ተንኮል አዘል ኮድ ማጠቃለያ 74

የXygeni ተንኮል አዘል ኮድ ማጠቃለያ 74

በየሳምንቱ ማለት ይቻላልየማልዌር ማወቂያ ስርዓቶቻችን እንደ npm እና PyPI ባሉ የህዝብ መዝገቦች ውስጥ በሺዎች የሚቆጠሩ አዳዲስ እና የተዘመኑ ፓኬጆችን ይቃኛሉ። ይህ ሳምንት ከዚህ የተለየ አልነበረም።

We confirmed over 130 malicious packages between June 7 and June 12, 2026, predominantly across npm, with additional cases in PyPI. Several appeared in coordinated clusters, repeated malicious releases published under the same names or across closely related package families.

The standout case this week was sensivity, which flooded npm with over 40 versioned releases across the 2.5.x range, confirmed across multiple days. Other notable clusters included a wave of @solana-labs typosquats targeting the Solana ecosystem (web3.js, web3-js, etherjs, spl-toke, ancor, web3js — across two separate publishing campaigns on Jun 7 and Jun 8), the @nstrlabs family (sdk, ixel, utils, shared-components, api-client, auth — dependency confusion attack against an internal package namespace), the @klapp-login-platform group (native-sdk, oidc, routes — impersonating an authentication platform), internallib_v557internallib_v984 (multiple versions of obfuscated internal library impostors), pocteszep (6 versions published on Jun 11), and a cluster of crypto and Web3 utilities including blockchain-helper-0, ethereum-kit-1, ethereum-kit-9, crypto-utils-7, wallet-sdk-9, defi-tools-39, swap-sdk-87, እና farming-tools-12. የ morningstar-design-system package appeared in three versions on Jun 10, impersonating a well-known financial design system. In PyPI, helixagentai, telegramlite, እና cdjeez were confirmed across the week.

These were not isolated anomalies. What stood out this week was the concentration of dependency confusion attacks against internal package namespaces, the sustained multi-day publishing of the sensivity cluster, and the continued targeting of Web3 and Solana tooling, a pattern that has accelerated significantly in 2026.

ይህ ሳምንታዊ ቅጽበታዊ ገጽ እይታ የሚቀጥለው የተንኮል አዘል ኮድ ማጠቃለያችን አካል ሲሆን አዳዲስ ስጋቶችን የምናረጋግጥበት እና የDevSecOps ቡድኖች ቡድኖቻቸውን እንዲጠብቁ የሚረዳ ተግባራዊ መረጃ የምናቀርብበት ነው። pipelineጉዳት ከመድረሱ በፊት።

