Resumo de código malicioso de xuño

Resumo mensual de Malicious Code Digest: xuño

Benvido ao June edition of the Xygeni Malicious Code Digest. This month, our security research team confirmed more than 645 paquetes maliciosos across npm, PyPI, and (for the first time) the VSCode extension marketplace.

June was defined by three converging trends: sustained version-flooding campaigns designed to outlast blocklists, a sharp acceleration in attacks targeting AI tooling and agentic development workflows, and coordinated dependency confusion attacks against internal monorepo namespaces.

Among the most notable campaigns documented this month:

  • sensibilidade flooded npm with over 70 versions across the 2.5.x range, a sustained evasion campaign republishing continuously to stay ahead of takedowns.
  • A two-wave Solana typosquat campaign (June 7–8) published 15 packages impersonating @solana-labs ecosystem tooling, targeting Web3 and DeFi developers directly.
  • houzidawang806 accounted for over 25 versions in a single day (June 13), joined by metrics-pipeline-d8k2 republished across 21 versions between June 15–18.
  • o CryptoDAO Confusion campaign (June 17) published 11 packages at version 99.99.99, each carrying an identical postinstall payload sweeping CI/CD tokens, cloud credentials, and crypto wallet secrets. 
  • The week of June 20–26 brought the most concentrated AI tooling targeting of the month: axudantes de ollama (20 versions), axudantes-de-axentes-de-openai (23 versions), monoclaude, axudantes-ai-sdke @langgraphjs/toolkit, all confirmed in a single week, directly targeting Ollama, OpenAI agents SDK, LangGraph, and Claude API integrations.
  • Two confirmed malicious VSCode extensions appeared this month, signaling that attackers are expanding beyond package registries into the developer environment itself.

The defining pattern of June: attacks are moving into IDE extensions, AI agent tooling, and agentic workflows where a malicious package installed autonomously has no human reviewer between infection and execution.

This monthly update is part of Xygeni’s ongoing malware and supply chain threat research initiative. For full context across every malicious package confirmed this month, explore the complete June Malicious Code Digest and related research from the Xygeni Security Team.

Semana 4: Máis de 201 paquetes descubertos

Ecosystem Paquete data
Xuño 20, 2026
npmpanrouter:5.0.2 + 30 versions across 5.x–6.x range through Jun 22 — dominant campaign of the weekXuño 20, 2026
npmtrimprompt:1.0.5 + 4 versions — continuation from previous week, still activeXuño 20, 2026
npmmonoclaude:1.0.1 + 2 versions — Claude API tooling impersonationXuño 20, 2026
vscodeorbit-agentic-pair-programming-for-smalltalk:1.206.0 + 1 version — malicious VSCode extension targeting agentic developmentXuño 20, 2026
npmsimplisafe-gatsby:1.0.1 Smart home platform namespace impersonationXuño 20, 2026
Xuño 21, 2026
npmatlasora-shared:1.0.0 + 6 packages — coordinated monorepo dependency confusion: atlasora-api, -client, -sdk, -types, -utils, -configXuño 21, 2026
npmapintergrationpost:4.0.2 + 6 versions — deliberate misspelling campaign targeting integration toolingXuño 21, 2026
npmllm-traces-app:1.0.1 LLM observability tooling targetedXuño 21, 2026
pypid0rk3r-telemetry:1.0.0 Obfuscated telemetry package in PyPIXuño 21, 2026
Xuño 22, 2026
pypitm-ai:2.91.75 + 7 versions — sustained PyPI version flooding campaignXuño 22, 2026
pypirequest-cache-py:1.0.4 + 6 versions — PyPI version floodingXuño 22, 2026
pypicorvinos:0.17.0 + 6 versions — PyPI bulk registration campaignXuño 22, 2026
Xuño 23, 2026
npmweb3-token-helper:1.1.1 + 2 versions — Web3 token utility targetingXuño 23, 2026
npmmonocross:1.0.1 + 1 version — mono-* naming cluster alongside monoclaude and monotacosXuño 23, 2026
Xuño 24, 2026
npmollama-helpers:0.1.0 + 19 versions — largest AI tooling campaign of the month, targeting Ollama local AI runtimeXuño 24, 2026
npmopenai-agents-helpers:0.1.1 + 22 versions — coordinated campaign targeting OpenAI agents SDK ecosystemXuño 24, 2026
Xuño 25, 2026
npmaxudantes-ai-sdk:1.4.3 AI SDK tooling targeted alongside @langgraphjs/toolkit:1.2.11Xuño 25, 2026
npmsignup-embedder:99.99.99-poc3 + hs-locale-management — HubSpot internal namespace dependency confusion, poc suffix confirms active research campaignXuño 25, 2026
Xuño 26, 2026
npmeasy-string-kit:1.0.1 + 8 versions including variant easy-string-kit232 — bulk registration under generic utility nameXuño 26, 2026
npmunsafe-malicious-package:1.0.0 + 5 versions — package explicitly named as malicious, confirmed payload, likely test or provocation campaignXuño 26, 2026
npm@vpms/design-system:1.1.2 + 2 versions — design system namespace impersonationXuño 26, 2026

