Sažetak zlonamjernog koda 75

Xygeni sažetak zlonamjernog koda 75

Svake sedmice, naši sistemi za detekciju zlonamjernog softvera skeniraju hiljade novih i ažuriranih paketa u javnim registrima poput npm-a i PyPI-a. Ova sedmica nije bila izuzetak.

We confirmed over 200 malicious packages between June 12t and June 19th, 2026, predominantly across npm, with additional cases in PyPI. Several appeared in coordinated clusters, repeated malicious releases published under the same names or across closely related package families.

The standout case this week was sensivity, which flooded npm with over 70 versioned releases across the 2.5.x range, confirmed across multiple days. Other notable clusters included a wave of @solana-labs typosquats targeting the Solana ecosystem (web3.js, web3-js, etherjs, spl-toke, ancor, web3js — across two separate publishing campaigns on Jun 7 and Jun 8), the @nstrlabs porodica (sdk, ixel, utils, shared-components, api-client, auth — dependency confusion attack against an internal package namespace), the @klapp-login-platform grupa (native-sdk, oidc, routes — impersonating an authentication platform), internallib_v557 i internallib_v984 (multiple versions of obfuscated internal library impostors), pocteszep (6 versions published on Jun 11), and a cluster of crypto and Web3 utilities including blockchain-helper-0, ethereum-kit-1, ethereum-kit-9, crypto-utils-7, wallet-sdk-9, defi-tools-39, swap-sdk-87, I farming-tools-12. The morningstar-design-system package appeared in three versions on Jun 10, impersonating a well-known financial design system.

From Jun 13 onward, the pace accelerated. The houzidawang806 cluster alone accounted for over 25 versions published in a single day, joined by siblings houzidawang807 i houzidawang808. The metrics-pipeline-d8k2 package was republished continuously across 21 versions between Jun 15 and Jun 18 — a sustained evasion campaign designed to stay ahead of blocklists. The friendly-greeter-demo package kept reappearing across versions throughout the week. New dependency confusion attempts surfaced under xy-shared, axl-ui, loadninja-shared, carousel-controller-mixin, token-prices-cron, hemi-supply-cron, portal-backend, vault-strategies, and several others — all carrying inflated version numbers in the 999.x range. A fresh cluster of generic utility names with random hex suffixes (color-utils-dee0, data-utils-d703, string-tools-be6c, type-check-816d, fmt-helpers-794b, metrics-probe-*) appeared on Jun 18–19, consistent with scripted bulk registration. The week closed with trimprompt, trimprompt-hub, claude-cup, I web3-crypto-address-utils confirmed on Jun 19. In PyPI, neuralbridge-sdk (five versions across 4.5.x–5.1.x), deepstrain, teambot-ai, hello-test-s1, I aiaddin-agent were confirmed across the week.

These were not isolated anomalies. What stood out this week was the concentration of dependency confusion attacks against internal package namespaces, the sustained multi-day publishing campaigns designed to outlast takedowns, the continued targeting of Web3 and DeFi tooling (a pattern that has accelerated significantly in 2026), and a growing use of generic, noise-like package names engineered to evade detection by blending into normal dependency trees.

Ovaj sedmični pregled je dio našeg tekućeg pregleda zlonamjernog koda, gdje provjeravamo nove prijetnje i pružamo korisne obavještajne podatke kako bismo pomogli DevSecOps timovima da zaštite svoje pipelineprije nego što dođe do štete. Hajde da analiziramo šta smo otkrili ove sedmice i zašto je to važno.

