Malicious Code Digest Monthly Recap: June

Welcome to the June edition of the Xygeni Malicious Code Digest. This month, our security research team confirmed more than 645 malicious packages across npm, PyPI, and (for the first time) the VSCode extension marketplace.

June was defined by three converging trends: sustained version-flooding campaigns designed to outlast blocklists, a sharp acceleration in attacks targeting AI tooling and agentic development workflows, and coordinated dependency confusion attacks against internal monorepo namespaces.

Among the most notable campaigns documented this month:

  • sensivity flooded npm with over 70 versions across the 2.5.x range, a sustained evasion campaign republishing continuously to stay ahead of takedowns.
  • A two-wave Solana typosquat campaign (June 7–8) published 15 packages impersonating @solana-labs ecosystem tooling, targeting Web3 and DeFi developers directly.
  • houzidawang806 accounted for over 25 versions in a single day (June 13), joined by metrics-pipeline-d8k2 republished across 21 versions between June 15–18.
  • The CryptoDAO Confusion campaign (June 17) published 11 packages at version 99.99.99, each carrying an identical postinstall payload sweeping CI/CD tokens, cloud credentials, and crypto wallet secrets. 
  • The week of June 20–26 brought the most concentrated AI tooling targeting of the month: ollama-helpers (20 versions), openai-agents-helpers (23 versions), monoclaude, ai-sdk-helpers, and @langgraphjs/toolkit, all confirmed in a single week, directly targeting Ollama, OpenAI agents SDK, LangGraph, and Claude API integrations.
  • Two confirmed malicious VSCode extensions appeared this month, signaling that attackers are expanding beyond package registries into the developer environment itself.

The defining pattern of June: attacks are moving into IDE extensions, AI agent tooling, and agentic workflows where a malicious package installed autonomously has no human reviewer between infection and execution.
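As an added example (not Xygeni's code and not part of the digest), the script below audits an npm package-lock.json for the two dependency confusion signals that recur in this month's tables: an internal scope that was resolved from the public registry, and inflated or proof-of-concept version tags such as 99.99.99-poc3. The @acme scope, the internal registry host, the major-version ceiling and the lockfile contents are constructed assumptions.

```python
import json
import re

# Constructed sample npm lockfile (lockfileVersion 3 layout); these entries are not from the page.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/lodash": {"version": "4.17.21",
        "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    "node_modules/@acme/core": {"version": "99.0.0",
        "resolved": "https://registry.npmjs.org/@acme/core/-/core-99.0.0.tgz"},
    "node_modules/@acme/utils": {"version": "1.4.2",
        "resolved": "https://npm.internal.example/@acme/utils/-/utils-1.4.2.tgz"},
    "node_modules/signup-embedder": {"version": "99.99.99-poc3",
        "resolved": "https://registry.npmjs.org/signup-embedder/-/signup-embedder-99.99.99-poc3.tgz"},
}})

INTERNAL_SCOPES = {"@acme"}      # assumption: scopes your organisation publishes only privately
PUBLIC_REGISTRY = "registry.npmjs.org"
MAJOR_CEILING = 50               # assumption: no genuine dependency carries a major this high
SEMVER = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def audit_lockfile(lock_text, internal_scopes=INTERNAL_SCOPES):
    """Return (name, version, reason) triples for lockfile entries matching a confusion signal."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue                      # the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[1]
        version, resolved = meta.get("version", ""), meta.get("resolved", "")
        scope = name.split("/")[0] if name.startswith("@") else None
        # An internal scope fetched from the public registry is the defining sign of dependency confusion.
        if scope in internal_scopes and PUBLIC_REGISTRY in resolved:
            findings.append((name, version, "internal scope resolved from public registry"))
        m = SEMVER.match(version)
        if not m:
            continue
        major, prerelease = int(m.group(1)), (m.group(4) or "").lower()
        if major >= MAJOR_CEILING:        # 99.0.0, 999.0.0, 6767.67.69 style inflation
            findings.append((name, version, "inflated major version"))
        if prerelease.startswith("poc"):  # 99.99.99-poc3 style proof-of-concept tag
            findings.append((name, version, "proof-of-concept prerelease tag"))
    return findings


if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}@{version}: {reason}")
```

Run it against a real lockfile by passing the file contents to audit_lockfile and adjusting INTERNAL_SCOPES to the scopes your private registry actually serves.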

This monthly update is part of Xygeni’s ongoing malware and supply chain threat research initiative. For full context across every malicious package confirmed this month, explore the complete June Malicious Code Digest and related research from the Xygeni Security Team.

Week 4: Over 201 Packages Discovered

Ecosystem | Package | Date
npm | panrouter:5.0.2 + 30 versions across 5.x–6.x range through Jun 22 — dominant campaign of the week | Jun 20, 2026
npm | trimprompt:1.0.5 + 4 versions — continuation from previous week, still active | Jun 20, 2026
npm | monoclaude:1.0.1 + 2 versions — Claude API tooling impersonation | Jun 20, 2026
vscode | orbit-agentic-pair-programming-for-smalltalk:1.206.0 + 1 version — malicious VSCode extension targeting agentic development | Jun 20, 2026
npm | simplisafe-gatsby:1.0.1, smart home platform namespace impersonation | Jun 20, 2026
npm | atlasora-shared:1.0.0 + 6 packages — coordinated monorepo dependency confusion: atlasora-api, -client, -sdk, -types, -utils, -config | Jun 21, 2026
npm | apintergrationpost:4.0.2 + 6 versions — deliberate misspelling campaign targeting integration tooling | Jun 21, 2026
npm | llm-traces-app:1.0.1, LLM observability tooling targeted | Jun 21, 2026
pypi | d0rk3r-telemetry:1.0.0, obfuscated telemetry package in PyPI | Jun 21, 2026
pypi | tm-ai:2.91.75 + 7 versions — sustained PyPI version flooding campaign | Jun 22, 2026
pypi | request-cache-py:1.0.4 + 6 versions — PyPI version flooding | Jun 22, 2026
pypi | corvinos:0.17.0 + 6 versions — PyPI bulk registration campaign | Jun 22, 2026
npm | web3-token-helper:1.1.1 + 2 versions — Web3 token utility targeting | Jun 23, 2026
npm | monocross:1.0.1 + 1 version — mono-* naming cluster alongside monoclaude and monotacos | Jun 23, 2026
npm | ollama-helpers:0.1.0 + 19 versions — largest AI tooling campaign of the month, targeting Ollama local AI runtime | Jun 24, 2026
npm | openai-agents-helpers:0.1.1 + 22 versions — coordinated campaign targeting OpenAI agents SDK ecosystem | Jun 24, 2026
npm | ai-sdk-helpers:1.4.3, AI SDK tooling targeted alongside @langgraphjs/toolkit:1.2.11 | Jun 25, 2026
npm | signup-embedder:99.99.99-poc3 + hs-locale-management — HubSpot internal namespace dependency confusion, poc suffix confirms active research campaign | Jun 25, 2026
npm | easy-string-kit:1.0.1 + 8 versions including variant easy-string-kit232 — bulk registration under generic utility name | Jun 26, 2026
npm | unsafe-malicious-package:1.0.0 + 5 versions — package explicitly named as malicious, confirmed payload, likely test or provocation campaign | Jun 26, 2026
npm | @vpms/design-system:1.1.2 + 2 versions — design system namespace impersonation | Jun 26, 2026

Week 3: Over 200 Packages Discovered

Ecosystem | Package | Date
npm | houzidawang806:1.0.0 + 25 versions across 1.0.x–1.2.x including siblings houzidawang807 and houzidawang808 — dominant campaign of the week | Jun 13, 2026
npm | friendly-greeter-demo:1.0.2 + 4 versions — persistent campaign reappearing across multiple days | Jun 13, 2026
npm | tsc-ai:1.2.0, tsc-* cluster: tsc-ai, tsc-mesh, tsc-lotl — CI tooling namespace impersonation | Jun 13, 2026
pypi | neuralbridge-sdk:4.5.4 + 6 versions across 4.5.x–5.1.x — sustained multi-day PyPI campaign | Jun 13, 2026
npm | token-prices-cron:999.0.0 + 6 packages — DeFi infrastructure dependency confusion cluster targeting internal cron and vault tooling | Jun 15, 2026
npm | bodega-sdk:9.9.9 + 8 packages — DeFi lending and Cardano ecosystem cluster: flow-lending, surf-lending, janus-*, flowcardano, flowdefi | Jun 16, 2026
npm | event-metrics-q3x7:1.0.0 + 8 versions — generic hex-suffix package registering bulk monitoring-themed names | Jun 16, 2026
npm | nic-datagov:1.0.0 + 3 packages — government data platform namespace impersonation: ogd-analytics, ogd-platform, dms-backend | Jun 16, 2026
npm | cryptodao-contracts:99.99.99 + 10 packages — CryptoDAO dependency confusion: core, sdk, bot, config, utils, deploy, signer, backend, types | Jun 17, 2026
pypi | teambot-ai:1.48.0, AI agent tooling targeted in PyPI | Jun 17, 2026
npm | metrics-pipeline-d8k2:1.0.0 + 20 versions across Jun 18 — sustained single-day evasion campaign, republishing continuously to outlast blocklists | Jun 18, 2026
npm | scan-only:0.4.5 + 6 versions — version flooding campaign | Jun 18, 2026
npm | color-utils-dee0:1.0.0 + 5 generic hex-suffix packages: data-utils, string-tools, type-check, fmt-helpers, metrics-probe — scripted bulk registration | Jun 18, 2026
npm | @azure-lab-services/ml-ts:99.0.0, Azure ML namespace impersonation | Jun 18, 2026
npm | trimprompt:1.0.2 + trimprompt-hub — prompt engineering tooling targeted | Jun 19, 2026
npm | claude-cup:0.8.6, Claude API tooling impersonation | Jun 19, 2026
pypi | aiaddin-agent:0.1.0, AI agent tooling targeted in PyPI | Jun 19, 2026
npm | web3-crypto-address-utils:0.1.0, Web3 utility targeting | Jun 19, 2026

Week 2: Over 135 Packages Discovered

Ecosystem | Package | Date
npm | @solana-labs/web3.js:1.0.0 + 5 variants — Solana ecosystem typosquat campaign, first wave | Jun 7, 2026
npm | @jisan901/teamfocus:1.0.0 + 2 versions | Jun 7, 2026
npm | @sflyinc-knapsack/shutterfly-react:999.0.0, dependency confusion, inflated version | Jun 7, 2026
npm | @solana-labs/web3.js:1.98.102 + 9 variants — Solana ecosystem typosquat campaign, second wave | Jun 8, 2026
pypi | helixagentai:0.1.3, AI agent tooling targeted in PyPI | Jun 8, 2026
npm | @nstrlabs/sdk:99.0.0 + 7 packages — dependency confusion against internal monorepo namespace | Jun 9, 2026
npm | @klapp-login-platform/native-sdk:99.0.0 + 9 packages — authentication platform impersonation across multiple klapp namespaces | Jun 9, 2026
npm | blockchain-helper-0:1.0.0 + 7 packages — crypto/DeFi utility cluster targeting Web3 developers | Jun 9, 2026
npm | @card-pci-data/store:99.0.0, payment card data namespace targeted | Jun 9, 2026
npm | morningstar-design-system:99.0.0 + 2 versions — financial design system impersonation | Jun 10, 2026
npm | pocteszep:1.0.1 + 5 versions published same day | Jun 11, 2026
npm | @coze-common/chat-area:99.1.1, AI chat platform namespace impersonation | Jun 11, 2026
pypi | telegramlite:1.0.0 + 1 version — messaging platform impersonation in PyPI | Jun 11, 2026
npm | ecto-corsair-whisper-6f3b9:1.0.18 + 7 ecto-* variants — obfuscated name cluster | Jun 12, 2026
npm | internallib_v984:1.0.3 + internallib_v557 cluster — 13 versions of internal library impostors | Jun 12, 2026
npm | voyager-web:999.0.0, dependency confusion, inflated version | Jun 12, 2026
pypi | cdjeez:0.32.0 | Jun 12, 2026

Week 1: Over 118 Packages Discovered

Ecosystem | Package | Date
npm | @cloudplatform-single-spa/administration:99.99.100, dependency confusion, inflated version | May 30, 2026
vscode | xampp-manager:5.1.3, VSCode extension — developer tool impersonation | May 30, 2026
npm | @tse-digital/core:99.0.0, dependency confusion — @telenor-se and @ownit also hit | Jun 1, 2026
npm | cms-storehub:1.3.4 + 2 versions, CMS namespace cluster | Jun 1, 2026
npm | @antoncallahan/aws-user-helper:6767.67.69 + 6 versions, inflated version numbers targeting AWS credentials | Jun 1, 2026
npm | patientdocuments:75.0.0, healthcare namespace target | Jun 1, 2026
npm | @emcd-vue/auth:6.4.9, crypto exchange namespace impersonation | Jun 1, 2026
pypi | simtooreal-cli:0.3.0 | Jun 1, 2026
npm | sensivity:2.5.8 + 70 versions across 2.5.x range, Jun 2–5 — dominant campaign of the period | Jun 2, 2026
npm | @langgraphjs/toolkit:1.2.10, LangGraph tooling targeted | Jun 2, 2026
npm | @sentry-browser-sdk/profiling-node:1.0.1 + 2 versions, Sentry namespace impersonation | Jun 4, 2026
npm | internallib_v346:1.0.3 + 2 versions, internal library impostor | Jun 4, 2026
npm | ai-sdk-helpers:0.2.1 + 7 versions, targeting AI SDK tooling | Jun 4, 2026

Stop Malicious Code Before It Reaches Your Pipeline

Software supply chain threats have moved well past theoretical. Dependency confusion attacks, credential stealers, AI-targeted malware, and poisoned developer tooling are hitting real teams in real SDLCs every week.

Xygeni’s malware detection and supply chain security platform gives organizations the visibility to catch malicious dependencies before they execute on a developer machine, enter a build system, or reach production. Coverage spans npm, PyPI, VSCode, and beyond, monitoring for suspicious publishing patterns, namespace abuse, typosquatting, and AI-native attack techniques as they emerge.

Every finding is automatically prioritized by exploitability, reachability, and business impact, so your team focuses on what actually needs fixing, not noise.

Whether it’s a malicious open-source package, a compromised developer tool, or an AI-generated code risk, Xygeni keeps security and engineering teams one step ahead of the supply chain threat landscape.

Explore every malicious package and campaign validated by the Xygeni Security Team in the Malicious Code Digest.

Stay secure. Stay fast. Stay in control with Xygeni.
