This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries.


1. durabletask (pypi)

TeamPCP compromised a legitimate PyPI contributor and published three malicious versions (1.4.1, 1.4.2 and 1.4.3) of durabletask, a Python package implementing Microsoft Azure's Durable Task Framework that is used in cloud automation and CI/CD workflows.

References: https://www.aikido.dev/blog/durabletask-package-compromised-mini-shai-hulud


2. art-template (npm)

The npm package art-template (versions 4.13.3-4.13.6) was published by unauthorized maintainers after a takeover of the original maintainer account; the last clean version is 4.13.2 (Nov 2018). The compromised versions inject a browser-side loader into the UMD bundle (lib/template-web.js) that fetches a multi-stage iOS browser exploit kit targeting iPhone visitors. The kit exploits CVE-2024-23222 plus 22 additional iOS vulnerabilities (iOS 13.0-17.2.1) for zero-click native code execution, ultimately delivering the PLASMAGRID cryptocurrency wallet implant. Roughly 26,000 weekly downloads are affected.


3. @antv/x6-geometry (npm)

This package was republished without maintainer authorization during a large-scale account takeover of the npm publisher account atool, attributed to the threat actor TeamPCP. On 2026-05-19 the atool account -- which owns 547 packages including the entire AntV (Alibaba) data-visualization suite -- pushed new versions of 300+ packages in two tightly clustered publish waves across many unrelated source repositories. This signature matches an automated npm publish loop running against a stolen publishing credential, and the republished tarballs beacon to attacker-controlled C2 infrastructure disguised as an OpenTelemetry trace collector. Any version of this package published on or after 2026-05-19T01:39:31Z must be treated as compromised.

References: https://opensourcemalware.com/blog/teampcp-compromises-npm-maintainer-with-over-540-packages, https://socket.dev/blog/antv-packages-compromised
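As an added example (not code from the advisory or the referenced write-ups), the cutoff rule above can be turned into a check: read the registry document for a package, flag every version whose publish time is at or after 2026-05-19T01:39:31Z, and cross-check a package-lock.json for installed hits. The registry document and lockfile below are constructed samples with a made-up package name, not real release data.

```python
from datetime import datetime

# Cutoff from the advisory: anything published at or after this instant is suspect.
CUTOFF = "2026-05-19T01:39:31Z"

# Constructed document in the shape of https://registry.npmjs.org/<name>;
# the package name, versions and timestamps are made up for this example.
SAMPLE_DOC = {
    "name": "@example/viz",
    "time": {
        "created": "2019-03-01T10:00:00.000Z",
        "modified": "2026-05-19T01:41:05.000Z",
        "4.0.0": "2022-06-10T08:12:44.000Z",
        "4.0.1": "2026-05-19T01:39:31.000Z",
        "4.0.2": "2026-05-19T01:41:05.000Z",
    },
}

# Constructed package-lock.json (lockfileVersion 2/3) excerpt, also made up.
SAMPLE_LOCK = {
    "packages": {
        "": {"name": "myapp"},
        "node_modules/@example/viz": {"version": "4.0.2"},
        "node_modules/left-pad": {"version": "1.3.0"},
    }
}

def parse_ts(s):
    # Registry timestamps are ISO 8601 with a trailing Z, e.g. 2026-05-19T01:39:31.000Z.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def compromised_versions(doc, cutoff=CUTOFF):
    """Versions in doc['time'] published at or after cutoff, oldest first."""
    cut = parse_ts(cutoff)
    times = doc.get("time", {})
    # 'created' and 'modified' are bookkeeping keys in the time map, not versions.
    flagged = [v for v, ts in times.items()
               if v not in ("created", "modified") and parse_ts(ts) >= cut]
    return sorted(flagged, key=lambda v: parse_ts(times[v]))

def lockfile_hits(lock, flagged_by_name):
    """Return (name, version) pairs from the lockfile that are in flagged_by_name."""
    hits = []
    for path, entry in lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # the root project entry has an empty path
        name = path.rsplit("node_modules/", 1)[1]  # last segment handles nested deps
        if entry.get("version") in flagged_by_name.get(name, ()):
            hits.append((name, entry["version"]))
    return hits

if __name__ == "__main__":
    bad = {SAMPLE_DOC["name"]: set(compromised_versions(SAMPLE_DOC))}
    print(bad, lockfile_hits(SAMPLE_LOCK, bad))
```

Against the real registry, fetch the document for each package named in this list and feed it to compromised_versions before trusting a resolved version.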


4. @antv/f2 (npm)

This package was republished without maintainer authorization in the same 2026-05-19 takeover of the npm publisher account atool (attributed to TeamPCP) described under entry 3, @antv/x6-geometry. The republished tarballs beacon to attacker-controlled C2 infrastructure disguised as an OpenTelemetry trace collector. Any version of this package published on or after 2026-05-19T01:39:31Z must be treated as compromised.

References: https://opensourcemalware.com/blog/teampcp-compromises-npm-maintainer-with-over-540-packages, https://socket.dev/blog/antv-packages-compromised


5. drydock-cli (pypi)

[osmalyze-auto] Malicious package detected. Behaviors: data exfiltration, code execution, network activity.


6. uri-parse (npm)

This package was republished without maintainer authorization in the same 2026-05-19 takeover of the npm publisher account atool (attributed to TeamPCP) described under entry 3, @antv/x6-geometry. The republished tarballs beacon to attacker-controlled C2 infrastructure disguised as an OpenTelemetry trace collector. Any version of this package published on or after 2026-05-19T01:39:31Z must be treated as compromised.

References: https://opensourcemalware.com/blog/teampcp-compromises-npm-maintainer-with-over-540-packages, https://socket.dev/blog/antv-packages-compromised


7. @tiledesk/tiledesk-server (npm)

[osmalyze-auto] APT malware detected: chai-max. Associated with threat actor(s): DPRK/Lazarus. Behaviors: data exfiltration, code execution, network activity, obfuscated code, install-time execution.


8. openclaw-cn (npm)

This package was compromised during the 2026-05-19 "Mini Shai-Hulud" npm supply-chain campaign that began with the takeover of the atool maintainer account (the AntV / TeamPCP compromise). The injected payload contains worm-like npm-propagation logic: it validates any npm tokens it harvests, enumerates packages the token owner can publish, injects itself, and republishes them. This package belongs to a secondary maintainer account reached by that propagation, not to atool directly. The republished tarballs carry the same Mini Shai-Hulud payload and beacon to the same C2 infrastructure. Any version of this package published on 2026-05-19 must be treated as compromised.

References: https://opensourcemalware.com/blog/teampcp-compromises-npm-maintainer-with-over-540-packages, https://socket.dev/blog/antv-packages-compromised


9. @exocore/exocode (npm)

Steals ANTHROPIC_API_KEY, SSH private keys (.ssh/id_rsa), wallet seed files, and cloud credentials by probing AWS IMDS (169.254.169.254) and the GCP metadata server (metadata.google.internal) at install time, then enumerates AWS and GCP identities via STS GetCallerIdentity and cloudresourcemanager.googleapis.com. A 22 MB obfuscated bundle executes in a detached background process for persistence, injects stub modules for @ant/computer-use-mcp and related Anthropic packages into node_modules/, and fetches staged payloads from an attacker-controlled GCS bucket (exocode-dist-86c565f3-f756-42ad-8dfa-d59b1c096819) and downloads.exocore.ai. The preinstall hook wipes the npm cache to destroy forensic evidence before execution.

References: https://www.npmjs.com/package/@exocore/exocode


10. async-pipeline-builder (npm)

This package is part of a large-scale software supply-chain attack, dubbed "TrapDoor", that targeted PyPI, npm and crates.io (Rust) packages.

The package executes a shared credential-stealing payload that exfiltrates SSH keys, AWS/GitHub tokens, browser data, and crypto wallets (Solana, Sui, Aptos) to attacker infrastructure at ddjidd564.github.io, and plants persistence via shell hooks, systemd, cron, and AI-assistant config files (.cursorrules, CLAUDE.md).


Want help mitigating malicious packages before they reach your network?

ShieldedStack acts as a security proxy in front of npm, PyPI, NuGet, and Maven, helping teams detect and block malicious or risky packages before they reach developer machines or CI pipelines.

Learn more: https://shieldedstack.com