I kēlā me kēia pule, ke nānā nei kā mākou ʻōnaehana ʻike malware i nā tausani o nā pūʻolo hou a hōʻano hou ʻia ma nā papa inoa lehulehu e like me npm lāua ʻo PyPI. ʻAʻole ʻokoʻa kēia pule.
Ua hōʻoia mākou ma mua o 200 mau pūʻolo ʻino ma waena o Iune 12t a me Iune 19th, 2026, ʻo ka hapa nui ma o npm, me nā hihia hou aʻe ma PyPI. Ua ʻike ʻia kekahi mau mea ma nā hui i hoʻonohonoho ʻia, nā hoʻokuʻu ʻino i hana hou ʻia i paʻi ʻia ma lalo o nā inoa like a i ʻole ma waena o nā ʻohana pūʻolo pili loa.
ʻO ka hihia koʻikoʻi o kēia pule, ʻo ia sensivity, ka mea i hoʻopiha i ka npm me nā hoʻokuʻu mana he 70 ma ka pae 2.5.x, i hōʻoia ʻia ma nā lā he nui. ʻO nā hui koʻikoʻi ʻē aʻe i komo pū me kahi nalu o @solana-labs nā typosquats e kuhikuhi ana i ka ʻōnaehana olaola Solana (web3.js, web3-js, etherjs, spl-toke, ancor, web3js - ma waena o ʻelua mau hoʻolaha hoʻopuka kaʻawale ma Iune 7 a me Iune 8), ʻo ka @nstrlabs ohana (sdk, ixel, utils, shared-components, api-client, auth - hoʻouka kaua huikau hilinaʻi e kūʻē i kahi inoa inoa pūʻolo kūloko), ka @klapp-login-platform hui (native-sdk, oidc, routes — ke hoʻohālike nei i kahi kahua hōʻoia), internallib_v557 a internallib_v984 (nā mana he nui o nā mea hoʻopunipuni waihona puke kūloko i hūnā ʻia), pocteszep (6 mau mana i paʻi ʻia ma Iune 11), a me kahi hui o nā pono crypto a me Web3 e komo pū ana blockchain-helper-0, ethereum-kit-1, ethereum-kit-9, crypto-utils-7, wallet-sdk-9, defi-tools-39, swap-sdk-87, a farming-tools-12. ka morningstar-design-system ua puka mai ka pūʻolo ma ʻekolu mau mana ma Iune 10, e hoʻohālike ana i kahi ʻōnaehana hoʻolālā kālā kaulana.
Mai Iune 13 aku, ua wikiwiki ka wikiwiki. houzidawang806 ʻO ka hui wale nō i helu ʻia ma mua o 25 mau mana i paʻi ʻia i hoʻokahi lā, i hui pū ʻia e nā hoahānau houzidawang807 a houzidawang808. ka metrics-pipeline-d8k2 ua hoʻopuka hou ʻia ka pūʻolo ma nā mana he 21 ma waena o Iune 15 a me Iune 18 - he hoʻolaha pale mau i hoʻolālā ʻia e noho ma mua o nā papa inoa poloka. ʻO ka friendly-greeter-demo ua hoʻomau ka ʻike hou ʻia ʻana o ka pūʻolo ma nā mana āpau i loko o ka pule. Ua puka mai nā hoʻāʻo huikau hou ma lalo o xy-shared, axl-ui, loadninja-shared, carousel-controller-mixin, token-prices-cron, hemi-supply-cron, portal-backend, vault-strategies, a me kekahi mau mea ʻē aʻe - e lawe ana i nā helu mana i hoʻonui ʻia ma ka pae 999.x. He hui hou o nā inoa pono hana maʻamau me nā hopena hex maʻamau (color-utils-dee0, data-utils-d703, string-tools-be6c, type-check-816d, fmt-helpers-794b, metrics-probe-*) i ʻike ʻia ma Iune 18-19, e kūlike me ke kākau inoa nui i kākau ʻia. Ua pani ʻia ka pule me trimprompt, trimprompt-hub, claude-cup, a web3-crypto-address-utils ua hōʻoia ʻia ma Iune 19. Ma PyPI, neuralbridge-sdk (ʻelima mau mana ma waena o 4.5.x–5.1.x), deepstrain, teambot-ai, hello-test-s1, a aiaddin-agent ua hōʻoia ʻia i loko o ka pule.
ʻAʻole kēia he mau ʻano ʻē i hoʻokaʻawale ʻia. ʻO ka mea i kū i waho i kēia pule, ʻo ia ka nui o nā hoʻouka kaua huikau hilinaʻi e kūʻē i nā inoa inoa pūʻolo kūloko, nā hoʻolaha hoʻopuka mau ʻana i nā lā he nui i hoʻolālā ʻia e ʻoi aku ka lōʻihi o nā takedowns, ka hoʻomau ʻana o ka hoʻopaʻa ʻana o Web3 a me DeFi tooling (kahi ʻano i wikiwiki nui i ka makahiki 2026), a me ka hoʻohana nui ʻana i nā inoa pūʻolo generic, like me ka walaʻau i hana ʻia e pale aku i ka ʻike ʻana ma o ka hoʻohui ʻana i nā lāʻau hilinaʻi maʻamau.
ʻO kēia kiʻi paʻi hebedoma kekahi ʻāpana o kā mākou Malicious Code Digest e hoʻomau nei, kahi a mākou e hōʻoia ai i nā hoʻoweliweli hou a hāʻawi i ka ʻike hana e kōkua i nā hui DevSecOps e pale i kā lākou. pipelinema mua o ka hiki ʻana mai o ka pōʻino. E wehewehe kākou i nā mea a mākou i ʻike ai i kēia pule a me ke kumu o kona koʻikoʻi.
Mai ʻae i nā hoʻolaha i hoʻonohonoho ʻia e hōʻea i kāu Pipelines
ʻAʻole pili ka hōʻuluʻulu manaʻo o kēia pule i hoʻokahi hoʻoweliweli; akā, pili ia i ka nui. Ma mua o 200 mau pūʻolo i hōʻoia ʻia, ka hoʻomau ʻana o ka hoʻopiha ʻana i nā mana i nā lā he nui, a me nā hoʻolaha hoʻopaʻa inoa nui i kākau ʻia e holo wikiwiki ana ma mua o ka hiki i nā loiloi manual ke hahai. ʻAʻole e kali ana nā mea hoʻouka iā ʻoe e hopu.
Ka ʻIke ʻana i nā polokalamu ʻino mua o Xygeni nānā mau ʻo npm, PyPI, a me nā papa inoa ʻē aʻe, e hōʻailona ana i nā hoʻoweliweli i ka manawa o ka hoʻopuka ʻana, ʻaʻole ma hope o ko lākou pae ʻana i loko o kahi kūkulu. Ke hoʻopuka kahi hoʻolaha i 21 mau mana o ka pūʻolo ʻino like ma nā lā ʻehā, ʻaʻole e hopu kahi scan hebedoma i kekahi mea i ka manawa.
ʻO Xygeni Open Source Security hāʻawi ka hopena i kāu mau hui DevSecOps i ka ʻike manawa maoli a me ka hoʻonohonoho mua ʻana e pono ai lākou e noho ma mua o kēia ʻano kaomi i hoʻonohonoho ʻia, no laila kāu pipelineE noho maʻemaʻe me ka ʻole o ka hoʻolohi ʻana i kāu mau hui.




