Welcome to the latest edition of the Xygeni Malicious Code Digest (Monthly Edition). Once again, our security teams have been diving deep into real package data to spot what traditional tools often miss. The goal? Catch and block malicious packages before they land in your codebase or pipeline.
Over the past few weeks, we’ve confirmed over 225 malicious packages spreading across npm and PyPI. Many used advanced tactics like typosquatting, dependency confusion, and data exfiltration, all designed to slip past automated checks and compromise your environment.
This monthly update is part of our ongoing malware report, where we publish weekly findings, confirm new threats, and help DevSecOps teams stay ahead. If you want full context across every malicious package we’ve analyzed, make sure to explore the complete malicious code digest here.
Week 3: Over 125 Packages Discovered
Key Findings:
NPM Packages
- (npm) mysqldbstool:1.0.4
- (npm) dashboard-demo:1.0.0
- (npm) brfsddd:0.0.1
- (npm) @0xzyo111/frontend-logger:0.0.2
- (npm) @0xzyo111/frontend-logger:0.0.1
- (npm) textlocal-messenger:1.0.1
- (npm) flow-playground:1.0.0
- (npm) action-schema-compiler:99.0.9
- (npm) esm-package:7.0.2
- (npm) ngi-core:1.0.0
- (npm) decoupled-local-node-rig:9.1.1
- (npm) tested123:3.0.3
- (npm) eth-exec-txs:1.0.0
- (npm) file-dependency:7.0.1
- (npm) @vietnetco-distribution/internal-sdk:999.999.999
- (npm) code-processor:99.0.9
- (npm) examples-lib:99.0.9
- (npm) conversation-memory:99.0.9
- (npm) default-agent-provider:99.0.9
- (npm) decoupled-local-node-rig:99.0.9
- (npm) axe-core-scanner:99.0.9
- (npm) azure-ai-foundry:99.0.9
- (npm) hyperion-react-native-testapp:10.0.0
- (npm) donuts.node:99.0.9
- (npm) turborepo-examples:16.0.0
- (npm) hubot-currencies:10.0.0
- (npm) mpesa-ui-components:1.5.2
- (npm) lunasec:1.0.0
- (npm) tw-core-ui:1.0.1
- (npm) jet-os-detection:1.9.4
- (npm) @ivy-shared-components/iconslibrary:99.99.99
- (npm) public-tools-and-demos:1.0.0
- (npm) @huobi-lib/vulcan-js-sdk:10.11.0
- (npm) gx-ui-common:1.0.0
- (npm) gx-ui-common:1.2.63
- (npm) react-native-gainsight-px:1.12.5
- (npm) turborepo-tests-helpers:16.0.0
- (npm) mpesa-ui-components:1.1.20
- (npm) bc-compare:4.1.1
- (npm) terminal-suggest:1.0.2
- (npm) gx-ui-common:1.2.67
- (npm) mpesa-backoffice-ekyc-frontend:3.17.99
- (npm) mysql-dumpdiscord:1.0.2
- (npm) gx-ui-common:1.2.66
- (npm) gx-ui-common:1.2.65
- (npm) berachain-metadata:1.0.1
- (npm) enrichable-markdown-render:20.0.0
- (npm) eslint-plugin-rdv-insertion:6.99.99
- (npm) eslint-plugin-rdv-insertion:7.99.99
- (npm) library-website:6.0.2
- (npm) setup-helper-module:1.0.5
- (npm) setup-helper-module:2.1.2
- (npm) hb-otc:10.15.0
- (npm) newrelic-infrastructure:8.9.1
- (npm) hb-otc:10.17.0
- (npm) gdex-sdk:1.0.9
- (npm) @huobi-lib/vulcan-js-sdk:10.10.0
- (npm) mysqldbstool:1.0.5
- (npm) mysqldbtool:1.0.3
- (npm) hrpqvq123111:1.0.0
- (npm) hrprce:1.0.0
- (npm) hrp9871:1.0.0
- (npm) json-rules-engine-examples:7.1.0
- (npm) calientepe-theme:100.0.2
- (npm) internallib_v606:1.0.2
- (npm) stolbovsaseeminglyinnocentpackage2:0.30.1
- (npm) setup-helper-module:2.1.7
- (npm) internallib_v249:1.0.1
- (npm) notmall:2.1.2
- (npm) @s21games/game-engine:1.15.2
