ተንኮል አዘል ኮድ ማጠቃለያ 77

የXygeni ተንኮል አዘል ኮድ ማጠቃለያ 77

በየሳምንቱየማልዌር ማወቂያ ስርዓቶቻችን እንደ npm እና PyPI ባሉ የህዝብ መዝገቦች ውስጥ በሺዎች የሚቆጠሩ አዳዲስ እና የተዘመኑ ፓኬጆችን ይቃኛሉ። ይህ ሳምንት ከዚህ የተለየ አልነበረም።

We confirmed over 90 malicious packages between June 26 and July 3, 2026, across npm and PyPI, with several campaigns continuing from previous weeks and new ones emerging.

nolimit-agent campaign continued publishing new versions (1.0.306, 1.0.315, 1.0.316), extending the Microsoft 365 device-code phishing framework we documented in detail in our የDeviceDour ሪፖርት. የ anthropic-toolkit cluster was the dominant new campaign, with 20 versions confirmed on June 30 alone — directly targeting packages associated with Anthropic’s developer tooling. The cursed-modules family published over 15 versions between July 1 and July 2 across both standard and inflated version numbers (999.x), following the dependency confusion playbook. The date-fns-lite cluster (5 versions, July 2) continued the pattern of impersonating legitimate, widely-used utility packages.

The AI tooling targeting pattern established last week with ollama-helpersopenai-agents-helpers extended into this period with ai-explain, ai-sdk-helpers, እና @langgraphjs/toolkit,  all confirmed between June 28 and June 30. The @szc-ft/mcp-szcd-client package (versions 0.38.0 and 0.39.0, confirmed July 2) introduced a new pattern we are tracking as SkillLeak: a credential decryptor hidden inside an MCP skill rather than an install hook, invisible to scanners that stop at postinstall. We published a full SkillLeak analysis here.

ይህ ሳምንታዊ ቅጽበታዊ ገጽ እይታ የቀጣይ ስራችን አካል ነው የተንኮል አዘል ኮድ ዝርዝርአዳዲስ ስጋቶችን የምናረጋግጥበት እና የDevSecOps ቡድኖች ውጤቶቻቸውን እንዲጠብቁ የሚረዳ ተግባራዊ መረጃ የምናቀርብበት pipelineጉዳት ከመድረሱ በፊት። በዚህ ሳምንት ያገኘነውን እና ለምን አስፈላጊ እንደሆነ እንዘርዝር።

