Try Free      
Book a Demo
MALICIOUS CODE

Xygeni Malicious Code Digest 47

  • Last Updated: October 28, 2025

Table of Contents

Must-Read posts

Latest posts of interest

Every week, our malware detection systems scan thousands of new and updated packages across public registries like npm and PyPI. This time, we confirmed over 124 malicious packages, ranging from typosquatting and credential stealers to backdoored libraries designed to slip past basic scanners.

This weekly snapshot is part of our ongoing Malicious Code Digest, where we publish continuous findings, confirm emerging threats, and help DevSecOps teams protect their pipelines before damage is done. If you want full context across all confirmed packages and past incidents, be sure to check the full digest.

Let’s break down what we found this week and why it matters.

Ecosystem Package Link Date
npmdhemrdhs92004:1.250607.11941Issue #19760Oct 24, 2025
npmdhemrdhs92004:1.250607.11953Issue #19761Oct 24, 2025
npmdhemrdhs92004:1.250607.12009Issue #19762Oct 24, 2025
npmporscheofficial:2.9.9Issue #27343Oct 24, 2025
npm@web-ib/chevre:9000.0.0Issue #27711Oct 20, 2025
npm@conotion/cli:0.1.0-beta.2Issue #27718Oct 20, 2025
pypitikweb:1.0.4Issue #28103Oct 20, 2025
npmtchap-landing-page:7.0.4Issue #29375Oct 23, 2025
npmflight-debug:99.99.1Issue #28411Oct 20, 2025
npmpark-boost-v1:1.0.1Issue #28481Oct 21, 2025
npmeslint-plugin-react-discord:9.0.3Issue #28503Oct 21, 2025
npmab-testing-for-wp:1.18.3Issue #28530Oct 21, 2025
npmsuperbet-icons:9.9.22Issue #28534Oct 24, 2025
npmvue-analytics-plugin:9.9.20Issue #28535Oct 24, 2025
npmvue-analytics-plugin:9.9.21Issue #28537Oct 24, 2025
npmbaidu-tims:1.0.1Issue #28553Oct 24, 2025
npmbaidu-tims:1.0.2Issue #28554Oct 24, 2025
pypibach-news-bigdata-mcp:1.0.0Issue #28557Oct 20, 2025
npmbackend-template-js:1.0.0Issue #28672Oct 24, 2025
npm@jayandudakiya/backend-boilerplate-js:1.0.0Issue #28673Oct 24, 2025
npmbackend-boilerplate-js:1.0.0Issue #28674Oct 24, 2025
npmenjin-docs:8.0.0Issue #28770Oct 24, 2025
npmenjin-docs:9.0.0Issue #28771Oct 24, 2025
npmenjin-docs:7.0.0Issue #28772Oct 24, 2025
npmhyperion-react-native:1337.0.0Issue #28778Oct 20, 2025
npmcreate-be-boilerplate:1.0.1Issue #28852Oct 24, 2025
npm@nunes_nunes/loader-base:0.1.0Issue #28858Oct 20, 2025
npmtimes-new-mcp-server:1.0.0Issue #28868Oct 20, 2025
npmreact-medias:1.1.4Issue #28869Oct 22, 2025
npmec-component-loader:0.1.0Issue #28870Oct 20, 2025
npmec-component-loader:1.3.1Issue #28871Oct 20, 2025
npmec-component-loader:1.3.2Issue #28872Oct 20, 2025
npm@patterninc/react-ui:5.0.2Issue #28878Oct 21, 2025
npmmui-themes-extand:3.0.3Issue #28894Oct 21, 2025
npm@jirikobelka/server-closedloop:1.0.0Issue #28899Oct 21, 2025
npmclosedloop-mcp-server:1.0.0Issue #28900Oct 20, 2025
npmhelosifjowe2342:8.0.5Issue #28906Oct 20, 2025
npmsrc_components_qcreport_index_tsx:6.8.5Issue #28908Oct 20, 2025
npmtailwind-config-view:1.0.3Issue #28910Oct 21, 2025
npm@agent-velo/era:0.0.20Issue #28917Oct 21, 2025
npm@ledgerhq/live-common:34.52.0-nightly.0Issue #28918Oct 21, 2025
npmagentmono:1.0.0Issue #28919Oct 20, 2025
npmrainbowkit-next-app:1.0.0Issue #28921Oct 20, 2025
npm@ixuxoinzo/xchain-sdk:2.0.0Issue #28924Oct 21, 2025