- (npm) @s21games/game-engine:1.15.5
- (npm) @s21games/game-engine:1.15.6
- (npm) @s21games/game-engine:1.15.8
- (npm) @s21games/game-engine:1.15.7
- (npm) @s21games/game-engine:1.15.10
- (npm) moduletestsimple5:1.1.0
- (npm) moduletestsimpletest5:1.1.1
- (npm) @s21games/game-engine:1.15.9
- (npm) @s21games/game-engine:1.15.4
- (npm) @s21games/game-engine:1.15.11
- (npm) @s21games/game-engine:1.15.12
- (npm) @s21games/game-engine:1.15.13
- (npm) @s21games/game-engine:1.15.14
- (npm) internallib_v714:1.0.2
- (npm) internallib_v714:1.0.3
- (npm) @s21games/game-engine:1.15.16
- (npm) internallib_v354:1.0.1
- (npm) @s21games/game-engine:1.15.17
- (npm) @s21games/game-engine:1.15.15
- (npm) @s21games/game-engine:1.15.19
- (npm) @s21games/game-engine:1.15.20
- (npm) @s21games/game-engine:1.15.21
- (npm) @s21games/game-engine:1.15.22
- (npm) @s21games/game-engine:1.15.23
- (npm) @s21games/game-engine:1.15.25
- (npm) @cryptochords/shared:1.0.2
- (npm) @s21games/game-engine:1.15.26
- (npm) vusd-lib:1.0.0
- (npm) @newth/mem0-redis-hybrid:1.0.0
- (npm) @callcenter-frontend/ui-components:99.0.2025091-3.2
- (npm) @callcenter-frontend/ui:99.0.2025091-3.1
- (npm) @callcenter-frontend/shared-types:99.0.2025091-3.1
- (npm) @callcenter-frontend/ui:99.0.2025091-3.15
- (npm) @callcenter-frontend/ui-components:99.0.2025091-3.14
- (npm) @callcenter-frontend/shared-types:99.0.2025091-3.13
- (npm) @callcenter-frontend/helpers:99.0.2025091-3.11
- (npm) @callcenter-frontend/services:99.0.2025091-3.12
- (npm) @callcenter-frontend/api:99.0.2025091-3.10
- (npm) internallib_v715:1.0.1
- (npm) @cnx-ui/cnx-ui-core:10.0.10
- (npm) @cnx-ui/cnx-ui-core:20.0.11
- (npm) @cnx-ui/cnx-ui-core:20.0.12
- (npm) kreme-crypto:0.0.1
- (npm) epxresser:5.1.0
- (npm) epxresser:5.1.1
- (npm) regex-validator-utils:1.0.0
- (npm) regex-validator-utils:1.0.8
- (npm) lynx-dev:1.0.1
- (npm) lynx-explorer:1.0.1
- (npm) humhub:5.0.3
- (npm) eslint-plugin-whatever:9.0.1
- (npm) porscheofficial:2.9.9
PyPI Packages
- (pypi) sinontop-utils:0.3.5
- (pypi) python-dev-toolkit:0.1.9
Week 2: Over 50 Packages Discovered
Key Findings:
NPM Packages
- (npm) @ayuda/search-tree:1.1.6
- (npm) mv-hosp:1.0.0
- (npm) fb_helpers:0.0.3
- (npm) fb_systemd:0.0.3
- (npm) paper-dropdown-menu:99.9.1
- (npm) react-markdown-v7:1.3.9
- (npm) sfly-services:4.0.5
- (npm) sfly-web-vitals:4.0.7
- (npm) pahtkit-wasm:1.0.0
- (npm) vui-vform:10.12.0
- (npm) vui-vform:10.13.0
- (npm) hrpqwq123:1.0.0
- (npm) hrpq1wq123:1.0.0
- (npm) hr1pq1wq123:2.0.0
- (npm) hr1pq1wq123:3.0.0
- (npm) hrpqvq:3.0.0
- (npm) hrpqvq:1.0.0
- (npm) hrpqvq123:1.0.0
- (npm) tianqishengqishi:1.0.0
- (npm) pahtkit-wasm:1.0.1
- (npm) pahtkit-wasm:1.0.2
- (npm) library-website:6.0.5
- (npm) ad-react-wrapper:99.1.0
- (npm) newrelic-infrastructure:8.9.12
- (npm) newrelic-infra-operator:8.9.12
- (npm) newrelic-logging:8.9.12
- (npm) newrelic-pixie:8.9.12
- (npm) nri-kube-events:8.9.12
- (npm) newrelic-k8s-metrics-adapter:8.9.12
- (npm) sfly-services:4.0.1
- (npm) sfly-web-vitals:4.0.5
- (npm) ifood-consumer-help-v2:4.15.1999
- (npm) ifood-faster-remote-config:2.0.0
- (npm) com.revenuecat.purchases-unity:13.3.0
- (npm) com.revenuecat.purchases-unity:13.5.0