በዚህ ሳምንት ያገኘነውን እና ለምን አስፈላጊ እንደሆነ እንዘርዝር።

ምህዳር ጥቅል ቀን
ጥዋትkraken-ui:999.0.0ጁን 7, 2026
ጥዋት@sflyinc-knapsack/shutterfly-react:999.0.0ጁን 7, 2026
ጥዋትhehehee:1.0.9ጁን 7, 2026
ጥዋትleaflet-opencage-geocoding:1.0.0ጁን 7, 2026
ጥዋት@solana-labs/web3.js:1.0.0ጁን 7, 2026
ጥዋት@solana-labs/web3-js:1.0.0ጁን 7, 2026
ጥዋት@solana-labs/spl-toke:1.0.0ጁን 7, 2026
ጥዋት@solana-labs/web3js:1.0.0ጁን 7, 2026
ጥዋት@solana-labs/etherjs:1.0.0ጁን 7, 2026
ጥዋት@solana-labs/ancor:1.0.0ጁን 7, 2026
ጥዋት@solana-labs/ancor:1.0.1ጁን 7, 2026
ጥዋት@jisan901/teamfocus:1.0.0ጁን 7, 2026
ጥዋት@jisan901/teamfocus:1.0.1ጁን 7, 2026
ጥዋት@jisan901/teamfocus:1.0.2ጁን 7, 2026
ጥዋትconsumerweb-authflow:4.1.1ጁን 8, 2026
ጥዋትconsumerweb-authflow:4.1.3ጁን 8, 2026
ጥዋትhehehee:1.0.10ጁን 8, 2026
ፒፒhelixagentai:0.1.3ጁን 8, 2026
ጥዋት@solana-labs/web3.js:1.98.102ጁን 8, 2026
ጥዋት@solana-labs/web3-js:1.98.103ጁን 8, 2026
ጥዋት@solana-labs/etherjs:1.98.103ጁን 8, 2026
ጥዋት@solana-labs/spl-toke:1.98.103ጁን 8, 2026
ጥዋት@solana-labs/ancor:1.98.103ጁን 8, 2026
ጥዋት@solana-labs/web3js:1.98.103ጁን 8, 2026
ጥዋት@solana-labs/web3.js:1.98.104ጁን 8, 2026
ጥዋት@solana-labs/web3js:1.98.105ጁን 8, 2026
ጥዋት@solana-labs/web3-js:1.98.105ጁን 8, 2026
ጥዋት@solana-labs/spl-toke:1.98.105ጁን 8, 2026
ጥዋት@solana-labs/etherjs:1.98.105ጁን 8, 2026
ጥዋት@solana-labs/ancor:1.98.105ጁን 8, 2026
ጥዋት@nstrlabs/sdk:99.0.0ጁን 9, 2026
ጥዋት@nstrlabs/sdk:99.0.1ጁን 9, 2026
ጥዋት@nstrlabs/ixel:99.0.0ጁን 9, 2026
ጥዋት@nstrlabs/ixel:99.0.1ጁን 9, 2026
ጥዋት@klapp-login-platform/native-sdk:99.0.2ጁን 9, 2026
ጥዋት@klapp-login-platform/oidc:99.0.2ጁን 9, 2026
ጥዋት@klapp-login-platform/native-sdk:99.0.0ጁን 9, 2026
ጥዋት@klapp-login-platform/oidc:99.0.0ጁን 9, 2026
ጥዋት@klapp-login-platform/routes:99.0.0ጁን 9, 2026
ጥዋት@klapp-login-platform/routes:99.0.2ጁን 9, 2026
ጥዋት@listings/energy-labels:99.0.0ጁን 9, 2026
ጥዋት@listings/energy-labels:99.0.1ጁን 9, 2026
ጥዋት@zimmo/last_search:99.0.1ጁን 9, 2026
ጥዋት@zimmo/last_search:99.0.0ጁን 9, 2026
ጥዋት@nstrlabs/utils:99.0.1ጁን 9, 2026
ጥዋት@nstrlabs/utils:99.0.0ጁን 9, 2026
ጥዋት@nstrlabs/shared-components:99.0.0ጁን 9, 2026
ጥዋት@nstrlabs/shared-components:99.0.1ጁን 9, 2026
ጥዋት@nstrlabs/api-client:99.0.1ጁን 9, 2026
ጥዋት@nstrlabs/auth:99.0.1ጁን 9, 2026
ጥዋት@nstrlabs/auth:99.0.0ጁን 9, 2026
ጥዋት@nstrlabs/api-client:99.0.0ጁን 9, 2026
ጥዋት@payment-review/store:99.0.1ጁን 9, 2026
ጥዋት@payment-review/store:99.0.0ጁን 9, 2026
ጥዋት@klapp-otp/routes:99.0.1ጁን 9, 2026
ጥዋት@klapp-otp/routes:99.0.0ጁን 9, 2026
ጥዋት@klapp-kyc/routes:99.0.0ጁን 9, 2026
ጥዋት@klapp-kyc/routes:99.0.1ጁን 9, 2026
ጥዋት@klapp-sca/routes:99.0.0ጁን 9, 2026
ጥዋት@klapp-sca/routes:99.0.1ጁን 9, 2026
ጥዋት@card-pci-data/store:99.0.0ጁን 9, 2026
ጥዋት@card-pci-data/store:99.0.1ጁን 9, 2026
ጥዋት@klapp-about/routes:99.0.1ጁን 9, 2026
ጥዋት@klapp-about/routes:99.0.2ጁን 9, 2026
ጥዋት@klapp-about/routes:99.0.0ጁን 9, 2026
ጥዋትblockchain-helper-0:1.0.0ጁን 9, 2026
ጥዋትcrypto-utils-7:1.0.0ጁን 9, 2026
ጥዋትethereum-kit-1:1.0.0ጁን 9, 2026
ጥዋትweb3-tools-9:1.0.0ጁን 9, 2026
ጥዋትonlinegdb:1.0.0ጁን 9, 2026
ጥዋትsolana-core-4:1.0.0ጁን 9, 2026
ጥዋትethereum-kit-9:1.25.36ጁን 9, 2026
ጥዋትwallet-sdk-9:3.7.73ጁን 9, 2026
ጥዋትdefi-tools-39:4.26.29ጁን 9, 2026
ጥዋትswap-sdk-87:4.63.78ጁን 9, 2026
ጥዋትfarming-tools-12:4.68.54ጁን 9, 2026
ጥዋትmorningstar-design-system:99.0.0ጁን 10, 2026
ጥዋትmorningstar-design-system:99.0.1ጁን 10, 2026
ጥዋትmorningstar-design-system:99.0.2ጁን 10, 2026
ጥዋትgoogle-cloud-secret-manager-config-poc:99.9.44ጁን 11, 2026
ፒፒtelegramlite:1.0.0ጁን 11, 2026
ፒፒtelegramlite:1.0.1ጁን 11, 2026
ጥዋት@access-risk/browser-remedy-react:99.1.1ጁን 11, 2026
ጥዋት@access-risk/browser-remedy-react:99.0.0ጁን 11, 2026
ጥዋት@coze-common/chat-area:99.1.1ጁን 11, 2026
ጥዋትpocteszep:1.0.5ጁን 11, 2026
ጥዋትpocteszep:1.0.4ጁን 11, 2026
ጥዋትpocteszep:1.0.2ጁን 11, 2026
ጥዋትpocteszep:1.0.1ጁን 11, 2026
ጥዋትpocteszep:1.0.8ጁን 11, 2026