Semana 3: Máis de 200 paquetes descubertos

Ecosystem Paquete data
Xuño 13, 2026
npmhouzidawang806:1.0.0 + 25 versions across 1.0.x–1.2.x including siblings houzidawang807 and houzidawang808 — dominant campaign of the weekXuño 13, 2026
npmfriendly-greeter-demo:1.0.2 + 4 versions — persistent campaign reappearing across multiple daysXuño 13, 2026
npmtsc-ai:1.2.0 tsc-* cluster: tsc-ai, tsc-mesh, tsc-lotl — CI tooling namespace impersonationXuño 13, 2026
pypineuralbridge-sdk:4.5.4 + 6 versions across 4.5.x–5.1.x — sustained multi-day PyPI campaignXuño 13, 2026
Xuño 15, 2026
npmtoken-prices-cron:999.0.0 + 6 packages — DeFi infrastructure dependency confusion cluster targeting internal cron and vault toolingXuño 15, 2026
Xuño 16, 2026
npmbodega-sdk:9.9.9 + 8 packages — DeFi lending and Cardano ecosystem cluster: flow-lending, surf-lending, janus-*, flowcardano, flowdefiXuño 16, 2026
npmevent-metrics-q3x7:1.0.0 + 8 versions — generic hex-suffix package registering bulk monitoring-themed namesXuño 16, 2026
npmnic-datagov:1.0.0 + 3 packages — government data platform namespace impersonation: ogd-analytics, ogd-platform, dms-backendXuño 16, 2026
Xuño 17, 2026
npmcryptodao-contracts:99.99.99 + 10 packages — CryptoDAO dependency confusion: core, sdk, bot, config, utils, deploy, signer, backend, typesXuño 17, 2026
pypiteambot-ai:1.48.0 AI agent tooling targeted in PyPIXuño 17, 2026
Xuño 18, 2026
npmmetrics-pipeline-d8k2:1.0.0 + 20 versions across Jun 18 — sustained single-day evasion campaign, republishing continuously to outlast blocklistsXuño 18, 2026
npmscan-only:0.4.5 + 6 versions — version flooding campaignXuño 18, 2026
npmcolor-utils-dee0:1.0.0 + 5 generic hex-suffix packages: data-utils, string-tools, type-check, fmt-helpers, metrics-probe — scripted bulk registrationXuño 18, 2026
npm@azure-lab-services/ml-ts:99.0.0 Azure ML namespace impersonationXuño 18, 2026
Xuño 19, 2026
npmtrimprompt:1.0.2 + trimprompt-hub — prompt engineering tooling targetedXuño 19, 2026
npmclaude-cup:0.8.6 Claude API tooling impersonationXuño 19, 2026
pypiaiaddin-agent:0.1.0 AI agent tooling targeted in PyPIXuño 19, 2026
npmweb3-crypto-address-utils:0.1.0 Web3 utility targetingXuño 19, 2026