npmonairos:3.5.2Issue #28927Oct 21, 2025
npmsrc_module_index_ts:8.2.0Issue #28940Oct 20, 2025
npmsrc_plugin_index_ts:6.2.0Issue #28941Oct 20, 2025
npmsrc_bootstrap_index_ts:7.0.5Issue #28944Oct 20, 2025
npm@agent-velo/era:0.0.21Issue #28953Oct 21, 2025
npm@agent-velo/era:0.0.22Issue #28958Oct 21, 2025
npm@agent-velo/era:0.1.0Issue #28959Oct 21, 2025
npmiwf-ant-design-draggable-modal:1.1.9Issue #28972Oct 24, 2025
npmiwf-ant-design-draggable-modal:1.1.10Issue #28973Oct 24, 2025
npmiwf-ant-design-draggable-modal:1.1.11Issue #28975Oct 24, 2025
npmiwf-ant-design-draggable-modal:1.1.12Issue #28976Oct 24, 2025
npmmoloch:2.0.0Issue #28979Oct 20, 2025
npmai-protocol:3.0.0Issue #28982Oct 20, 2025
npmcpilot-coding-assistant:1.0.7Issue #28988Oct 21, 2025
npmstencyption:1.0.4Issue #28989Oct 21, 2025
npmsaifulhhacker.site-test:1.199.0Issue #28990Oct 20, 2025
npmsaifulhhacker.site-test:1.299.0Issue #28991Oct 20, 2025
npmsaifulhhacker.site-test:1.399.0Issue #28992Oct 20, 2025
npm@shopify.com/shopifyql-parser:3.999.9Issue #28994Oct 20, 2025
npmcircleci-docs:1.0.0Issue #28996Oct 20, 2025
npmiwf-ant-design-draggable-modal:1.1.13Issue #28998Oct 24, 2025
npm@adobe/helix-rum-js:2.13.6Issue #29000Oct 21, 2025
npmcpilot-coding:0.0.2Issue #29002Oct 21, 2025
npmqwen-code-core-main:0.0.1Issue #29003Oct 21, 2025
npmiwf-ant-design-draggable-modal:1.1.14Issue #29004Oct 24, 2025
npmiwf-ant-design-draggable-modal:1.1.15Issue #29006Oct 24, 2025
npmqwen-code-core-main:0.0.2Issue #29007Oct 21, 2025
npm@underpostnet/underpost:2.85.0Issue #29008Oct 21, 2025
npmqwen-code-core-master:0.0.1Issue #29009Oct 21, 2025
npm@probelabs/probe:0.6.0-rc146Issue #29011Oct 21, 2025
npmnabladown.js:4.0.1Issue #29013Oct 21, 2025
npmrootsid:1000.99.999Issue #29052Oct 20, 2025
npmuswds-webcomponents:1.0.0Issue #29053Oct 21, 2025
npmsimmons:2.0.0Issue #29054Oct 20, 2025
npmtapcode:0.1.0Issue #29055Oct 21, 2025
npmtapcode:0.2.0Issue #29056Oct 21, 2025
npm@agent-velo/era:0.1.1Issue #29061Oct 21, 2025
npmnabladown.js:4.0.2Issue #29063Oct 21, 2025
npmcreate-be-boilerplate:1.0.0Issue #29064Oct 21, 2025
npm@probelabs/probe:0.6.0-rc148Issue #29065Oct 21, 2025
npmtapcode:0.3.0Issue #29067Oct 21, 2025
npmtapcode:0.4.0Issue #29068Oct 21, 2025
npm@blvckeasy/arenda-crm-core:0.1.9Issue #29073Oct 21, 2025
npmkexin-browser-ext:0.1.31Issue #29074Oct 21, 2025
npmkexin-browser-ext:0.1.32Issue #29076Oct 21, 2025
npmtapcode:0.5.0Issue #29082Oct 21, 2025
npmtapcode:0.6.0Issue #29084Oct 21, 2025
npmtapcode:0.7.0Issue #29085Oct 21, 2025
npm@vitorcen/gemini-cli-2-api:0.8.0-preview.1-5Issue #29086Oct 21, 2025
npm@nan0web/release:1.0.0Issue #29087Oct 21, 2025
npmggtech:10.0.4Issue #29113Oct 21, 2025
npmggtech:10.0.5Issue #29114Oct 21, 2025
npmggtech:10.0.6Issue #29116Oct 21, 2025
npmggtech:10.0.7Issue #29120Oct 21, 2025
npmggtech:10.0.8Issue #29121Oct 21, 2025
npmggtech:10.0.9Issue #29122Oct 21, 2025
npmeadp-code-core:0.0.14Issue #29124Oct 21, 2025
npm@mapcatch/three-loader-3dtiles:1.2.7Issue #29126Oct 21, 2025
npm@odoreltd/osiris-api:5.5.9Issue #29127Oct 20, 2025
npmeadp-code-core:0.0.14-alpha6Issue #29130Oct 21, 2025
npm@xysfe/actui:1.10.4-beta.65Issue #29134Oct 21, 2025
