Try Free      
Book a Demo
MALICIOUS CODE

Xygeni Malicious Code Digest 52

  • Last Updated: December 5, 2025

Table of Contents

Must-Read posts

Latest posts of interest

Every week, our malware detection systems scan thousands of new and updated packages across public registries like npm and PyPI. This time, we confirmed over 140 malicious packages, ranging from typosquatting and credential stealers to backdoored libraries designed to slip past basic scanners.

This weekly snapshot is part of our ongoing Malicious Code Digest, where we publish continuous findings, confirm emerging threats, and help DevSecOps teams protect their pipelines before damage is done. If you want full context across all confirmed packages and past incidents, be sure to check the full digest.

Let’s break down what we found this week and why it matters.

Ecosystem Package Date
npmtailwind-state:1.0.3Dec 1, 2025
npmtailwindcss-forms:1.0.3Dec 1, 2025
npmswissriffle:1.0.0Dec 1, 2025
pypidiscord-selfsbotsx:1.0.0Dec 1, 2025
npmvault-watcher:8.0.0Dec 4, 2025
npmcodemirror-5:2.0.0Dec 2, 2025
npmnode-calculator-x7k9-evil:9999.9.9999Dec 1, 2025
npmx402-legacy:4.0.0Dec 1, 2025
npmwfui-dsm-react-ui:99.99.1Dec 3, 2025
npmteeseest:1.6.2Dec 3, 2025
npmsolomon-v3-stories:1.15.6Dec 2, 2025
npmsolomon-v3-stories:1.15.5Dec 2, 2025
npmdata-xabit:1.2.2Dec 2, 2025
npmchia-gaming-lobby-connection:2.2.2Dec 2, 2025
npmchain-selectors:2.2.2Dec 2, 2025
npmcom.unity.sharp-zip-lib:2.0.0Dec 2, 2025
npmbr2s-ui-componentlibrary_r2:4.0.0Dec 2, 2025
npmbtc-transaction-helper:1.0.0Dec 2, 2025
npmeslint-plugin-react-hooks-published:1.0.0Dec 2, 2025
npmliblynxtextra.so:2.0.0Dec 2, 2025
npmhandtalk-test-app:1.0.0Dec 1, 2025
npm@hand-talk/yotta-core:999.0.0Dec 1, 2025
npm@hand-talk/yotta-core:9991.0.0Dec 1, 2025
npmbrowser-client-neptune:99.99.90Dec 1, 2025
npmbrowser-client-neptune:99.99.91Dec 1, 2025
npmx402-legacy:3.0.0Dec 2, 2025
npmx402-legacy:5.0.0Dec 2, 2025
npmlibdebugrouter.so:2.1.0Dec 2, 2025
npmlibdebugrouter.so:2.0.0Dec 2, 2025
npmm365-action-sdk:5.0.0Dec 2, 2025
npmvitest-environment-jsdom-patched:5.0.0Dec 2, 2025
npmx402-legacy:5.0.9Dec 2, 2025
npmelf-stats-mulled-stockpile-411:1.999.0Dec 1, 2025
npmx402-legacy:2.0.0Dec 2, 2025
npmchia-gaming-lobby-connection:3.2.2Dec 2, 2025
npmliblynxtextra.so:3.0.0Dec 2, 2025
npmlibdebugrouter.so:3.1.0Dec 2, 2025
npmeslint-plugin-react-hooks-published:3.0.0Dec 2, 2025
npmchain-selectors:2.0.0Dec 2, 2025
npmchain-selectors:3.0.0Dec 2, 2025
npmeslint-plugin-react-hooks-published:5.0.0Dec 2, 2025
npmliblynxtextra.so:5.0.0Dec 2, 2025
npmliblynxtextra.so:6.0.0Dec 2, 2025
npmliblynxtextra.so:7.0.0Dec 2, 2025
npmliblynxtextra.so:8.0.0Dec 2, 2025
npmliblynxtextra.so:9.0.0Dec 2, 2025
npmchain-selectors:4.0.0Dec 2, 2025
npmliblynxtextra.so:9.1.0Dec 2, 2025
npmchain-selectors:9.1.0Dec 2, 2025
npmeslint-plugin-react-hooks-published:9.1.0Dec 2, 2025
npmcom.unity.sharp-zip-lib:9.1.0Dec 2, 2025
npmlibdebugrouter.so:3.1.2Dec 2, 2025
npmx402-legacy:9.2.0Dec 2, 2025
npmchia-gaming-lobby-connection:1.2.2Dec 2, 2025
npmbabel-plugin-standalone:4.2.0Dec 2, 2025