ምህዳር ጥቅል ተረጋግ .ል ፡፡
ጥዋት@miraiva_test/skill-order-export:0.3.0ጁን 26, 2026
ጥዋትinnxt-mini-app-sdk:1.0.0ጁን 26, 2026
ጥዋትsysverify:1.0.9ጁን 27, 2026
ጥዋት@k18n/creatormarketplace-admin-language:99.0.0ጁን 28, 2026
ጥዋትanthropic-internal-tools:1.0.0ጁን 28, 2026
ጥዋትanthropic-internal-tools:1.0.1ጁን 28, 2026
ጥዋትኦፔንታይ-ኤጀንቶች-ረዳቶች፡ 1.3.2ጁን 28, 2026
ጥዋት@langgraphjs/toolkit:1.2.12ጁን 28, 2026
ጥዋትai-sdk-helpers:1.4.4ጁን 28, 2026
ጥዋትኦላማ-helpers:1.2.2ጁን 28, 2026
ጥዋትai-explain:0.3.3ጁን 28, 2026
ጥዋትai-explain:0.3.4ጁን 28, 2026
ፒፒtdata-grabber:1.0.0ጁን 28, 2026
ጥዋት@vpms/design-system:1.1.2ጁን 29, 2026
ጥዋት@vpms/design-system:1.0.1ጁን 29, 2026
ጥዋት@vpms/design-system:0.1.3ጁን 29, 2026
ጥዋትደህንነቱ ያልተጠበቀ-ተንኮል-አዘል-ጥቅል:1.0.0ጁን 29, 2026
ጥዋትደህንነቱ ያልተጠበቀ-ተንኮል-አዘል-ጥቅል:1.0.2ጁን 29, 2026
ጥዋትደህንነቱ ያልተጠበቀ-ተንኮል-አዘል-ጥቅል:1.0.4ጁን 29, 2026
ጥዋትደህንነቱ ያልተጠበቀ-ተንኮል-አዘል-ጥቅል:1.0.6ጁን 29, 2026
ጥዋትደህንነቱ ያልተጠበቀ-ተንኮል-አዘል-ጥቅል:1.0.8ጁን 29, 2026
ጥዋትደህንነቱ ያልተጠበቀ-ተንኮል-አዘል-ጥቅል:1.0.9ጁን 29, 2026
ጥዋትደህንነቱ ያልተጠበቀ-ተንኮል-አዘል-ጥቅል:2.0.0ጁን 29, 2026
ጥዋትደህንነቱ ያልተጠበቀ-ተንኮል-አዘል-ጥቅል:2.0.1ጁን 29, 2026
ጥዋት@epsteinlovekids483/crossmint-wallets-sdk-pentest:1.0.5-pentestጁን 29, 2026
ጥዋት@epsteinlovekids483/crossmint-wallets-sdk-pentest:1.0.9-pentestጁን 29, 2026
ጥዋት@epsteinlovekids483/crossmint-wallets-sdk-pentest:1.0.7-pentestጁን 29, 2026
ጥዋት@epsteinlovekids483/crossmint-wallets-sdk-pentest:1.0.11-pentestጁን 29, 2026
ጥዋት@epsteinlovekids483/crossmint-wallets-sdk-pentest:1.0.11ጁን 29, 2026
ጥዋትts-einkle:1.1.3ጁን 29, 2026
ጥዋትvkzmn:1.0.6ጁን 29, 2026
ጥዋትlivekit-agents:0.3.4ጁን 30, 2026
ጥዋትnolimit-agent:1.0.306ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:0.3.0ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:0.4.0ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:0.3.1ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:1.0.0ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:1.1.1ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:1.2.1ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:0.9.0ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:0.5.0ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:1.1.0ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:0.7.0ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:0.5.1ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:1.2.0ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:0.8.0ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:1.0.1ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:1.3.0ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:0.6.0ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:0.2.0ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:0.1.1ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:0.2.1ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:0.4.1ጁን 30, 2026
ጥዋትአንትሮፒክ-toolkit:0.1.0ጁን 30, 2026
ጥዋትripshakti:80.0.0ጁን 30, 2026
ጥዋት@sudoughnym/enviro-demo:0.3.3ሐምሌ 1, 2026
ጥዋት@sudoughnym/enviro-demo:99.99.99ሐምሌ 1, 2026
ጥዋትripshakti1:81.0.0ሐምሌ 1, 2026
ጥዋትvue-demi-fix:10.0.4ሐምሌ 1, 2026
ጥዋትeslint-angular-react:110.0.1ሐምሌ 1, 2026
ጥዋትvue-demi-fix:10.0.5ሐምሌ 1, 2026
ጥዋትecto-corsair-flag-7kq3mz:1.0.2ሐምሌ 1, 2026
ጥዋትconstellai:0.5.1ሐምሌ 1, 2026
ጥዋትconstellai:0.5.0ሐምሌ 1, 2026
ጥዋትconstellai:0.4.0ሐምሌ 1, 2026
ጥዋትconstellai:0.3.12ሐምሌ 1, 2026
ጥዋትcursed-modules:2.0.0ሐምሌ 1, 2026
ጥዋትcursed-modules:999.0.0ሐምሌ 1, 2026
ጥዋትmodule-index-cache:1.0.2ሐምሌ 1, 2026
ጥዋትcursed-modules:999.0.1ሐምሌ 1, 2026
ጥዋትcursed-modules:999.0.2ሐምሌ 1, 2026
ጥዋትcursed-modules:999.0.3ሐምሌ 1, 2026
ጥዋትcursed-modules:999.0.4ሐምሌ 1, 2026
ጥዋትcursed-modules:999.0.5ሐምሌ 1, 2026
ጥዋትcursed-modules:999.0.6ሐምሌ 1, 2026
ጥዋትcursed-modules:999.0.7ሐምሌ 1, 2026
ጥዋትcursed-modules:999.0.8ሐምሌ 1, 2026
ጥዋትcursed-modules:999.0.9ሐምሌ 1, 2026
ጥዋትcursed-modules:999.1.0ሐምሌ 1, 2026
ጥዋትcursed-modules:999.1.1ሐምሌ 1, 2026
ጥዋትcursed-modules:999.1.2ሐምሌ 1, 2026
ጥዋትcursed-modules:1.0.1ሐምሌ 1, 2026
ጥዋትcursed-modules:1.0.4ሐምሌ 1, 2026
ጥዋትcursed-modules:1.0.5ሐምሌ 1, 2026
ጥዋትcursed-modules:1.0.6ሐምሌ 1, 2026
ጥዋትcursed-modules:1.0.7ሐምሌ 1, 2026
ጥዋትcursed-modules:1.0.8ሐምሌ 1, 2026
ጥዋትpp-react-v5:30.0.1ሐምሌ 1, 2026
ጥዋትpp-react-v5:30.0.2ሐምሌ 1, 2026
ጥዋት@blue-repository/types:1.2.4-rc.0ሐምሌ 2, 2026
ጥዋት@leju-gym/gym-cli:1.0.7ሐምሌ 2, 2026
ጥዋትconsumerweb:2200.4.2ሐምሌ 2, 2026
ጥዋት@szc-ft/mcp-szcd-client:0.38.0ሐምሌ 2, 2026
ጥዋትlogger-daemon-regex:1.0.124ሐምሌ 2, 2026
ጥዋት@easypayment/medusa-paypal:0.7.6ሐምሌ 2, 2026
ጥዋትdl-pp-latm:80.4.2ሐምሌ 2, 2026
ጥዋት@szc-ft/mcp-szcd-client:0.39.0ሐምሌ 2, 2026
ጥዋትdate-fns-lite:1.0.3ሐምሌ 2, 2026
ጥዋትdate-fns-lite:1.0.4ሐምሌ 2, 2026
ጥዋትdate-fns-lite:1.0.5ሐምሌ 2, 2026
ጥዋትdate-fns-lite:1.0.6ሐምሌ 2, 2026
ጥዋትdate-fns-lite:1.0.9ሐምሌ 2, 2026
ጥዋትnolimit-agent:1.0.315ሐምሌ 2, 2026
ጥዋትnolimit-agent:1.0.316ሐምሌ 2, 2026
ጥዋትየተረገመች-ecto-d3ab00:1.0.0ሐምሌ 3, 2026
ጥዋት@checkrhq/adjudication-api-client:0.0.2ሐምሌ 3, 2026