npmeadp-code-core:0.0.14-alpha7Issue #29136Oct 21, 2025
npmonairos:3.5.4Issue #29138Oct 21, 2025
npm@vitorcen/gemini-cli-2-api:0.8.0-preview.1-6Issue #29143Oct 21, 2025
npmsing-fest-es-logger:2025.10.20Issue #29147Oct 20, 2025
npmsing-fest-rq-logger:2025.10.20Issue #29148Oct 20, 2025
npm@maka/maka-cli:5.1.56Issue #29153Oct 21, 2025
npm@starbemtech/star-node-stack-helper:1.5.5Issue #29156Oct 21, 2025
npmshogun-tunnel:1.0.0Issue #29158Oct 21, 2025
npmflow-docscanner-db:10.0.0Issue #29159Oct 21, 2025
npm@friggframework/devtools:2.0.0--canary.461.c5013fd.0Issue #29162Oct 21, 2025
npmshogun-tunnel:1.0.1Issue #29163Oct 21, 2025
npmmyaidev-method:0.2.3Issue #29164Oct 21, 2025
npm@friggframework/devtools:2.0.0--canary.461.23a07de.0Issue #29168Oct 21, 2025
npm@maka/maka-cli:5.2.0Issue #29181Oct 21, 2025
npm@underpostnet/underpost:2.85.1Issue #29186Oct 21, 2025
npmnabladown.js:4.0.3Issue #29188Oct 21, 2025
npm@maka/maka-cli:5.2.1Issue #29196Oct 21, 2025
npm@maka/maka-cli:5.2.2Issue #29197Oct 21, 2025
npmzuix-dist:1.2.1Issue #29198Oct 21, 2025
npmlingo.dev:0.113.5Issue #29201Oct 21, 2025
npm@oppo-minigame/cli:3.2.5Issue #29202Oct 21, 2025
npmnpmrunnode-fetch-test:1337.1.0Issue #29203Oct 21, 2025
npmcanary-ng:1337.1.0Issue #29204Oct 21, 2025
npm@amirafa/vuexp:1.0.6Issue #29212Oct 21, 2025
npm@nhtio/lucid-resourceful:0.1.0-master-2f539c1fIssue #29213Oct 21, 2025
npmshiprocket-invoice-export:1.0.0Issue #29216Oct 21, 2025
npmpdfdancer-client-typescript:1.0.10Issue #29220Oct 21, 2025
npmpdfdancer-client-typescript:1.0.11Issue #29223Oct 22, 2025
pypipdfdancer-client-python:0.2.11Issue #28951Oct 22, 2025
pypipdfdancer-client-python:0.2.12Issue #28952Oct 22, 2025
npmpdfdancer-client-typescript:1.0.9Issue #28950Oct 22, 2025
npm@lk_blackboxai/blackbox-cli-core:0.0.9-devIssue #29222Oct 24, 2025
npmmediapipe:1.0.6Issue #29227Oct 23, 2025
npmmediapipe:1.0.9Issue #29228Oct 23, 2025
npmmediapipe:1.1.1Issue #29230Oct 23, 2025
npmmediapipe:1.1.3Issue #29232Oct 23, 2025
npmmediapipe:1.1.6Issue #29234Oct 23, 2025
npmmediapipe:1.1.8Issue #29235Oct 23, 2025
npmqwant-search-extension:10.0.3Issue #29236Oct 23, 2025
npmmediapipe:1.2.3Issue #29237Oct 23, 2025
npmqwant-search-extension:10.0.4Issue #29238Oct 23, 2025
npmmediapipe:1.2.4Issue #29239Oct 23, 2025
npmtchap-landing-page:7.0.3Issue #29266Oct 23, 2025
npmdoppler-secrets-fetch-github-action:7.0.1Issue #29278Oct 23, 2025
npmuser_oidc:8.0.1Issue #29280Oct 23, 2025
npmmediapipe:1.2.5Issue #29289Oct 23, 2025
npmmediapipe:1.2.6Issue #29291Oct 23, 2025
npmmediapipe:1.2.7Issue #29293Oct 23, 2025
npmmediapipe:1.2.8Issue #29294Oct 23, 2025
npmmediapipe:1.2.9Issue #29296Oct 23, 2025
npmreact-mandes:1.1.4Issue #29313Oct 23, 2025
npmmediapipe:1.3.0Issue #29329Oct 23, 2025
npmmediapipe:1.3.1Issue #29352Oct 23, 2025
npmmediapipe:1.3.2Issue #29354Oct 23, 2025
npmmediapipe:1.3.3Issue #29357Oct 23, 2025
npmmediapipe:1.3.4Issue #29362Oct 23, 2025
npmuser_oidc:8.0.2Issue #29369Oct 23, 2025
npmqwant-search-extension:10.0.6Issue #29383Oct 23, 2025
npmduckduckgo-eslint-config-poc:999.999.999Issue #29393Oct 23, 2025
npmmediapipe:1.3.5Issue #29426Oct 23, 2025
npmuser_oidc:8.0.3Issue #29442Oct 24, 2025
npmuser_oidc:8.0.4Issue #29443Oct 24, 2025