npmbabel-plugin-standalone:4.1.0Dec 2, 2025
npmbabel-plugin-standalone:5.2.0Dec 2, 2025
npmumap-wasm:2.0.0Dec 2, 2025
npmelf-stats-starlit-cookie-705:1.0.0Dec 1, 2025
npmelf-stats-sparkly-cocoa-863:1.0.0Dec 1, 2025
npmelf-stats-bright-star-712:1.0.1Dec 4, 2025
npmelf-stats-fuzzy-mitten-891:3.0.0Dec 1, 2025
npmelf-stats-northbound-wishlist-684:1.0.0Dec 1, 2025
npmelf-stats-lanternlit-fir-106:2.0.0Dec 1, 2025
npmelf-stats-wintry-hammer-196:2.0.0Dec 1, 2025
npmelf-stats-joyous-toy-475:1.2.0Dec 1, 2025
npm7715-permissions-shared:2.0.0Dec 2, 2025
npmold-hd-keyring:2.0.0Dec 2, 2025
npmbrowser-client-neptune:99.99.92Dec 2, 2025
npmelf-stats-cheery-satchel-119:1.0.0Dec 2, 2025
npmelf-stats-snowdusted-wishlist-166:1.0.1Dec 2, 2025
npmelf-stats-cosy-stockpile-694:1.0.1Dec 2, 2025
npmjz-test-npm:114.8.10Dec 2, 2025
npmjz-test-npm:114.8.114Dec 2, 2025
npmwfui-dbd-react-ui:99.9.1Dec 3, 2025
npmkkkarem:2.0.0Dec 3, 2025
npmkkkaremn:1.0.0Dec 3, 2025
npmkaremz:1.0.0Dec 3, 2025
npmkmz1:1.0.0Dec 3, 2025
npmkaremz:2.0.0Dec 3, 2025
npmkaremzz:2.0.0Dec 3, 2025
npmkaremz:5.0.0Dec 3, 2025
npmkmnb:1.0.0Dec 3, 2025
npmkkkaremn:7.0.0Dec 3, 2025
npmkkkaremn:8.0.0Dec 3, 2025
npmkkkaremnn:11.0.0Dec 3, 2025
npmkkkaremnnn:1.0.0Dec 3, 2025
npmkarem4:1.0.0Dec 3, 2025
npmkarem3:1.0.0Dec 3, 2025
npmkarem3:2.0.0Dec 3, 2025
npmkarem5:1.0.0Dec 3, 2025
npmkarem7:1.0.0Dec 3, 2025
npmkarem8:1.0.0Dec 3, 2025
npmkarem9:1.0.0Dec 3, 2025
npmkarem10:1.0.0Dec 3, 2025
npmkaremm1:1.0.0Dec 3, 2025
npmkarem6:1.0.0Dec 3, 2025
npmkarem2:1.0.0Dec 3, 2025
npmkaremm3:1.0.0Dec 3, 2025
npmkaremm4:1.0.0Dec 3, 2025
npmkaremm6:1.0.0Dec 3, 2025
npmkaremm5:1.0.0Dec 3, 2025
npmkaremm7:1.0.0Dec 3, 2025
npmkaremm2:1.0.0Dec 3, 2025
npmkarem1:1.0.0Dec 3, 2025
npmphx-core:1.0.0Dec 3, 2025
npmelf-stats-storybook-reindeer-552:2.0.0Dec 3, 2025
npmelf-stats-storybook-reindeer-552:2.0.4Dec 3, 2025
npmelf-stats-storybook-reindeer-552:2.0.5Dec 3, 2025
npmelf-stats-starlit-mitten-980:1.2.23Dec 3, 2025
npmelf-stats-starlit-mitten-980:1.2.22Dec 3, 2025
npmelf-stats-joyous-mailbag-164:1.0.18Dec 3, 2025
npmelf-stats-starlit-mitten-980:1.2.24Dec 3, 2025
npmelf-stats-joyous-mailbag-164:1.0.19Dec 3, 2025
npmelf-stats-festive-train-714:1.0.0Dec 3, 2025
npmelf-stats-bright-cushion-246:2.2.0Dec 3, 2025
npmelf-stats-bright-cushion-246:3.0.0Dec 3, 2025
npmelf-stats-bright-cushion-246:5.0.0Dec 3, 2025
npmelf-stats-fuzzy-sparkler-922:99.9.9Dec 3, 2025
npmelf-stats-snowy-train-565:1.0.0Dec 3, 2025
npmelf-stats-snowy-train-565:1.0.1Dec 3, 2025
npmelf-stats-evergreen-mailbag-606:99.0.0Dec 3, 2025
npmelf-stats-snuggly-cookie-673:2.0.0Dec 3, 2025
npmelf-stats-evergreen-mailbag-606:99.0.3Dec 3, 2025
npmelf-stats-merry-cookiejar-915:1.0.0Dec 3, 2025
npmelf-stats-snuggly-cookie-673:2.1.0Dec 3, 2025
npmelf-stats-candystriped-hollyberry-986:99.0.0Dec 3, 2025
npmelf-stats-snuggly-cookie-673:2.2.1Dec 3, 2025
npmelf-stats-merry-cookiejar-987:1.0.0Dec 3, 2025
npmelf-stats-rooftop-stockpile-626:99.0.2Dec 3, 2025
npmelf-stats-merry-cookiejar-987:1.0.1Dec 3, 2025
npmelf-stats-merry-cookiejar-987:1.0.4Dec 3, 2025
npmelf-stats-rooftop-stockpile-626:99.0.6Dec 3, 2025
