This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries.


1. @andrewstory18/is-real-odd (npm)

Malicious package detected. Behaviors: install-time execution.


2. @injectivelabs/sdk-ts (npm)

@injectivelabs/[email protected] was compromised via a GitHub contributor account — which unverified reports indicate was hijacked — that injected malicious code into the TypeScript SDK before publication to npm. The malicious version was published on July 8, 2026 at approximately 22:59 GMT+2 and received 310 confirmed downloads before a revert was published at 23:48 GMT+2. The attacker introduced fake telemetry functionality that silently exfiltrates cryptographic material — mnemonic phrases and private key hex values — whenever developers invoke key derivation functions. This gives the attacker the ability to fully regenerate victim private keys and drain associated cryptocurrency wallets. Safe versions are 1.20.20 (prior release) and 1.20.22 or later. The package has approximately 50,000 weekly downloads and 87 dependent packages on npm, 17 of which are also part of the @injectivelabs ecosystem and pulled in v1.20.21 as a dependency.

References: https://github.com/InjectiveLabs/injective-ts/issues/697, https://socket.dev/blog/compromised-injective-sdk-npm-package


3. bingo-ai (pypi)

This package is described as a Red Teaming tool and that's what it appears to be. As such it includes many malicious payloads. We are flagging it as an "informational" as you would only want to install this as a offensive security professional. If you see this downloaded into your environment outside of that context, you should probably alert your security team.


4. jscrambler (npm)

Multiple versions of the jscrambler npm package were trojanized via compromised npm publishing credentials and published on July 11, 2026. Jscrambler confirmed the unauthorized publication in a security advisory the same day, noting that detection occurred within seconds due to unexpected maintainer notifications. The malicious versions execute a native binary dropper at install time via a preinstall lifecycle hook. The dropper writes platform-specific Rust-compiled binaries to a randomly-named hidden temporary file and launches them as a detached subprocess with suppressed output. The payload fingerprints the environment by probing cloud metadata endpoints and checking for Tor exit node status before proceeding. Versions 8.14.0, 8.16.0, 8.17.0, and 8.20.0 are confirmed affected per Jscrambler's advisory and have been deprecated on npm. Version 8.18.0 is additionally flagged as malicious by independent third-party analysis in the GitHub issue thread: the attacker removed the preinstall hook and moved the dropper directly into dist/index.js and dist/bin/jscrambler.js, causing it to fire at require() time rather than install time — evading the most common supply chain scanning heuristic. As of the time of this report, Jscrambler has not deprecated 8.18.0 on npm and has not responded to the third-party claim in the GitHub issue. Version 8.22.0 is confirmed safe. Only Jscrambler's Code Integrity product is affected — Webpage Integrity and other products were not impacted.

References: https://jscrambler.com/blog/security-advisory-malicious-npm-package, https://github.com/jscrambler/jscrambler/issues/323, https://socket.dev/blog/jscrambler-supply-chain-attack


5. creditcard.js (npm)

Malicious npm package 'creditcard.js' compromised in the Miasma / Mini Shai-Hulud supply-chain worm campaign (Socket). The affected version(s) were published with a worm payload that steals developer credentials and self-propagates to other packages and repositories belonging to the compromised maintainer.

References: https://socket.dev/supply-chain-attacks/miasma-mini-shai-hulud-supply-chain-attack


6. paperclip-adapter-helpers (npm)

Malicious package detected. Behaviors: code execution, network activity.


7. mcp-server-pg (npm)

Malicious package detected.


8. neon-terminal (npm)

Malicious package detected. Behaviors: data exfiltration, code execution, network activity.


9. paperclip-host-utils (npm)

Malicious package detected.


10. es6-codify (npm)

Malicious package detected. Behaviors: data exfiltration.


Want help mitigating malicious packages before they reach your network?

ShieldedStack acts as a security proxy in front of npm, PyPI, NuGet, and Maven, helping teams detect and block malicious or risky packages before they reach developer machines or CI pipelines.

Learn more: https://shieldedstack.com

Credits for the core data goes to https://opensourcemalware.com