Secure Your Open Source Dependencies against Vulnerabilities and Malicious Code

Minimize risks and protect your applications from malicious packages with Xygeni Early Malware Detection. Prioritize and address the vulnerabilities that matter most. Our comprehensive solution offers real-time monitoring of your dependencies to detect and mitigate threats before they impact your software.

Managing open-source components in the current software development landscape is crucial due to the rising vulnerabilities and malicious code threats. Xygeni’s Open Source Security solution scans and blocks harmful packages upon publication, dramatically minimizing the risk of malware and vulnerabilities infiltrating your systems. Our comprehensive monitoring spans multiple public registries, ensuring all dependencies are scrutinized for safety and integrity. Xygeni enhances your team’s ability to maintain secure and reliable software projects by contextually prioritizing critical issues and facilitating streamlined remediation processes.

how-to-avoid-malware-malware-prevention-cve check

Xygeni uses multi-layered techniques to stop malicious code before it spreads. First of all, static code analysis detects obfuscation patterns, hidden payloads, and script abuse. In addition, behavioral sandboxing analyzes install hooks, runtime commands, and persistence tricks. Moreover, machine learning detection identifies zero-day npm malware and pypi malware variants missed by signature scanners. Finally, the Early Warning System monitors public repositories in real time, validates findings, and alerts DevOps teams immediately.

As a result, this combination ensures developers receive fast, actionable intelligence integrated directly into CI/CD workflows.

Why Developers Should Care About Malicious npm Packages

Modern threats rarely wait for runtime. For example, malicious npm packages often execute during installation, while pypi malicious packages hide token exfiltration or backdoors. Attackers:

  • Flip private GitHub repos to public to replicate them.
  • Exfiltrate credentials and secrets using encoded payloads.
  • Use obfuscated JavaScript loaders to deploy ransomware or botnets.

In fact, malicious open-source packages surged 156% in one year. Therefore, teams that rely only on delayed feeds or basic scanners fall behind.

What This Malware Report Tracks in npm and PyPI

This digest is the central hub for:

  • Confirmed malicious npm packages
  • Confirmed pypi malicious packages
  • Behavior-based detections of malicious code
  • Registry-confirmed incidents
  • Weekly and monthly malware report summaries
  • Historical changelog of all npm malware and pypi malware findings

In other words, it provides a single point of reference. The research team at Xygeni updates this page weekly with links to full technical analyses and GitHub IOCs.

How to Protect Against Malicious npm Packages and PyPI Malware

Because of this growing risk, organizations need strong defenses:

  • Enforce lockfile-only installs (npm ci) in CI/CD.
  • Additionally, scan dependencies pre-install with Xygeni’s Early Warning Engine.
  • Furthermore, block builds on malicious code signals using Guardrails.
  • Generate SBOMs to trace indirect dependencies and apply policies.
  • Above all, train developers to detect typosquatting, obfuscation, and suspicious install scripts.

Try Xygeni’s Malware Detection Tools

Xygeni delivers:

  • Real-time detection of malicious code, including backdoors, spyware, and ransomware.
  • In contrast to basic scanners, analysis across npm, PyPI, Maven, NuGet, RubyGems, and more.
  • Automatic build blocking when the malware report identifies risk.
  • Exploitability insights, maintainer reputation checks, and anomaly detection.
sca-tools-software-composition-analysis-tools
Prioritize, remediate, and secure your software risks
7-day free trial
No credit card required
Start Free Trial

Secure your Software Development and Delivery

with Xygeni Product Suite

Try Free
Take The Product Tour
Xygeni Logo White

© 2025 Xygeni. All rights reserved

Linkedin-in X-twitter Youtube

Products

Resources

Company

Legal