npmelf-stats-fuzzy-ornament-236:1.0.0Dec 3, 2025
npmelf-stats-frostbitten-reindeer-875:1.0.0Dec 3, 2025
npmelf-stats-merry-cookiejar-754:1.0.0Dec 3, 2025
npmelf-stats-rooftop-stockpile-626:99.0.12Dec 3, 2025
npmelf-stats-rooftop-stockpile-626:99.0.14Dec 3, 2025
npmelf-stats-cranberry-sleigh-853:1.0.2Dec 3, 2025
npmelf-stats-cranberry-sleigh-853:1.0.3Dec 3, 2025
npmelf-stats-piney-icicle-501:1.0.2Dec 3, 2025
npmelf-stats-wintry-icicle-283:1.0.0Dec 3, 2025
npmelf-stats-evergreen-sled-681:1.0.0Dec 3, 2025
npmelf-stats-cranberry-sleigh-853:1.0.5Dec 3, 2025
npmelf-stats-sparkly-garland-970:1.0.1Dec 3, 2025
npmelf-stats-sparkly-garland-970:1.0.0Dec 3, 2025
npmelf-stats-sparkly-garland-970:1.0.2Dec 3, 2025
npmelf-stats-peppermint-hollyberry-893:1.0.0Dec 3, 2025
npmelf-stats-glittering-cookie-772:1.0.0Dec 3, 2025
npmelf-stats-cosy-sleigh-356:99.0.0Dec 3, 2025
npmelf-stats-sparkly-garland-970:1.0.3Dec 3, 2025
npmelf-stats-aurora-drum-979:1.0.0Dec 3, 2025
npmelf-stats-rooftop-garland-184:1.0.0Dec 3, 2025
npmelf-stats-aurora-drum-979:1.0.1Dec 3, 2025
npmelf-stats-snowdusted-bauble-104:1.0.0Dec 3, 2025
npmelf-stats-whimsical-rocket-922:1.0.0Dec 3, 2025
npmelf-stats-piney-icicle-501:1.0.4Dec 4, 2025
npmelf-stats-snuggly-workshop-421:9999.0.5Dec 3, 2025
npmelf-stats-piney-icicle-501:1.0.5Dec 4, 2025
npmelf-stats-whimsical-ledger-767:1.0.1Dec 3, 2025
npmelf-stats-piney-icicle-501:1.0.6Dec 4, 2025
npmelf-stats-cocoa-mitten-558:1.0.0Dec 3, 2025
npmelf-stats-joyous-toy-711:1.0.0Dec 3, 2025
npmelf-stats-starlit-rocket-905:1.0.0Dec 3, 2025
npmelf-stats-piney-icicle-501:1.0.8Dec 4, 2025
npmelf-stats-whimsical-pantry-173:1.0.0Dec 3, 2025
npmelf-stats-starlit-ribbon-255:1.0.1Dec 4, 2025
npmelf-stats-sparkly-sled-484:1.0.0Dec 4, 2025
npmelf-stats-mistletoe-cookie-256:1.0.1Dec 4, 2025
npmelf-stats-sleighing-lantern-878:1.1.3Dec 4, 2025
npmelf-stats-sparkly-toolkit-821:1.0.4Dec 4, 2025
npmelf-stats-merry-cookiejar-442:1.0.0Dec 4, 2025
npmelf-stats-sparkly-ribbon-167:1.1.1Dec 4, 2025
npmhast-util-to-mdast9:9.0.0Dec 4, 2025
npmelf-stats-gingersnap-ornament-469:9.0.0Dec 4, 2025
npmelf-stats-gingersnap-ornament-469:9.0.1Dec 4, 2025
npmelf-stats-gingersnap-ornament-469:9.1.1Dec 4, 2025
npmremark-mdx2.3:9.0.0Dec 4, 2025
npmelf-stats-merry-cookiejar-646:1.0.0Dec 4, 2025
npmremark-parse10:10.0.0Dec 4, 2025
npmelf-stats-sugarplum-cookiejar-287:99.0.0Dec 4, 2025
npmelf-stats-cosy-sparkler-518:1.0.0Dec 4, 2025
npmelf-stats-candystriped-chimney-879:99.0.0Dec 4, 2025
npmelf-stats-cocoa-workshop-459:1.0.1Dec 4, 2025
npmelf-stats-evergreen-nightcap-747:1.0.3Dec 4, 2025
npmelf-stats-evergreen-nightcap-747:1.0.8Dec 4, 2025
npmelf-stats-evergreen-nightcap-747:1.3.1Dec 4, 2025
npmelf-stats-evergreen-nightcap-747:2.0.0Dec 4, 2025
npmvolume-viz:5.5.5Dec 4, 2025
npmphx-core1:8.0.0Dec 4, 2025
npmphx-core2:8.0.0Dec 4, 2025
npmphx-core3:8.0.0Dec 4, 2025
npmphx-core5:8.0.0Dec 4, 2025
npmphx-core4:8.0.0Dec 4, 2025
npmsd-notexsit:999.0.0Dec 4, 2025
npmsd-notexsit:999.0.1Dec 4, 2025
npmsd-notexsit:999.0.2Dec 4, 2025
npmsd-notexsit:999.0.22Dec 4, 2025
npmsd-notexsit:999.0.4Dec 4, 2025
npmsd-notexsit:999.0.41Dec 4, 2025