Ekosistem paket Potvrđeno
npmecto-corsair-whisper-6f3b9:1.0.18Juni 12, 2026
npmecto-corsair-whisper-6f3b9:1.0.17Juni 12, 2026
npmecto-nightly-spirit:1.1.0Juni 12, 2026
npmecto-corsair-flag-x9m4:1.0.0Juni 12, 2026
npmecto-rust-read-f3a9c1:1.0.2Juni 12, 2026
npmecto-corsair-whisper-6f3b9:1.0.16Juni 12, 2026
npmecto-rust-read-f3a9c1:1.0.1Juni 12, 2026
npmecto-corsair-whisper-6f3b9:1.0.15Juni 12, 2026
npmecto-corsair-whisper-6f3b9:1.0.14Juni 12, 2026
npminternallib_v984:1.0.3Juni 15, 2026
npminternallib_v984:1.0.4Juni 15, 2026
npminternallib_v984:1.0.2Juni 15, 2026
npminternallib_v557:1.0.4Juni 15, 2026
npminternallib_v557:1.0.7Juni 15, 2026
npminternallib_v557:1.0.9Juni 15, 2026
npminternallib_v557:1.0.10Juni 15, 2026
npminternallib_v557:1.0.15Juni 15, 2026
npminternallib_v557:1.0.16Juni 15, 2026
npminternallib_v557:1.0.18Juni 15, 2026
npmkoraljni-utvara:1.0.0Juni 12, 2026
npminternallib_v557:1.0.21Juni 15, 2026
npminternallib_v557:1.0.22Juni 15, 2026
npmnpm-sandbox-research-d7e8:1.0.0Juni 18, 2026
npmnpm-sandbox-research-a1b2:1.0.0Juni 18, 2026
npmnpm-sandbox-research-c5d6:1.0.0Juni 18, 2026
npmnpm-sandbox-research-9c4e:1.0.0Juni 18, 2026
npmnpm-sandbox-research-8b2f:1.0.0Juni 18, 2026
npmnpm-sandbox-research-e9f0:1.0.0Juni 18, 2026
npmnpm-sandbox-research-f1g2:1.0.0Juni 18, 2026
npmtsc-mesh:1.0.0Juni 13, 2026
npmfriendly-greeter-demo:1.0.6Juni 13, 2026
npmfriendly-greeter-demo:1.0.4Juni 13, 2026
npmfriendly-greeter-demo:1.0.3Juni 13, 2026
npmfriendly-greeter-demo:1.0.2Juni 13, 2026
npmfriendly-greeter-demo:1.0.9Juni 13, 2026
npmtsc-ai:1.2.1Juni 13, 2026
npmtsc-lotl:1.0.2Juni 13, 2026
npmtsc-mesh:1.0.1Juni 13, 2026
npmtsc-ai:1.2.0Juni 13, 2026
pypineuralbridge-sdk:4.5.4Juni 13, 2026
npmnpm-sandbox-research-g3h4:1.0.0Juni 18, 2026
npmpostinstall-logger-7x9z:1.0.0Juni 18, 2026
npmhouzidawang806:1.0.0Juni 13, 2026
pypineuralbridge-sdk:5.0.0Juni 13, 2026
pypineuralbridge-sdk:4.5.5Juni 13, 2026
npmhouzidawang806:1.0.1Juni 13, 2026
npmhouzidawang806:1.0.2Juni 13, 2026
npmhouzidawang806:1.0.3Juni 13, 2026
npmhouzidawang806:1.0.4Juni 13, 2026
npmhouzidawang806:1.0.5Juni 13, 2026
npmhouzidawang806:1.0.6Juni 13, 2026
npmhouzidawang806:1.0.7Juni 13, 2026
npmhouzidawang806:1.0.9Juni 13, 2026
npmhouzidawang806:1.1.0Juni 13, 2026
npmhouzidawang806:1.1.1Juni 13, 2026
npmhouzidawang806:1.1.2Juni 13, 2026
npmhouzidawang806:1.1.3Juni 13, 2026
npmhouzidawang806:1.1.4Juni 13, 2026
npmhouzidawang806:1.1.5Juni 13, 2026
pypineuralbridge-sdk:5.1.0Juni 13, 2026
npmhouzidawang807:1.1.6Juni 13, 2026
npmhouzidawang806:1.1.6Juni 13, 2026
npmhouzidawang808:1.0.0Juni 13, 2026
npmhouzidawang806:1.1.7Juni 13, 2026
npmhouzidawang806:1.1.8Juni 13, 2026
npmhouzidawang806:1.2.0Juni 13, 2026
pypineuralbridge-sdk:5.1.1Juni 13, 2026
npmhouzidawang806:1.2.1Juni 13, 2026
npmhouzidawang806:1.2.3Juni 13, 2026
npmhouzidawang806:1.2.4Juni 13, 2026
npmhouzidawang806:1.2.5Juni 13, 2026
npmhouzidawang806:1.2.6Juni 13, 2026
pypineuralbridge-sdk:5.1.2Juni 13, 2026
pypideepstrain:1.1.0Juni 13, 2026
npm@jisan901/teamfocus:1.0.3Juni 13, 2026
npmxy-shared:999.0.0Juni 14, 2026
npmaxl-ui:9.9.99Juni 14, 2026