90+ Packages. One Week. The Pipeline Is the Target.

This week’s digest reflects a shift in attacker focus, not just volume, but precision. Sustained version flooding, AI tooling clusters, MCP-layer credential theft, and dependency confusion attacks against internal monorepo namespaces. The campaigns are automated and continuous. A weekly scan is not a defense.

የXygeni የመጀመሪያ የማልዌር ማስጠንቀቂያ monitors npm, PyPI, and other registries in real time, flagging threats at the moment of publication, before they reach a build, before an AI agent installs them autonomously, and before a SkillLeak-style payload has a chance to execute. When anthropic-toolkit publishes 20 versions in a single day or cursed-modules floods npm with version 999.x across two days, detection that runs after the fact is already too late.

የዚጄኒ Open Source Security መድረክ የዴቭሴክኦፕስ ቡድኖችን ከተቀናጀ የአቅርቦት ሰንሰለት ግፊት ቀድመው ለመቆየት የሚያስፈልገውን በእውነተኛ ጊዜ ለይቶ ማወቅ እና ቅድሚያ መስጠትን ይሰጣል፣ ስለዚህ የእርስዎ pipelineቡድኖቻችሁን ሳታዘገዩ ንፁህ ሁኑ።

sca-tools-software-composition-analyse-tools
የሶፍትዌር አደጋዎችዎን ቅድሚያ ይስጡ፣ ያስተካክሉ እና ይጠብቁ
ነፃ መለያ ያግኙ።
ምንም ዱቤ ካርድ አያስፈልግም።

የሶፍትዌር ልማትዎን እና አቅርቦትዎን ደህንነት ይጠብቁ

ከ Xygeni Product Suite ጋር