Secure Your Open Source Dependencies against Vulnerabilities and Malicious Code

Minimize risks and protect your applications from malicious packages with Xygeni Early Malware Detection. Prioritize and address the vulnerabilities that matter most. Our comprehensive solution offers real-time monitoring of your dependencies to detect and mitigate threats before they impact your software.

Managing open-source components in the current software development landscape is crucial due to the rising vulnerabilities and malicious code threats. Xygeni’s Open Source Security solution scans and blocks harmful packages upon publication, dramatically minimizing the risk of malware and vulnerabilities infiltrating your systems. Our comprehensive monitoring spans multiple public registries, ensuring all dependencies are scrutinized for safety and integrity. Xygeni enhances your team’s ability to maintain secure and reliable software projects by contextually prioritizing critical issues and facilitating streamlined remediation processes.

how-to-avoid-malware-malware-prevention-cve check

Xygeni uses multi-layered techniques to stop malicious code before it spreads. First of all, static code analysis detects obfuscation patterns, hidden payloads, and script abuse. In addition, behavioral sandboxing analyzes install hooks, runtime commands, and persistence tricks. Moreover, machine learning detection identifies zero-day npm malware and pypi malware variants missed by signature scanners. Finally, the Early Warning System monitors public repositories in real time, validates findings, and alerts DevOps teams immediately.

As a result, this combination ensures developers receive fast, actionable intelligence integrated directly into CI/CD workflows.

Why Developers Should Care About Malicious npm Packages

Modern threats rarely wait for runtime. For example, malicious npm packages often execute during installation, while pypi malicious packages hide token exfiltration or backdoors. Attackers:

  • Flip private GitHub repos to public to replicate them.
  • Exfiltrate credentials and secrets using encoded payloads.
  • Use obfuscated JavaScript loaders to deploy ransomware or botnets.

In fact, malicious open-source packages surged 156% in one year. Therefore, teams that rely only on delayed feeds or basic scanners fall behind.

What This Malware Report Tracks in npm and PyPI

This digest is the central hub for:

  • Confirmed malicious npm packages
  • Confirmed pypi malicious packages
  • Behavior-based detections of malicious code
  • Registry-confirmed incidents
  • Weekly and monthly malware report summaries
  • Historical changelog of all npm malware and pypi malware findings

In other words, it provides a single point of reference. The research team at Xygeni updates this page weekly with links to full technical analyses and GitHub IOCs.

How to Protect Against Malicious npm Packages and PyPI Malware

Because of this growing risk, organizations need strong defenses:

  • Enforce lockfile-only installs (npm ci) in CI/CD.
  • Additionally, scan dependencies pre-install with Xygeni’s Early Warning Engine.
  • Furthermore, block builds on malicious code signals using Guardrails.
  • Generate SBOMs to trace indirect dependencies and apply policies.
  • Above all, train developers to detect typosquatting, obfuscation, and suspicious install scripts.

Try Xygeni’s Malware Detection Tools

Xygeni delivers:

  • Real-time detection of malicious code, including backdoors, spyware, and ransomware.
  • In contrast to basic scanners, analysis across npm, PyPI, Maven, NuGet, RubyGems, and more.
  • Automatic build blocking when the malware report identifies risk.
  • Exploitability insights, maintainer reputation checks, and anomaly detection.
sca-tools-software-composition-analysis-tools
Prioritize, remediate, and secure your software risks
7-day free trial
No credit card required
Start Free Trial

Secure your Software Development and Delivery

with Xygeni Product Suite

Try Free
Take The Product Tour
Xygeni Logo White

© 2025 Xygeni. All rights reserved

Linkedin-in X-twitter Youtube

Products

Resources

Company

Legal