npmloadninja-shared:9.9.99Juni 14, 2026
npmnpx-whoami-demo:1.0.0Juni 14, 2026
npm@jisan901/teamfocus:1.0.4Juni 14, 2026
npmnano-perf:1.0.1Juni 14, 2026
npmtn-advertisement:5.0.1Juni 14, 2026
npmkijai:0.0.2Juni 15, 2026
npmtoken-prices-cron:999.0.0Juni 15, 2026
npmhemi-supply-cron:999.0.0Juni 15, 2026
npmportal-backend:999.0.0Juni 15, 2026
npmvault-strategies:999.0.0Juni 15, 2026
npmhemi-earn-actions:999.0.0Juni 15, 2026
npmvaults-monitor-cron:999.0.0Juni 15, 2026
npmve-hemi-rewards:999.0.0Juni 15, 2026
npmnic-datagov:1.0.0Juni 16, 2026
npmogd-analytics:1.0.0Juni 16, 2026
npmogd-platform:1.0.0Juni 16, 2026
npmdms-backend:1.0.0Juni 16, 2026
npmfriendly-greeter-demo:1.0.10Juni 16, 2026
npmfriendly-greeter-demo:1.0.11Juni 16, 2026
npmcardano-addresses-docs:1.0.1Juni 16, 2026
npmbodega-sdk:9.9.9Juni 16, 2026
npmflow-lending-sdk:9.9.9Juni 16, 2026
npmflow-lending:9.9.9Juni 16, 2026
npmsurf-lending:9.9.9Juni 16, 2026
npmjanus-ft:1.0.0Juni 16, 2026
npmjanus-flow:1.0.0Juni 16, 2026
npmjanus-erc20:1.0.0Juni 16, 2026
npmflowcardano:9.9.9Juni 16, 2026
npmflowdefi:9.9.9Juni 16, 2026
pypihello-test-s1:0.3.1Juni 16, 2026
npmpkg-telemetry-r4f9:1.0.0Juni 18, 2026
npmmailconfirmer:3.3.46Juni 16, 2026
npmcarousel-controller-mixin:999.0.0Juni 16, 2026
npmruntime-metrics-w7k2:1.0.0Juni 18, 2026
npmmailconfirmer:3.3.48Juni 16, 2026
npmbuild-tracker-n5p1:1.0.0Juni 16, 2026
npmnpm-sandbox-ping-r9t2:1.0.0Juni 18, 2026
npmevent-metrics-q3x7:1.0.2Juni 16, 2026
npmevent-metrics-q3x7:1.0.1Juni 16, 2026
npmevent-metrics-q3x7:1.0.0Juni 16, 2026
npmevent-metrics-q3x7:1.0.3Juni 16, 2026
npmevent-metrics-q3x7:1.0.4Juni 16, 2026
npmevent-metrics-q3x7:1.0.5Juni 16, 2026
npmevent-metrics-q3x7:1.0.6Juni 16, 2026
npmevent-metrics-q3x7:1.0.7Juni 16, 2026
npmevent-metrics-q3x7:1.0.8Juni 16, 2026
npmmetrics-pipeline-d8k2:1.0.0Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.1Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.2Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.3Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.4Juni 18, 2026
pypiteambot-ai:1.48.0Juni 17, 2026
npmmetrics-pipeline-d8k2:1.0.5Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.6Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.7Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.8Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.9Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.10Juni 18, 2026
npmfriendly-greeter-demo:1.0.13Juni 17, 2026
npmfriendly-greeter-demo:1.0.14Juni 17, 2026
npmmetrics-pipeline-d8k2:1.0.11Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.12Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.13Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.14Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.15Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.16Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.17Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.18Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.19Juni 18, 2026
npmmetrics-pipeline-d8k2:1.0.20Juni 18, 2026
npmcryptodao-contracts:99.99.99Juni 17, 2026
npmcryptodao-types:99.99.99Juni 17, 2026