ጥዋትpocteszep:1.1.1ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.68ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.67ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.4ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.58ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.59ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.66ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.65ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.2ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.15ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.5ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.13ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.1ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.35ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.38ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.64ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.14ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.34ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.60ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.0ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.33ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.37ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.3ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.36ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.63ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.69ጁን 11, 2026
ጥዋትስሜታዊነት፡ 2.5.62ጁን 11, 2026
ጥዋት@whatnot-web/www-legacy:99.1.2ጁን 12, 2026
ጥዋት@whatnot-web/www-legacy:99.1.1ጁን 12, 2026
ጥዋትvoyager-web:999.0.0ጁን 12, 2026
ጥዋትecto-corsair-whisper-6f3b9:1.0.18ጁን 12, 2026
ጥዋትecto-corsair-whisper-6f3b9:1.0.17ጁን 12, 2026
ጥዋትecto-nightly-spirit:1.1.0ጁን 12, 2026
ጥዋትecto-corsair-flag-x9m4:1.0.0ጁን 12, 2026
ጥዋትecto-rust-read-f3a9c1:1.0.2ጁን 12, 2026
ጥዋትecto-corsair-whisper-6f3b9:1.0.16ጁን 12, 2026
ጥዋትecto-rust-read-f3a9c1:1.0.1ጁን 12, 2026
ጥዋትecto-corsair-whisper-6f3b9:1.0.15ጁን 12, 2026
ጥዋትecto-corsair-whisper-6f3b9:1.0.14ጁን 12, 2026
ጥዋትinternallib_v984:1.0.3ጁን 12, 2026
ጥዋትinternallib_v984:1.0.4ጁን 12, 2026
ጥዋትinternallib_v984:1.0.2ጁን 12, 2026
ጥዋትinternallib_v557:1.0.4ጁን 12, 2026
ጥዋትinternallib_v557:1.0.7ጁን 12, 2026
ጥዋትinternallib_v557:1.0.9ጁን 12, 2026
ጥዋትinternallib_v557:1.0.10ጁን 12, 2026
ጥዋትinternallib_v557:1.0.15ጁን 12, 2026
ጥዋትinternallib_v557:1.0.16ጁን 12, 2026
ጥዋትinternallib_v557:1.0.18ጁን 12, 2026
ጥዋትኮራል-ዊዝ:1.0.0ጁን 12, 2026
ጥዋትinternallib_v557:1.0.21ጁን 12, 2026
ጥዋትinternallib_v557:1.0.22ጁን 12, 2026
ፒፒcdjeez:0.32.0ጁን 12, 2026

Don’t Let Malicious Packages Reach Production

The packages your teams depend on are increasingly being used as an entry point. የXygeni ቀደምት የማልዌር ምርመራ monitors registries in real time, so threats like the ones in this week’s digest are blocked before they ever reach your builds.

This week’s findings are a reminder that the tactics are getting more deliberate. Version flooding, namespace impersonation, and multi-day coordinated campaigns are not edge cases anymore, they are standard attacker playbook. One-time scans and manual audits cannot keep pace with campaigns that publish dozens of versions across multiple days and registries simultaneously.

የዚጄኒ Open Source Security solution gives your DevSecOps teams continuous visibility across npm, PyPI, and beyond,detecting harmful packages at the moment of publication, prioritizing what poses real exploitable risk, and shortening the path from detection to remediation. So your teams can ship fast without compromising on security.

sca-tools-software-composition-analyse-tools
የሶፍትዌር አደጋዎችዎን ቅድሚያ ይስጡ፣ ያስተካክሉ እና ይጠብቁ
ነፃ መለያ ያግኙ።
ምንም ዱቤ ካርድ አያስፈልግም።

የሶፍትዌር ልማትዎን እና አቅርቦትዎን ደህንነት ይጠብቁ

ከ Xygeni Product Suite ጋር