This weekly list covers the ten most significant malicious or compromised packages recently observed in public registries.
1. events-channel (npm)
- Package: https://www.npmjs.com/package/events-channel
- Severity: critical
- Affected versions: all
- Downloads: 39778
- First seen: 25 May 2026 at 16:42 UTC
A sophisticated npm typosquatting supply-chain attack that combines a forged 15-year git history with cryptocurrency-theft malware. The attacker created the throwaway account 'tamekacooke21' on 2026-04-23, generated a fabricated git history spanning 2011-2026 in just 28 minutes, and distributed the malware through the npm package 'events-channel', which mimics the popular Node.js 'events' module. Git forensics show a massive discrepancy between the claimed commit dates (2011-2026) and the actual repository push time (2026-04-23T16:10:34Z), indicating a deliberate history-rewriting attack designed to establish false legitimacy.
2. dev-env-bootstrapper (npm)
- Package: https://www.npmjs.com/package/dev-env-bootstrapper
- Severity: high
- Affected versions: all
- Downloads: 3598
- First seen: 24 May 2026 at 21:39 UTC
This package is part of a large-scale software supply chain attack that targeted PyPI, npm and Crates.io (Rust) packages. The attack has been dubbed "TrapDoor".
The package executes a shared credential-stealing payload that exfiltrates SSH keys, AWS/GitHub tokens, browser data, and crypto wallets (Solana, Sui, Aptos) to attacker infrastructure at ddjidd564.github.io, and plants persistence via shell hooks, systemd, cron, and AI-assistant config files (.cursorrules, CLAUDE.md).
3. heims (pypi)
- Package: https://pypi.org/project/heims/
- Severity: high
- Affected versions: all
- Downloads: 3575
- First seen: 26 May 2026 at 06:31 UTC
The package's WechatUtil.gettoken() in src/heims/utils/wechat/wechatutil.py hardcodes a POST to https://token.zhangjianpeng.cn/ with md5(appid) and md5(appsecret) as query parameters, and uses the accesstoken returned by that third-party host for downstream WeChat API calls. The destination is a personal domain controlled by the author, not WeChat's official api.weixin.qq.com endpoint, and this third-party broker is not disclosed in the README. Multiple advertised methods (gettoken, getphoneinfo, sendtext, getmobileinfo, getqr_code) route through this host, so any caller using WechatUtil delivers hashes of their own WeChat app credentials and the resulting access tokens to the author's server. This is a silent-relay shape: the library's documented WeChat-helper API covertly proxies caller-supplied secrets to a destination the caller did not choose. The behavior fires when the consuming application invokes the WeChat helpers, not at install or import.
4. @exocore/exocode (npm)
- Package: https://www.npmjs.com/package/@exocore/exocode
- Severity: critical
- Affected versions: all
- Downloads: 3337
- First seen: 25 May 2026 at 00:59 UTC
Steals ANTHROPIC_API_KEY, SSH private keys (.ssh/id_rsa), wallet seed files, and cloud credentials by probing the AWS IMDS (169.254.169.254) and GCP metadata server (metadata.google.internal) at install time, then enumerates AWS and GCP identities via STS GetCallerIdentity and cloudresourcemanager.googleapis.com. A 22MB obfuscated bundle executes in a detached background process for persistence, injects stub modules for @ant/computer-use-mcp and related Anthropic packages into node_modules/, and fetches staged payloads from an attacker-controlled GCS bucket (exocode-dist-86c565f3-f756-42ad-8dfa-d59b1c096819) and downloads.exocore.ai. The preinstall hook wipes the npm cache to destroy forensic evidence before execution.
References: https://www.npmjs.com/package/@exocore/exocode
5. async-pipeline-builder (npm)
- Package: https://www.npmjs.com/package/async-pipeline-builder
- Severity: critical
- Affected versions: all
- Downloads: 3179
- First seen: 24 May 2026 at 21:33 UTC
This package is part of a large-scale software supply chain attack that targeted PyPI, npm and Crates.io (Rust) packages. The attack has been dubbed "TrapDoor".
The package executes a shared credential-stealing payload that exfiltrates SSH keys, AWS/GitHub tokens, browser data, and crypto wallets (Solana, Sui, Aptos) to attacker infrastructure at ddjidd564.github.io, and plants persistence via shell hooks, systemd, cron, and AI-assistant config files (.cursorrules, CLAUDE.md).
6. edison-tools (pypi)
- Package: https://pypi.org/project/edison-tools/
- Severity: critical
- Affected versions: all
- Downloads: 2832
- First seen: 26 May 2026 at 06:30 UTC
Malicious package detected. Behaviors: data exfiltration.
7. aes-decode-runner-pro (npm)
- Package: https://www.npmjs.com/package/aes-decode-runner-pro
- Severity: high
- Affected versions: 1.0.10
- Downloads: 1550
- First seen: 28 May 2026 at 07:28 UTC
Malicious package detected. Behaviors: code execution, obfuscated code.
8. apple-mycelium-fix (npm)
- Package: https://www.npmjs.com/package/apple-mycelium-fix
- Severity: critical
- Affected versions: all
- Downloads: 1463
- First seen: 27 May 2026 at 12:14 UTC
Suspected dependency confusion attack. Behaviors: data exfiltration, code execution, install-time execution.
9. pywingui (pypi)
- Package: https://pypi.org/project/pywingui/
- Severity: high
- Affected versions: 6.0.2
- Downloads: 1330
- First seen: 27 May 2026 at 08:12 UTC
Malicious package detected.
10. vxui-react (npm)
- Package: https://www.npmjs.com/package/vxui-react
- Severity: high
- Affected versions: 1.3.6
- Downloads: 996
- First seen: 28 May 2026 at 07:18 UTC
Malicious package detected. Behaviors: data exfiltration, code execution, obfuscated code.
Want help mitigating malicious packages before they reach your network?
ShieldedStack acts as a security proxy in front of npm, PyPI, NuGet, and Maven, helping teams detect and block malicious or risky packages before they reach developer machines or CI pipelines.
Learn more: https://shieldedstack.com