Semana 2: Máis de 135 paquetes descubertos

Ecosystem Paquete data
Xuño 7, 2026
npm@solana-labs/web3.js:1.0.0 + 5 variants — Solana ecosystem typosquat campaign, first waveXuño 7, 2026
npm@jisan901/teamfocus:1.0.0 + 2 versionsXuño 7, 2026
npm@sflyinc-knapsack/shutterfly-react:999.0.0 Dependency confusion, inflated versionXuño 7, 2026
Xuño 8, 2026
npm@solana-labs/web3.js:1.98.102 + 9 variants — Solana ecosystem typosquat campaign, second waveXuño 8, 2026
pypihelixagentai:0.1.3 AI agent tooling targeted in PyPIXuño 8, 2026
Xuño 9, 2026
npm@nstrlabs/sdk:99.0.0 + 7 packages — dependency confusion against internal monorepo namespaceXuño 9, 2026
npm@klapp-login-platform/native-sdk:99.0.0 + 9 packages — authentication platform impersonation across multiple klapp namespacesXuño 9, 2026
npmblockchain-helper-0:1.0.0 + 7 packages — crypto/DeFi utility cluster targeting Web3 developersXuño 9, 2026
npm@card-pci-data/store:99.0.0 Payment card data namespace targetedXuño 9, 2026
Xuño 10, 2026
npmmorningstar-design-system:99.0.0 + 2 versions — financial design system impersonationXuño 10, 2026
Xuño 11, 2026
npmpocteszep:1.0.1 + 5 versions published same dayXuño 11, 2026
npm@coze-common/chat-area:99.1.1 AI chat platform namespace impersonationXuño 11, 2026
pypitelegramlite:1.0.0 + 1 version — messaging platform impersonation in PyPIXuño 11, 2026
Xuño 12, 2026
npmecto-corsair-whisper-6f3b9:1.0.18 + 7 ecto-* variants — obfuscated name clusterXuño 12, 2026
npminternallib_v984:1.0.3 + internallib_v557 cluster — 13 versions of internal library impostorsXuño 12, 2026
npmvoyager-web:999.0.0 Dependency confusion, inflated versionXuño 12, 2026
pypicdjeez:0.32.0Xuño 12, 2026

Semana 1: Máis de 118 paquetes descubertos

Ecosystem Paquete data
Pode 30, 2026
npm@cloudplatform-single-spa/administración:99.99.100 Dependency confusion, inflated versionPode 30, 2026
vscodexestor-xampp:5.1.3 VSCode extension — developer tool impersonationPode 30, 2026
Xuño 1, 2026
npm@tse-digital/core:99.0.0 Dependency confusion — @telenor-se and @ownit also hitXuño 1, 2026
npmcms-storehub:1.3.4 + 2 versions, CMS namespace clusterXuño 1, 2026
npm@antoncallahan/aws-user-helper:6767.67.69 + 6 versions, inflated version numbers targeting AWS credentialsXuño 1, 2026
npmdocumentosdopaciente:75.0.0 Healthcare namespace targetXuño 1, 2026
npm@emcd-vue/auth:6.4.9 Crypto exchange namespace impersonationXuño 1, 2026
pypisimtooreal-cli:0.3.0Xuño 1, 2026
Xuño 2, 2026
npmsensibilidade: 2.5.8 + 70 versions across 2.5.x range, Jun 2–5 — dominant campaign of the periodXuño 2, 2026
npm@langgraphjs/conxunto de ferramentas:1.2.10 LangGraph tooling targetedXuño 2, 2026
Xuño 4, 2026
npm@sentry-browser-sdk/profiling-node:1.0.1 + 2 versions, Sentry namespace impersonationXuño 4, 2026
npminternallib_v346:1.0.3 + 2 versions, internal library impostorXuño 4, 2026
npmaxudantes-ai-sdk:0.2.1 + 7 versions, targeting AI SDK toolingXuño 4, 2026

Stop Malicious Code Before It Reaches Your Pipeline

Software supply chain threats have moved well past theoretical. Dependency confusion attacks, credential stealers, AI-targeted malware, and poisoned developer tooling are hitting real teams in real SDLCs every week.

Xygeni's detección de software malicioso supply chain security platform gives organizations the visibility to catch malicious dependencies before they execute on a developer machine, enter a build system, or reach production. Coverage spans npm, PyPI, VSCode, and beyond, monitoring for suspicious publishing patterns, namespace abuse, typosquatting, and AI-native attack techniques as they emerge.

Every finding is automatically prioritized by exploitability, reachability, and business impact, so your team focuses on what actually needs fixing, not noise.

Whether it’s a malicious open-source package, a compromised developer tool, or an AI-generated code risk, Xygeni keeps security and engineering teams one step ahead of the supply chain threat landscape.

Explore every malicious package and campaign validated by the Xygeni Security Team in the Resumo de código malicioso.

Mantéñase seguro. Mantéñase rápido. Manteña o control con Xygeni.

ferramentas-sca-tools-software-ferramentas-de-análise-de-composición
Priorizar, corrixir e protexer os riscos do software
Obtén a túa conta gratuíta.
Non se precisa tarxeta de crédito.

Asegura o desenvolvemento e a entrega do teu software

con Xygeni Product Suite