Welcome to the latest edition of the Xygeni Malicious Code Digest (Monthly edition), where our security researchers bring you the latest discoveries of malicious packages in software registries.
This month our teams identified and blocked threats to our customers' software supply chains. Over the past few weeks we uncovered and reported a significant number of malicious packages published to open-source component registries. These findings show that malicious uploads are a steady background threat and that dependency intake needs controls of its own, not only vulnerability scanning.
In October 2024 we confirmed more than 335 malicious packages across multiple registries, covering threats from data exfiltration and typosquatting to dependency confusion. Many of the versions listed below (99.99.99, 100.0.0, 200.0.1, 9998.999.999 and similar) are the inflated version numbers characteristic of dependency confusion: the attacker publishes a package on the public registry under an internal package name, with a version higher than anything the private registry holds, so a build that consults both registries and prefers the highest version pulls the attacker's copy. Here is the detailed breakdown of our findings throughout the month:
Week 5: Over 80 Packages Discovered
Key Findings:
- NPM Packages:
- (npm) @service-and-repairs/awpintegrationlib:20.0.1
- (npm) blossom-flex-ui:99.99.90
- (npm) cli-wasm:1.0.1
- (npm) eslint-config-ezugi:1.0.1
- (npm) eslint-config-ezugi:14.0.0
- (npm) eslint-plugin-evo:1.0.0
- (npm) eslint-plugin-evo:13.0.0
- (npm) eslint-plugin-no-unsafe:0.0.5
- (npm) native-module2:100.0.0
- (npm) native-module2:100.0.2
- (npm) nuxtjs_style_resources:1.0.0
- (npm) oneui-angular:99.99.99
- (npm) oneui.angular:99.99.99
- (npm) orb-sync-lib:1.0.0
- (npm) orb-sync-lib:100.0.0
- (npm) orb-sync-lib:100.0.1
- (npm) req-scopes:3.4.1
- (npm) roboter:15.0.0
- (npm) roboter:2.0.2
- (npm) sachinkrhackeronetestpackage:1.0.0
- (npm) se-testing:1.0.0
- (npm) se-testing:14.0.0
- (npm) semantic-release-commit-rules:1.0.0
- (npm) ui-tooltip:1.1.2
- (npm) ui-tooltip:1.1.3
- (npm) wpdesigndev.wp.agoda.com:100.0.5
- (npm) xk6-toml:3.0.0
- (npm) @client-innovation/librct:0.100.0
- (npm) @hellotry2/goutils:0.0.1
- (npm) @platform-ui-kit/components-library-react:9.9.1
- (npm) @rcd-pro/vue3:10.10.10
- (npm) @saleswhale/barnacle:1.5.7
- (npm) axum-live-view:1.0.0
- (npm) bababababa:1.1.2
- (npm) bloxbootstrap:1.0.0
- (npm) buildkit-discourse-integration:1.0.1
- (npm) celtra-auto-exporter:1.0.1
- (npm) cms-core-redux:9.9.10
- (npm) cms-hpti-components:9.9.10
- (npm) cms-ti-components:9.9.10
- (npm) cms-utilities:9.9.10
- (npm) custom-ui-extension-template:1.0.1
- (npm) directv:1.1.0
- (npm) dragonhack-workshop:1.0.1
- (npm) dropbox-capture-sdk:10.10.10
- (npm) emburse:1.0.2
- (npm) git-commit-message-convention:1.0.0
- (npm) hosted-buttons:1.0.2
- (npm) itminepack101:1.0.1
- (npm) mmpp:1.0.2
- (npm) myvaroniswebapp:100.0.6
- (npm) ohcm-polymerase:10.0.10
- (npm) ohcm-polymerase:10.0.5
- (npm) plain-headless-portal:1.0.1
- (npm) prismjs-editor-v1:1.0.0
- (npm) relativity-design-system:1.0.1
- (npm) relay-github-root:100.0.2
- (npm) ro.dll:1.0.0
- (npm) roblox-creator-docs:100.0.2
- (npm) roblox.dll:1.0.0
- (npm) robloxbootstrapper:1.0.0
- (npm) sdk-interface:10.0.2
- (npm) shasha487:1.1.3
- (npm) snowday:200.0.1
- (npm) strengthify101:1.0.0
- (npm) tatatata:1.2.3
- (npm) test-evil-pkg-reverse:1.0.0
- (npm) test-evil-pkg-reverse:1.0.1
- (npm) test-package2345:1.0.0
- (npm) timeline-airtable:7.0.4
- (npm) timeline-airtable:7.1.9
- (npm) timeline-airtable:7.3.9
- (npm) timeline-airtable:7.5.9
- (npm) timeline-airtable:9.5.9
- (npm) viajemos:2.0.8
- (npm) viajemos:2.1.1
- (npm) viajemos:2.1.2
- (npm) webhooks-resources-nodejs-server:1.0.1
- (npm) wpdesigndev.wp.agoda.com:108.0.0
- PyPI Packages:
- (pypi) python-drgn-commons-all:99.99.99
- (pypi) python-drgn-commons-kafka:99.99.99
- (pypi) python-drgn-commons-metrics:99.99.99
- (pypi) python-drgn-commons-notebooks:99.99.99
- (pypi) python-drgn-commons-pandas:99.99.99
- (pypi) python-drgn-commons-spark:99.99.99
Week 4: Over 70 Packages Discovered
Key Findings:
- NPM Packages:
- (npm) @client-innovation/librct:0.100.0
- (npm) @hellotry2/goutils:0.0.1
- (npm) @rcd-pro/vue3:10.10.10
- (npm) @saleswhale/barnacle:1.5.7
- (npm) @ua-digital-commerce/beacon-bridge:10.10.10
- (npm) check-codeowners:99.99.99
- (npm) csm-docs:100.0.1
- (npm) dexter-angular-app:1.0.0
- (npm) direct_access_theme:1.0.0
- (npm) dropbox-capture-sdk:10.10.10
- (npm) electron_npm_deps:400.0.0
- (npm) emburse:1.0.2
- (npm) eslint-config-bc:100.0.0
- (npm) eslint-plugin-no-unsafe:0.0.5
- (npm) f3rb:6.4.2
- (npm) freshchange:1.0.0
- (npm) git-commit-message-convention:1.0.0
- (npm) golden-gates:99.99.99
- (npm) itminepack101:1.0.0
- (npm) itminepack101:1.0.1
- (npm) kbc-ui.templates:0.1.1
- (npm) lessc-rhino:2.7.3
- (npm) lcnc-app:3.5.3
- (npm) lcnc-app:3.5.5
- (npm) metadata-attacher:0.1.0
- (npm) nf-gestures:0.1.1
- (npm) omahaoffice:1.0.0
- (npm) omise-example:9.5.9
- (npm) owasp-aasvs-to-readthedocs:1.0.0
- (npm) pd-py-cli:99.99.99
- (npm) platform-harness-ecr-configmap:99.99.99
- (npm) python-drgn-commons-all:99.99.99
- (npm) python-drgn-commons-kafka:99.99.99
- (npm) python-drgn-commons-metrics:99.99.99
- (npm) python-drgn-commons-notebooks:99.99.99
- (npm) python-drgn-commons-pandas:99.99.99
- (npm) python-drgn-commons-spark:99.99.99
- (npm) relay-github-root:100.0.2
- (npm) relativity-design-system:1.0.1
- (npm) roblox-creator-docs:100.0.2
- (npm) ro.dll:1.0.0
- (npm) seriously-common:10.10.10
- (npm) shopmacher-mollie-processor:1.1.2
- (npm) sn-flow-client:10.10.10
- (npm) snowday:200.0.1
- (npm) strengthify101:1.0.0
- (npm) sumo-py-cli:99.99.99
- (npm) terraformness:99.99.99
- (npm) timeline-airtable:7.0.4
- (npm) timeline-airtable:7.1.9
- (npm) timeline-airtable:7.3.9
- (npm) timeline-airtable:7.5.9
- (npm) timeline-airtable:9.5.9
- (npm) unity-uikit:0.2.0
- (npm) viajemos:2.0.8
- (npm) viajemos:2.1.1
- (npm) viajemos:2.1.2
- (npm) @service-and-repairs/awpintegrationlib:20.0.1
- (npm) cli-wasm:1.0.1
- (npm) gather-stats-testing:1.1.0
- (npm) module-with-node-gyp:1.0.0
- (npm) module-with-prebuild:2.0.0
- (npm) nuxtjs_style_resources:1.0.0
- (npm) sachinkrhackeronetestpackage:1.0.0
- (npm) semantic-release-commit-rules:1.0.0
- (npm) xk6-toml:3.0.0
- PyPI Packages:
- (pypi) appsec-script-py:99.99.99
- (pypi) check-codeowners:99.99.99
- (pypi) security-automation-job:99.99.99
Week 3: Over 30 Packages Discovered
Key Findings:
- NPM Packages:
- (npm) @cdh-data-portal-theme/build:20.0.1
- (npm) @copilot-web-widgets/ai-writer:1.11.0
- (npm) @copilot-web-widgets/common-core-sdk:1.11.0
- (npm) @copilot-web-widgets/common-core-sdk:1.8.0
- (npm) @platform-ui-kit/components-library-react:9.9.4
- (npm) native-module2:100.0.0
- (npm) native-module2:100.0.2
- (npm) test-automation-testing:100.0.0
- (npm) test-automation-testing:100.0.1
- (npm) @cdh-data-portal-theme/build:20.0.0
- (npm) @copilot-web-widgets/ai-writer:1.14.0
- (npm) @copilot-web-widgets/ai-writer:60.0.0
- (npm) @copilot-web-widgets/common-core-sdk:1.20.0
- (npm) @copilot-web-widgets/common-core-sdk:2.100.0
- (npm) @copilot-web-widgets/common-core-sdk:60.0.0
- (npm) @safecorp/one-ui:10.10.10
- (npm) @service-and-repairs/awpintegrationlib:20.0.0
- (npm) @wame/blue-oval-theme:16.10.10
- (npm) blank-fe:0.0.1
- (npm) hdhh.hiijack:2.0.0
- (npm) huggingface-vscode:100.2.2
- (npm) jifa-frontend:9.5.9
- (npm) mmpp:1.0.2
- (npm) monday-react-quickstart-app:200.0.2
- (npm) omise-example:9.5.9
- (npm) relay-github-root:100.0.2
- (npm) timeline-airtable:7.0.4
- (npm) timeline-airtable:7.1.9
- (npm) timeline-airtable:7.3.9
- (npm) timeline-airtable:7.5.9
- (npm) timeline-airtable:9.5.9
Week 2: Over 50 Packages Discovered
Key Findings:
- NPM Packages:
- (npm) @cawraytestorg/packagetest2:9.9.9
- (npm) @energysolutions/mylib:99.9.9
- (npm) @energysolutions/mylib:9998.998.998
- (npm) @energysolutions/mylib:9998.999.998
- (npm) @energysolutions/mylib:9998.999.999
- (npm) @energysolutions/mylib:999999999.999999.999999
- (npm) @test3.svt/first-npm-package-test-2:1.0.2
- (npm) @test3.svt/first-npm-package-test-2:1.0.3
- (npm) bcoin-full:2.0.0
- (npm) bolteu:8.0.0
- (npm) bolteu:8.1.0
- (npm) bolteu:8.3.0
- (npm) discord-api-docs:1.1.2
- (npm) djangopeople:3.3.3
- (npm) djangosnippets:9.9.9
- (npm) fccui:7.0.0
- (npm) font-lato-2-subset:0.4.1
- (npm) getsafe-interview:1.1.0
- (npm) hilla-components-dependencies:1.1.0
- (npm) linear-airbyte-source:9.9.9
- (npm) linear-airbyte-source:9.9.10
- (npm) numeral-light:1.1.0
- (npm) spiffe.io:9.10.0
- (npm) vention-quest:1.1.0
- (npm) visionmedia-debug:3.1.0
- (npm) vue-assignment:0.1.1
- (npm) whatnot_seller_api_docs:102.0.0
- (npm) backend-engineering-test:1.0.0
- (npm) bigcommerce-monit:55.55.56
- (npm) blockpi:1.0.0
- (npm) branch-design-system:2.0.0
- (npm) d11-conventional-jira-changelog:1.0.0
- (npm) evermade-bare-theme:1.0.1
- (npm) hulululu:1.0.0
- (npm) m-typescript:1.0.0
- (npm) m-typescript:1.999.0
- (npm) m-typescript:6.0.0
- (npm) m-typescript:6.0.1
- (npm) monorepo-releaser:100.0.0
- (npm) no-typescript:1.0.0
- (npm) o-typescript:1.0.0
- (npm) openai-examples:1.1.0
- (npm) orderly-evm-crosschain:1.0.0
- (npm) replaceable-media-recorder:1.0.9
- (npm) smtp2go:1.0.1
- (npm) tannucolingboys:99.0.0
- (npm) uploadcare-ckeditor:4.0.1
- PyPI Packages:
- (pypi) maxpatrol:7.0.6
- (pypi) ptsecurity:7.0.6
Week 1: Over 100 Packages Discovered
Key Findings:
- NPM Packages:
- (npm) @helvetia-italia/ng-selly-components:10.20.39
- (npm) @helvetia-italia/ng-selly-lib-operator-dashboard:10.20.37
- (npm) agoda-design-toolkit-2:1.0.1
- (npm) agoda-design-toolkit-2:10.0.0
- (npm) agoda-design-toolkit-2:10.0.1
- (npm) annotation-app:9.9.1
- (npm) apollo-client-error-template:2.0.0
- (npm) b2b-buyer-portal:55.55.58
- (npm) backend-engineering-test:1.0.0
- (npm) bc-loading:2.5.1
- (npm) braintree_express_example:1.0.0
- (npm) braintree.github.io:9.9.1
- (npm) branch-extension:1.0.0
- (npm) buy-sell-opensea-sdk-demo:1.0.0
- (npm) defillama-apy-server:1.0.0
- (npm) eslint-config-b2b:999.9.91
- (npm) kupo-app-secure-store-plugin:99.0.0
- (npm) kupo-app-secure-store-plugin:99.1.0
- (npm) language-rego:1.0.0
- (npm) makebetteremail:1.0.0
- (npm) multiply-proxy-actions-contracts:0.1.0
- (npm) nanoslackts-env-test:1.0.0
- (npm) o-layout:10.20.20
- (npm) openai-bun-test:1.0.0
- (npm) prismjs-editor-v2:2.0.2
- (npm) react-experimental-builtin:4.1.2
- (npm) sae-viewer:10.0.0
- (npm) sae-viewer:10.0.1
- (npm) sae-viewer:9.9.2
- (npm) sbm-react-native-sample:1.5.0
- (npm) setup-specmatic:2.0.0
- (npm) svelte-hms-world:1.0.0
- (npm) synthetics-sdk-mocha:99.0.0
- (npm) uchiwa:1.0.0
- (npm) web3-austt:4.1.2
- (npm) whatnot_seller_api_docs:100.5.6
- (npm) @facetca/calculator:3.0.0
- (npm) @facetca/facet-mmleditor:3.0.4
- (npm) @facetca/facet-ruler:3.0.0
- (npm) @facetca/facet-wysiwyg-editor:2.0.0
- (npm) @helvetia-italia/ng-selly-components:10.30.40
- (npm) @helvetia-italia/ng-selly-components:20.30.30
- (npm) @plentyofcode/header-bidding-adslot:2.0.34
- (npm) @plentyofcode/header-bidding-adslot:2.0.35
- (npm) aou-ui:0.0.3
- (npm) aou-ui:0.0.5
- (npm) atomic-swap:1.0.4
- (npm) audaces-perps-rest-server:1.0.0
- (npm) aws-genai-llm-chatbot:5.0.0
- (npm) briefer:0.0.29
- (npm) client-ws-app:6.0.0
- (npm) com.lootlocker.lootlockersdk:1.1.1
- (npm) csm-installation-wizard:2.1.5
- (npm) document-sample:0.0.0
- (npm) ens-austt:4.1.2
- (npm) espace-membre:0.3.3
- (npm) eth-austt:4.1.2
- (npm) facet-mmleditor:3.0.3
- (npm) fdx-mock-app:1.1.2
- (npm) finaustt:4.1.2
- (npm) inclusive-ai-dao-website:300.0.0
- (npm) inclusive-ai-dao-website:400.0.0
- (npm) inclusive-ai-dao-website:700.0.0
- (npm) interactive-app:100.0.0
- (npm) jquery-ui-smoothness:1.11.2
- (npm) js-austt:4.1.2
- (npm) jsmaterialx:1.38.10
- (npm) jsmaterialx:1.38.7
- (npm) just-the-docs:1.0.0
- (npm) kubeman:1.0.0
- (npm) kupo-capacitor-statusbar-safe-area:9.0.0
- (npm) meraki-react-router:1.0.0
- (npm) meraki-react-router:100.0.0
- (npm) meraki-react-router:300.0.0
- (npm) nodedum:1.0.0
- (npm) o-forms:10.20.10
- (npm) o-layout:10.20.23
- (npm) o-typography:10.10.11
- (npm) pagegraph-crawl:2.0.0
- (npm) papercut-ui:99.99.99
- (npm) peb_portal:100.0.1
- (npm) peb_portal:102.0.0
- (npm) pod-financier-app:1.0.0
- (npm) prismjs-editor-v2:1.0.0
- (npm) prismjs-editor-v2:2.0.0
- (npm) prismjs-editor-v2:2.0.1
- (npm) prismjs-editor-v2:2.0.3
- (npm) prismjs-editor-v2:2.0.4
- (npm) radiant-interfaces:1.0.0
- (npm) sdk-sanity-generator:10.0.0
- (npm) should_be_whitelisted.js:10.0.0
- (npm) site-national-covoiturage:3.0.0
- (npm) site-national-covoiturage:3.0.3
- (npm) speech-to-speech-demo:0.1.1
- (npm) steampipe-reports:0.0.0
- (npm) thirdweb-eats:0.1.0
- (npm) transferwise-iconfont:2.0.0
- (npm) tsclient.engage.aperture:10.10.10
- (npm) whatnot_seller_api_docs:100.5.10
- (npm) whatnot_seller_api_docs:100.5.20
- (npm) whatnot_seller_api_docs:102.0.0
- (npm) wpdesigndev.wp.agoda.com:100.0.9
- (npm) wpdesigndev.wp.agoda.com:108.0.0
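As an added example (not Xygeni's tooling and not code from this digest), the following Python script cross-checks a project's lockfiles against an excerpt of this month's entries and also flags the inflated-version shape that the dependency-confusion uploads listed above rely on. The deny list is a hand-picked subset of the lines in this post; the package-lock.json and requirements.txt content, the @acme scope and the npm.acme.internal registry are constructed and hypothetical; and the major-version threshold of 99 is an assumed heuristic, not a Xygeni rule.

```python
"""Check lockfiles against the package:version pairs reported in this digest.

Added example for this digest, not Xygeni's own tooling. DIGEST_ENTRIES is a
small excerpt of the October 2024 list above; SAMPLE_LOCK and
SAMPLE_REQUIREMENTS are constructed inputs, not real project files.
"""
import json
import re

# Excerpt of the digest: (ecosystem, package name, version).
DIGEST_ENTRIES = {
    ("npm", "eslint-plugin-no-unsafe", "0.0.5"),
    ("npm", "timeline-airtable", "9.5.9"),
    ("npm", "@energysolutions/mylib", "999999999.999999.999999"),
    ("npm", "roblox.dll", "1.0.0"),
    ("pypi", "ptsecurity", "7.0.6"),
    ("pypi", "maxpatrol", "7.0.6"),
}

# Heuristic threshold (an assumption, not from the digest): versions such as
# 99.99.99 or 100.0.0 are typical of dependency-confusion uploads, published so
# that a resolver preferring the highest version picks the attacker's copy.
INFLATED_MAJOR = 99


def normalize_pypi(name):
    """PEP 503 name normalisation: case-fold and collapse runs of -, _ and ."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lockfile_packages(lock):
    """Yield (name, version, resolved URL) from a package-lock.json v2/v3."""
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        # Keys look like "node_modules/@scope/name" or, when nested,
        # "node_modules/a/node_modules/b"; the last segment is the package.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version", ""), meta.get("resolved", "")


def requirements_packages(text):
    """Yield (normalised name, version) for '==' pins in a requirements.txt."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)", line)
        if m:
            yield normalize_pypi(m.group(1)), m.group(2)


def is_inflated(version):
    """True when the major version meets the INFLATED_MAJOR heuristic."""
    m = re.match(r"^(\d+)\.", version)
    return bool(m) and int(m.group(1)) >= INFLATED_MAJOR


def audit(lock, requirements):
    """Return (ecosystem, name, version, reason) for every suspicious entry."""
    findings = []
    for name, version, resolved in lockfile_packages(lock):
        if ("npm", name, version) in DIGEST_ENTRIES:
            findings.append(("npm", name, version, "listed in digest"))
        elif is_inflated(version) and "registry.npmjs.org" in resolved:
            # Inflated version served by the public registry: the classic
            # dependency-confusion shape. The same version resolved from a
            # private registry is not flagged.
            findings.append(("npm", name, version, "inflated version from public registry"))
    for name, version in requirements_packages(requirements):
        if ("pypi", name, version) in DIGEST_ENTRIES:
            findings.append(("pypi", name, version, "listed in digest"))
        elif is_inflated(version):
            findings.append(("pypi", name, version, "inflated version"))
    return findings


# Constructed sample inputs (hypothetical project, hypothetical @acme scope).
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/eslint-plugin-no-unsafe": {"version": "0.0.5",
      "resolved": "https://registry.npmjs.org/eslint-plugin-no-unsafe/-/eslint-plugin-no-unsafe-0.0.5.tgz"},
    "node_modules/@acme/internal-ui": {"version": "100.0.0",
      "resolved": "https://registry.npmjs.org/@acme/internal-ui/-/internal-ui-100.0.0.tgz"},
    "node_modules/lodash": {"version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    "node_modules/@acme/private-lib": {"version": "100.0.0",
      "resolved": "https://npm.acme.internal/@acme/private-lib/-/private-lib-100.0.0.tgz"}
  }
}""")

SAMPLE_REQUIREMENTS = """
requests==2.32.3
PTSecurity==7.0.6   # case differs; PEP 503 normalisation still matches the digest
maxpatrol>=7        # unpinned: not checked by this script
"""

if __name__ == "__main__":
    for eco, name, version, reason in audit(SAMPLE_LOCK, SAMPLE_REQUIREMENTS):
        print(f"{eco:5} {name}@{version}: {reason}")
```

The check is deliberately narrow: only exact name:version pairs from the digest and `==` pins are matched, so unpinned requirements and transitive PyPI dependencies need a resolved lockfile (pip freeze output, or a poetry or uv lock) before they are covered. The inflated-version rule is a shape heuristic only; the durable fix for dependency confusion is to pin every private scope to the internal registry (for npm, an `@acme:registry=https://...` line in .npmrc) so the public registry is never consulted for those names.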
Secure Your Open Source Dependencies against Vulnerabilities and Malicious Code
Minimize risks and protect your applications from malicious packages with Xygeni Early Malware Detection. Prioritize and address the vulnerabilities that matter most. Our comprehensive solution offers real-time monitoring of your dependencies to detect and mitigate threats before they impact your software.
Managing open-source components in the current software development landscape is crucial due to the rising vulnerabilities and malicious code threats. Xygeni’s Open Source Security solution scans and blocks harmful packages upon publication, dramatically minimizing the risk of malware and vulnerabilities infiltrating your systems. Our comprehensive monitoring spans multiple public registries, ensuring all dependencies are scrutinized for safety and integrity. Xygeni enhances your team’s ability to maintain secure and reliable software projects by contextually prioritizing critical issues and facilitating streamlined remediation processes.