npmcryptodao-config:99.99.99Juni 17, 2026
npmcryptodao-utils:99.99.99Juni 17, 2026
npmcryptodao-backend:99.99.99Juni 17, 2026
npmcryptodao-sdk:99.99.99Juni 17, 2026
npmcryptodao-core:99.99.99Juni 17, 2026
npmcryptodao-bot:99.99.99Juni 17, 2026
npmcryptodao-signer:99.99.99Juni 17, 2026
npmcryptodao-deploy:99.99.99Juni 17, 2026
npmmetrics-probe-64b2:1.0.0Juni 18, 2026
npmmetrics-probe-dc85:1.0.0Juni 18, 2026
npmmetrics-probe-77d4:1.0.0Juni 18, 2026
npm@public-for-cdao/core:99.99.99Juni 17, 2026
npmmetrics-probe-88ad:1.0.0Juni 18, 2026
npmwrspati:0.1.0Juni 18, 2026
npmebpf-tracker-action:1.0.1Juni 18, 2026
npm@azure-lab-services/ml-ts:99.0.0Juni 18, 2026
npmlab-services:99.0.0Juni 18, 2026
npmscan-only:0.4.5Juni 18, 2026
npmscan-only:0.4.6Juni 18, 2026
npmscan-only:0.4.7Juni 18, 2026
npmscan-only:0.4.8Juni 18, 2026
npm@muaththir/api:2.0.0Juni 18, 2026
npmbackoffice-charges-module:2.999.1Juni 18, 2026
npmbackoffice-charges-module:2.999.0Juni 18, 2026
npmscan-only:0.4.9Juni 18, 2026
npmscan-only:0.5.0Juni 18, 2026
npmscan-only:0.5.1Juni 18, 2026
npmscan-only:1.0.0Juni 18, 2026
npmnano-perf:2.0.0Juni 18, 2026
npmnano-perf:2.0.1Juni 18, 2026
npmnano-perf:2.1.0Juni 18, 2026
npmnano-perf:2.2.0Juni 18, 2026
npmmetrics-probe-f256:1.0.0Juni 18, 2026
npmcolor-utils-dee0:1.0.0Juni 18, 2026
npmdata-utils-d703:1.0.0Juni 18, 2026
npmstring-tools-be6c:1.0.0Juni 18, 2026
npmtype-check-816d:1.0.0Juni 18, 2026
npmfmt-helpers-794b:1.0.0Juni 18, 2026
npmdatacamp-light:1.0.0Juni 18, 2026
npmdata-utils-bcf2:1.0.0Juni 19, 2026
npmstream-read-35cf:1.0.0Juni 19, 2026
npmdelta-time-32bb:1.0.0Juni 19, 2026
npmsafe-json-38bd:1.0.0Juni 19, 2026
npmhex-conv-ae7a:1.0.0Juni 19, 2026
npmbuffer-wrap-67d7:1.0.0Juni 19, 2026
npmtrimprompt:1.0.2Juni 19, 2026
npmtrimprompt:1.0.4Juni 19, 2026
npmtrimprompt-hub:1.0.1Juni 19, 2026
npmclaude-cup:0.8.6Juni 19, 2026
pypiaiaddin-agent:0.1.0Juni 19, 2026
npmweb3-crypto-address-utils:0.1.0Juni 19, 2026

Don’t Let Coordinated Campaigns Reach Your Pipelines

This week’s digest was not about a single threat;  it was about scale. Over 200 confirmed packages, sustained version flooding across multiple days, and scripted bulk registration campaigns running faster than manual reviews can track. The attackers are not waiting for you to catch up.

Xygeni rano otkrivanje zlonamjernog softvera monitors npm, PyPI, and other registries continuously, flagging threats at the moment of publication, not after they’ve landed in a build. When a campaign publishes 21 versions of the same malicious package across four days, a weekly scan catches nothing in time.

Xygeni's Open Source Security Rješenje pruža vašim DevSecOps timovima vidljivost i prioritizaciju u stvarnom vremenu koja im je potrebna kako bi ostali ispred upravo ovakvog koordiniranog pritiska, tako da vaš pipelineOstanite čisti bez usporavanja vaših timova.

sca-tools-software-alati-za-analizu-sastava
Prioritizirajte, sanirajte i osigurajte softverske rizike
Nabavite svoj besplatni račun.
Nije potrebna kreditna kartica.

Osigurajte svoj razvoj i isporuku softvera

sa Xygeni paketom proizvoda