- (npm) com.revenuecat.purchases-unity:13.6.0
- (npm) epxressoo:5.1.2
- (npm) mcp-chat-client:1.0.0
- (npm) ifood-faster-remote-config:3.0.0
- (npm) aledade-org:1.0.0
- (npm) codex-monorepo:8.1.1
- (npm) tdm-shared-core-library:99.0.0
- (npm) tdm-shared-core-library:99.0.2
- (npm) tdm-shared-core-library:99.0.3
- (npm) aledade-org:1.1.0
- (npm) collabs-influencer-ui:1.0.2
- (npm) @gc-crm/gc-crm-lib:9999.0.1
PyPI Packages
- (pypi) steamgameoptions:0.1.0
- (pypi) steamgameoptions:0.1.1
- (pypi) steamgameoptions:0.1.2
Week 1: Over 50 Packages Discovered
Key Findings:
NPM Packages
- (npm) blackgoldpvt:1.0.0
- (npm) @huobi-lib/vulcan-js-sdk:10.11.0
- (npm) @stackgl/gl-conformance:9.999.999
- (npm) gen-studio:9.1.2
- (npm) parse-logger:3.3.6
- (npm) pp-react-segmented-controller:99.0.3
- (npm) azure-rest-api-specs-eng-tools:1.0.1
- (npm) pp-com-components:1.0.0
- (npm) pp-react-grid:1.0.0
- (npm) azure-ipam-ui:1.0.0
- (npm) powerbi-visuals-powerkpi:9.0.1
- (npm) tested123:3.0.3
- (npm) @vietnetco-distribution/internal-sdk:999.999.999
- (npm) decoupled-local-node-rig:9.1.1
- (npm) paper-dropdown-input:99.9.3
- (npm) test343tttt:99.9.1
- (npm) paper-dropdown-input:99.9.5
- (npm) @auro-formkit/config:5.0.0
- (npm) paper-dropdown-input:99.9.6
- (npm) mpesa-backoffice-ekyc-frontend:3.17.99
- (npm) @hpx-core-experiences/react-my-account-commons:11.0.1
- (npm) @hpx-core-experiences/react-my-account-commons:11.0.2
- (npm) gx-ui-common:1.2.66
- (npm) gx-ui-common:1.2.65
- (npm) azure-open-ai-accelerator:1.0.0
- (npm) azure-iot-stresstests:1.0.0
- (npm) azure-functions-templates-build:1.0.0
- (npm) berachain-metadata:1.0.1
- (npm) pp-react-theme:1.0.0
- (npm) pp-react-icons:1.0.1
- (npm) pp-react-icons:1.0.0
- (npm) pp-react-country-input:1.0.0
- (npm) design-system-components-angular-workspace:1.1.13
- (npm) react-markdown-v7:1.3.9
- (npm) esm-package:7.0.2
- (npm) enrichable-markdown-render:20.0.0
- (npm) eslint-plugin-rdv-insertion:6.99.99
- (npm) eslint-plugin-rdv-insertion:7.99.99
- (npm) library-website:6.0.2
- (npm) agent-patterns:99.11.9
- (npm) realtime-demo:99.11.9
- (npm) hb-otc:10.15.0
- (npm) ngi-core:1.0.0
- (npm) newrelic-infrastructure:8.9.1
- (npm) hb-otc:10.17.0
- (npm) moodle-core-widget-focusafterclose:1.2.0
- (npm) moodle-core-tooltip:1.2.0
- (npm) yui2-animation:2.2.0
- (npm) nexus-ai-frontend:7.7.8
- (npm) @huobi-lib/vulcan-js-sdk:10.10.0
- (npm) file-dependency:7.0.1
Secure Your Open Source Dependencies against Vulnerabilities and Malicious Code
Malware isn’t just a theoretical risk anymore; it’s already hiding in public packages. With Xygeni’s Early Malware Detection, you can reduce exposure by catching threats as soon as they’re published, before they reach your pipeline.
Our real-time scanning and prioritization engine continuously monitors public registries like npm and PyPI. Malicious packages are blocked, flagged, and ranked based on impact, so you know exactly what needs fixing, and when. Whether it’s typosquatting, dependency confusion, or credential stealers, we help your team stay ahead.
If you want full visibility into weekly and monthly findings, check the complete Malicious Code Digest.
Stay secure. Stay fast. Stay in control with Xygeni.