Every week, our malware detection systems scan thousands of new and updated packages across public registries like npm and PyPI. This week was no exception.
We confirmed over 150 malicious packages between June 20th and June 26th, 2026, across npm, PyPI, and (for the first time this week) the VSCode extension marketplace.
The dominant campaign was panrouter, which flooded npm with over 30 versions across the 5.x and 6.x ranges between June 20 and June 22, a sustained, automated publishing wave designed to outlast blocklists. The trimprompt campaign continued from last week, adding versions 1.0.5 through 1.0.17. The atlasora family (seven packages published simultaneously on June 21) and apintergrationpost (seven versions, June 21–22) followed the same dependency confusion playbook against internal monorepo namespaces.
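The publishing-wave pattern above can be spotted from registry metadata alone. As an added example (not part of this digest or of Xygeni's tooling), the Python below reads the `time` map that the npm registry returns for a package (normally fetched from `https://registry.npmjs.org/<name>`), finds the densest publishing window, and lists which versions a version-pinned blocklist would miss; the package data is constructed to mirror a 31-version wave across 5.x and 6.x, not a real package.

```python
from datetime import datetime, timedelta

# Constructed sample, not real registry data: mimics the "time" map the npm
# registry returns for a package ("created"/"modified" plus one ISO timestamp
# per version), with 31 versions across 5.x and 6.x published two hours apart.
_first = datetime(2026, 6, 20, 1, 0, 0)
_versions = [f"5.{i}.0" for i in range(16)] + [f"6.{i}.0" for i in range(15)]
SAMPLE_TIME_MAP = {"created": "2026-06-20T01:00:00.000Z"}
for n, ver in enumerate(_versions):
    stamp = _first + timedelta(hours=2 * n)
    SAMPLE_TIME_MAP[ver] = stamp.strftime("%Y-%m-%dT%H:%M:%S.000Z")
SAMPLE_TIME_MAP["modified"] = SAMPLE_TIME_MAP[_versions[-1]]


def _published_versions(time_map):
    """Sorted (timestamp, version) pairs, skipping the non-version keys."""
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ"), ver)
        for ver, ts in time_map.items()
        if ver not in ("created", "modified")
    )


def densest_publish_window(time_map, window_days=3):
    """Most versions published inside any window_days span, plus the start
    timestamp of that span (two-pointer sweep over the sorted timestamps)."""
    stamps = _published_versions(time_map)
    window = timedelta(days=window_days)
    best_count, best_start, j = 0, None, 0
    for i, (start, _) in enumerate(stamps):
        while j < len(stamps) and stamps[j][0] <= start + window:
            j += 1
        if j - i > best_count:
            best_count, best_start = j - i, start
    return best_count, best_start


def is_publish_flood(time_map, window_days=3, threshold=10):
    """True when the package shows a publishing wave rather than a release cadence."""
    count, _ = densest_publish_window(time_map, window_days)
    return count >= threshold


def versions_outliving_blocklist(time_map, blocked_versions):
    """Versions published after the newest blocked one: everything a
    version-pinned blocklist misses, and why the block belongs on the name."""
    stamps = _published_versions(time_map)
    newest_blocked = max((ts for ts, v in stamps if v in blocked_versions), default=None)
    if newest_blocked is None:          # nothing blocked yet: every version is exposed
        return [v for _, v in stamps]
    return [v for ts, v in stamps if ts > newest_blocked]
```

The threshold and window are assumptions chosen to match the wave described above; tune them against your own registry's normal release cadence.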
The most significant pattern this week was the concentration of attacks on AI tooling. The ollama-helpers and openai-agents-helpers clusters combined for over 35 versions confirmed on June 24–25, directly targeting packages used in agentic development workflows. monoclaude, ai-sdk-helpers, and @langgraphjs/toolkit extended the same pattern. When an AI agent installs a malicious package autonomously, there is no human reviewer between infection and execution.
On PyPI, tm-ai (seven versions), corvinos (seven versions), request-cache-py (seven versions), and neuralbridge-sdk (a continuing multi-week campaign) dominated. On the VSCode marketplace, orbit-agentic-pair-programming-for-smalltalk was confirmed in two versions, a signal that attackers are expanding beyond package registries into IDE extension marketplaces.
This weekly snapshot is part of our ongoing Malicious Code Digest, where we validate new threats and provide actionable intelligence to help DevSecOps teams protect their pipelines before damage occurs. Let’s break down what we found this week and why it matters.
150 Malicious Packages. One Week. Don’t Be Next.
This week’s digest was not about a single threat; it was about scale and intent. Over 150 confirmed packages, sustained version flooding across multiple days, coordinated namespace attacks, and a sharp acceleration in the targeting of AI tooling and IDE extensions. The attackers are not waiting for you to catch up.
Xygeni Early Malware Detection monitors npm, PyPI, VSCode, and other registries continuously, flagging threats at the moment of publication, not after they’ve landed in a build. When a campaign publishes 30 versions of the same malicious package across three days, or an AI agent autonomously installs a compromised dependency, a weekly scan catches nothing in time.
Xygeni’s Open Source Security solution gives your DevSecOps teams the real-time visibility and prioritization they need to stay ahead of exactly this kind of coordinated pressure, so your pipelines stay clean without slowing your teams down.