Xygeni Malicious Code Digest 47

Every week, our malware detection systems scan thousands of new and updated packages across public registries like npm and PyPI. This time, we confirmed over 124 malicious packages, ranging from typosquatting and credential stealers to backdoored libraries designed to slip past basic scanners.

This weekly snapshot is part of our ongoing Malicious Code Digest, where we publish continuous findings, confirm emerging threats, and help DevSecOps teams protect their pipelines before damage is done. If you want full context across all confirmed packages and past incidents, be sure to check the full digest.

Let’s break down what we found this week and why it matters.

Ecosystem | Package | Date
npm | dhemrdhs92004:1.250607.11941 | Oct 24, 2025
npm | dhemrdhs92004:1.250607.11953 | Oct 24, 2025
npm | dhemrdhs92004:1.250607.12009 | Oct 24, 2025
npm | porscheofficial:2.9.9 | Oct 24, 2025
npm | @web-ib/chevre:9000.0.0 | Oct 20, 2025
npm | @conotion/cli:0.1.0-beta.2 | Oct 20, 2025
pypi | tikweb:1.0.4 | Oct 20, 2025
npm | tchap-landing-page:7.0.4 | Oct 23, 2025
npm | flight-debug:99.99.1 | Oct 20, 2025
npm | park-boost-v1:1.0.1 | Oct 21, 2025
npm | eslint-plugin-react-discord:9.0.3 | Oct 21, 2025
npm | ab-testing-for-wp:1.18.3 | Oct 21, 2025
npm | superbet-icons:9.9.22 | Oct 24, 2025
npm | vue-analytics-plugin:9.9.20 | Oct 24, 2025
npm | vue-analytics-plugin:9.9.21 | Oct 24, 2025
npm | baidu-tims:1.0.1 | Oct 24, 2025
npm | baidu-tims:1.0.2 | Oct 24, 2025
pypi | bach-news-bigdata-mcp:1.0.0 | Oct 20, 2025
npm | backend-template-js:1.0.0 | Oct 24, 2025
npm | @jayandudakiya/backend-boilerplate-js:1.0.0 | Oct 24, 2025
npm | backend-boilerplate-js:1.0.0 | Oct 24, 2025
npm | enjin-docs:8.0.0 | Oct 24, 2025
npm | enjin-docs:9.0.0 | Oct 24, 2025
npm | enjin-docs:7.0.0 | Oct 24, 2025
npm | hyperion-react-native:1337.0.0 | Oct 20, 2025
npm | create-be-boilerplate:1.0.1 | Oct 24, 2025
npm | @nunes_nunes/loader-base:0.1.0 | Oct 20, 2025
npm | times-new-mcp-server:1.0.0 | Oct 20, 2025
npm | react-medias:1.1.4 | Oct 22, 2025
npm | ec-component-loader:0.1.0 | Oct 20, 2025
npm | ec-component-loader:1.3.1 | Oct 20, 2025
npm | ec-component-loader:1.3.2 | Oct 20, 2025
npm | @patterninc/react-ui:5.0.2 | Oct 21, 2025
npm | mui-themes-extand:3.0.3 | Oct 21, 2025
npm | @jirikobelka/server-closedloop:1.0.0 | Oct 21, 2025
npm | closedloop-mcp-server:1.0.0 | Oct 20, 2025
npm | helosifjowe2342:8.0.5 | Oct 20, 2025
npm | src_components_qcreport_index_tsx:6.8.5 | Oct 20, 2025
npm | tailwind-config-view:1.0.3 | Oct 21, 2025
npm | @agent-velo/era:0.0.20 | Oct 21, 2025
npm | @ledgerhq/live-common:34.52.0-nightly.0 | Oct 21, 2025
npm | agentmono:1.0.0 | Oct 20, 2025
npm | rainbowkit-next-app:1.0.0 | Oct 20, 2025
npm | @ixuxoinzo/xchain-sdk:2.0.0 | Oct 21, 2025
npm | onairos:3.5.2 | Oct 21, 2025
npm | src_module_index_ts:8.2.0 | Oct 20, 2025
npm | src_plugin_index_ts:6.2.0 | Oct 20, 2025
npm | src_bootstrap_index_ts:7.0.5 | Oct 20, 2025
npm | @agent-velo/era:0.0.21 | Oct 21, 2025
npm | @agent-velo/era:0.0.22 | Oct 21, 2025
npm | @agent-velo/era:0.1.0 | Oct 21, 2025
npm | iwf-ant-design-draggable-modal:1.1.9 | Oct 24, 2025
npm | iwf-ant-design-draggable-modal:1.1.10 | Oct 24, 2025
npm | iwf-ant-design-draggable-modal:1.1.11 | Oct 24, 2025
npm | iwf-ant-design-draggable-modal:1.1.12 | Oct 24, 2025
npm | moloch:2.0.0 | Oct 20, 2025
npm | ai-protocol:3.0.0 | Oct 20, 2025
npm | cpilot-coding-assistant:1.0.7 | Oct 21, 2025
npm | stencyption:1.0.4 | Oct 21, 2025
npm | saifulhhacker.site-test:1.199.0 | Oct 20, 2025
npm | qwen-code-core-main:0.0.2 | Oct 21, 2025
npm | @underpostnet/underpost:2.85.0 | Oct 21, 2025
npm | qwen-code-core-master:0.0.1 | Oct 21, 2025
npm | @probelabs/probe:0.6.0-rc146 | Oct 21, 2025
npm | nabladown.js:4.0.1 | Oct 21, 2025
npm | rootsid:1000.99.999 | Oct 20, 2025
npm | uswds-webcomponents:1.0.0 | Oct 21, 2025
npm | simmons:2.0.0 | Oct 20, 2025
npm | tapcode:0.1.0 | Oct 21, 2025
npm | tapcode:0.2.0 | Oct 21, 2025
npm | @agent-velo/era:0.1.1 | Oct 21, 2025
npm | nabladown.js:4.0.2 | Oct 21, 2025
npm | create-be-boilerplate:1.0.0 | Oct 21, 2025
npm | @probelabs/probe:0.6.0-rc148 | Oct 21, 2025
npm | tapcode:0.3.0 | Oct 21, 2025
npm | tapcode:0.4.0 | Oct 21, 2025
npm | @blvckeasy/arenda-crm-core:0.1.9 | Oct 21, 2025
npm | kexin-browser-ext:0.1.31 | Oct 21, 2025
npm | kexin-browser-ext:0.1.32 | Oct 21, 2025
npm | tapcode:0.5.0 | Oct 21, 2025
npm | tapcode:0.6.0 | Oct 21, 2025
npm | tapcode:0.7.0 | Oct 21, 2025
npm | @vitorcen/gemini-cli-2-api:0.8.0-preview.1-5 | Oct 21, 2025
npm | @nan0web/release:1.0.0 | Oct 21, 2025
npm | ggtech:10.0.4 | Oct 21, 2025
npm | ggtech:10.0.5 | Oct 21, 2025
npm | ggtech:10.0.6 | Oct 21, 2025
npm | ggtech:10.0.7 | Oct 21, 2025
npm | ggtech:10.0.8 | Oct 21, 2025
npm | ggtech:10.0.9 | Oct 21, 2025
npm | eadp-code-core:0.0.14 | Oct 21, 2025
npm | @mapcatch/three-loader-3dtiles:1.2.7 | Oct 21, 2025
npm | @odoreltd/osiris-api:5.5.9 | Oct 20, 2025
npm | eadp-code-core:0.0.14-alpha6 | Oct 21, 2025
npm | @xysfe/actui:1.10.4-beta.65 | Oct 21, 2025
npm | eadp-code-core:0.0.14-alpha7 | Oct 21, 2025
npm | onairos:3.5.4 | Oct 21, 2025
npm | @vitorcen/gemini-cli-2-api:0.8.0-preview.1-6 | Oct 21, 2025
npm | sing-fest-es-logger:2025.10.20 | Oct 20, 2025
npm | sing-fest-rq-logger:2025.10.20 | Oct 20, 2025
npm | @maka/maka-cli:5.1.56 | Oct 21, 2025
npm | @starbemtech/star-node-stack-helper:1.5.5 | Oct 21, 2025
npm | shogun-tunnel:1.0.0 | Oct 21, 2025
npm | flow-docscanner-db:10.0.0 | Oct 21, 2025
npm | @friggframework/devtools:2.0.0--canary.461.c5013fd.0 | Oct 21, 2025
npm | shogun-tunnel:1.0.1 | Oct 21, 2025
npm | myaidev-method:0.2.3 | Oct 21, 2025
npm | @friggframework/devtools:2.0.0--canary.461.23a07de.0 | Oct 21, 2025
npm | @maka/maka-cli:5.2.0 | Oct 21, 2025
npm | @underpostnet/underpost:2.85.1 | Oct 21, 2025
npm | nabladown.js:4.0.3 | Oct 21, 2025
npm | @maka/maka-cli:5.2.1 | Oct 21, 2025
npm | @maka/maka-cli:5.2.2 | Oct 21, 2025
npm | zuix-dist:1.2.1 | Oct 21, 2025
npm | lingo.dev:0.113.5 | Oct 21, 2025
npm | @oppo-minigame/cli:3.2.5 | Oct 21, 2025
npm | npmrunnode-fetch-test:1337.1.0 | Oct 21, 2025
npm | canary-ng:1337.1.0 | Oct 21, 2025
npm | @amirafa/vuexp:1.0.6 | Oct 21, 2025
npm | @nhtio/lucid-resourceful:0.1.0-master-2f539c1f | Oct 21, 2025
npm | shiprocket-invoice-export:1.0.0 | Oct 21, 2025
npm | pdfdancer-client-typescript:1.0.10 | Oct 21, 2025
npm | pdfdancer-client-typescript:1.0.11 | Oct 22, 2025
pypi | pdfdancer-client-python:0.2.11 | Oct 22, 2025
pypi | pdfdancer-client-python:0.2.12 | Oct 22, 2025
npm | pdfdancer-client-typescript:1.0.9 | Oct 22, 2025
npm | @lk_blackboxai/blackbox-cli-core:0.0.9-dev | Oct 24, 2025
npm | mediapipe:1.0.6 | Oct 23, 2025
npm | mediapipe:1.0.9 | Oct 23, 2025
npm | mediapipe:1.1.1 | Oct 23, 2025
npm | mediapipe:1.1.3 | Oct 23, 2025
npm | mediapipe:1.1.6 | Oct 23, 2025
npm | mediapipe:1.1.8 | Oct 23, 2025
npm | qwant-search-extension:10.0.3 | Oct 23, 2025
npm | mediapipe:1.2.3 | Oct 23, 2025
npm | qwant-search-extension:10.0.4 | Oct 23, 2025
npm | mediapipe:1.2.4 | Oct 23, 2025
npm | tchap-landing-page:7.0.3 | Oct 23, 2025
npm | doppler-secrets-fetch-github-action:7.0.1 | Oct 23, 2025
npm | user_oidc:8.0.1 | Oct 23, 2025
npm | mediapipe:1.2.5 | Oct 23, 2025
npm | mediapipe:1.2.6 | Oct 23, 2025
npm | mediapipe:1.2.7 | Oct 23, 2025
npm | mediapipe:1.2.8 | Oct 23, 2025
npm | mediapipe:1.2.9 | Oct 23, 2025
npm | react-mandes:1.1.4 | Oct 23, 2025
npm | mediapipe:1.3.0 | Oct 23, 2025
npm | mediapipe:1.3.1 | Oct 23, 2025
npm | mediapipe:1.3.2 | Oct 23, 2025
npm | mediapipe:1.3.3 | Oct 23, 2025
npm | mediapipe:1.3.4 | Oct 23, 2025
npm | user_oidc:8.0.2 | Oct 23, 2025
npm | qwant-search-extension:10.0.6 | Oct 23, 2025
npm | duckduckgo-eslint-config-poc:999.999.999 | Oct 23, 2025
npm | mediapipe:1.3.5 | Oct 23, 2025
npm | user_oidc:8.0.3 | Oct 24, 2025
npm | user_oidc:8.0.4 | Oct 24, 2025

Secure Your Open Source Dependencies against Vulnerabilities and Malicious Code

Minimize risks and protect your applications from malicious packages with Xygeni Early Malware Detection. Prioritize and address the vulnerabilities that matter most. Our comprehensive solution offers real-time monitoring of your dependencies to detect and mitigate threats before they impact your software.

Managing open-source components in the current software development landscape is crucial due to the rising vulnerabilities and malicious code threats. Xygeni’s Open Source Security solution scans and blocks harmful packages upon publication, dramatically minimizing the risk of malware and vulnerabilities infiltrating your systems. Our comprehensive monitoring spans multiple public registries, ensuring all dependencies are scrutinized for safety and integrity. Xygeni enhances your team’s ability to maintain secure and reliable software projects by contextually prioritizing critical issues and facilitating streamlined remediation processes.

Xygeni uses multi-layered techniques to stop malicious code before it spreads. First, static code analysis detects obfuscation patterns, hidden payloads, and script abuse. Second, behavioral sandboxing analyzes install hooks, runtime commands, and persistence tricks. Third, machine learning detection identifies zero-day npm and PyPI malware variants missed by signature scanners. Finally, the Early Warning System monitors public repositories in real time, validates findings, and alerts DevOps teams immediately.

This combination gives developers fast, actionable intelligence integrated directly into CI/CD workflows.

Why Developers Should Care About Malicious npm Packages

Modern threats rarely wait for runtime. For example, malicious npm packages often execute during installation, while malicious PyPI packages hide token exfiltration or backdoors. Attackers:

  • Flip private GitHub repos to public to replicate them.
  • Exfiltrate credentials and secrets using encoded payloads.
  • Use obfuscated JavaScript loaders to deploy ransomware or botnets.

In fact, malicious open-source packages surged 156% in one year. Therefore, teams that rely only on delayed feeds or basic scanners fall behind.

What This Malware Report Tracks in npm and PyPI

This digest is the central hub for:

  • Confirmed malicious npm packages
  • Confirmed malicious PyPI packages
  • Behavior-based detections of malicious code
  • Registry-confirmed incidents
  • Weekly and monthly malware report summaries
  • Historical changelog of all npm and PyPI malware findings

In other words, it provides a single point of reference. The research team at Xygeni updates this page weekly with links to full technical analyses and GitHub IOCs.

How to Protect Against Malicious npm Packages and PyPI Malware

Because of this growing risk, organizations need strong defenses:

  • Enforce lockfile-only installs (npm ci) in CI/CD.
  • Scan dependencies pre-install with Xygeni’s Early Warning Engine.
  • Block builds on malicious code signals using Guardrails.
  • Generate SBOMs to trace indirect dependencies and apply policies.
  • Above all, train developers to detect typosquatting, obfuscation, and suspicious install scripts.
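
A lockfile check in the spirit of the list above, as an added example (not Xygeni's tooling and not code from this page): it walks the "packages" map of a package-lock.json (lockfile v2/v3) and reports entries that match name:version pairs from this digest, plus any other package that declares install scripts. The sample lockfile, the small FLAGGED subset and all function names are constructed for illustration.

```javascript
// name -> versions, copied from a few rows of this digest's table
const FLAGGED = new Map([
  ["flight-debug", ["99.99.1"]],
  ["mediapipe", ["1.0.6", "1.3.5"]],
  ["@web-ib/chevre", ["9000.0.0"]],
]);

// Constructed package-lock.json content (lockfileVersion 3); the "example-*"
// and "demo-app" names are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-http-lib": { version: "4.2.0" },
    "node_modules/example-native-addon": { version: "2.1.3", hasInstallScript: true },
    "node_modules/flight-debug": { version: "99.99.1", hasInstallScript: true },
    "node_modules/example-ui/node_modules/mediapipe": { version: "1.3.5" },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; no marker -> null
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Listed name:version pairs are reported as confirmed; any other package that
// runs lifecycle scripts at install time is surfaced for manual review.
function auditLockfile(lock, flagged) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    // The root project lives under the empty key and is not a dependency.
    const name = key === "" ? null : meta.name || nameFromLockKey(key);
    if (!name) continue;
    if ((flagged.get(name) || []).includes(meta.version)) {
      findings.push({ name, version: meta.version, path: key, reason: "listed-in-digest" });
    } else if (meta.hasInstallScript) {
      findings.push({ name, version: meta.version, path: key, reason: "install-script" });
    }
  }
  return findings;
}

// Fail the pipeline only on confirmed entries; install scripts are review items.
function shouldBlockBuild(findings) {
  return findings.some((f) => f.reason === "listed-in-digest");
}

console.log(auditLockfile(SAMPLE_LOCK, FLAGGED));
```

Run it against the lockfile before `npm ci`, so a listed package is caught before its install script can execute.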

Try Xygeni’s Malware Detection Tools

Xygeni delivers:

  • Real-time detection of malicious code, including backdoors, spyware, and ransomware.
  • Analysis across npm, PyPI, Maven, NuGet, RubyGems, and more, in contrast to basic scanners.
  • Automatic build blocking when the malware report identifies risk.
  • Exploitability insights, maintainer reputation checks, and anomaly detection.