagroup.cn/H.html?c=0gjr, completely hijacking the victim browser viewport. The operational script update_px8my.sh exposes the attacker's full workflow: rotate the C2 domain in px.js, auto-increment the version, re-publish to npm, then purge jsDelivr CDN cache so the updated payload propagates to all cached consumers — a deliberate domain-rotation scheme to evade blocklists. The 25-version publish cadence over 13 days is consistent with this automated domain-rotation loop. The publisher nianpm has a 0.5 malicious ratio (sibling package zhuanhua already confirmed malicious in OSM), confirming a repeat threat actor running multiple malicious packages simultaneously.


6. ollama-helpers (npm)

Malicious package detected. Behaviors: data exfiltration, install-time execution.


7. anthropic-toolkit (npm)

This package is a developer-targeting infostealer operating under a fake 'telemetry' cover story. The postinstall script collects git user email from ~/.gitconfig, GitHub CLI credentials from ~/.config/gh/hosts.yml, committer emails from git reflog, SSH public key comments from ~/.ssh/*.pub, and cloud project identifiers, then exfiltrates all of it via HTTPS to the hardcoded C2 endpoint npm-package-logger-228835561205.europe-west1.run.app. The 'credentials are never read' disclaimer in the comments is a deliberate lie — the code reads ~/.config/gh/hosts.yml which contains GitHub OAuth tokens. The publisher 'arielsimon' has a 100% malicious ratio across all 5 other checked packages (@aspect-security/argon2, ai-sdk-helpers, ollama-helpers, openai-agents-helpers all rated critical), indicating a systematic supply chain attack campaign. The 21 versions published within ~65 seconds is classic version-spam to increase search ranking.


8. hardhat-compile-ethers (npm)

Malicious package detected. Behaviors: data exfiltration, code execution.


9. @ibrahim1337/baksen (npm)

Malicious package detected. Behaviors: obfuscated code.


10. svgson-lite (npm)

Malicious package detected. Behaviors: data exfiltration, code execution.


Want help mitigating malicious packages before they reach your network?

ShieldedStack acts as a security proxy in front of npm, PyPI, NuGet, and Maven, helping teams detect and block malicious or risky packages before they reach developer machines or CI pipelines.

Learn more: https://shieldedstack.com

Credits for the core data goes to https://opensourcemalware.com