Zlonamjerni sažetak koda 75

Xygeni sažetak zlonamjernog koda 75

Svaki tjedan, naši sustavi za otkrivanje zlonamjernog softvera skeniraju tisuće novih i ažuriranih paketa u javnim registrima poput npm-a i PyPI-ja. Ovaj tjedan nije bio iznimka.

We confirmed over 200 malicious packages between June 12t and June 19th, 2026, predominantly across npm, with additional cases in PyPI. Several appeared in coordinated clusters, repeated malicious releases published under the same names or across closely related package families.

The standout case this week was sensivity, which flooded npm with over 70 versioned releases across the 2.5.x range, confirmed across multiple days. Other notable clusters included a wave of @solana-labs typosquats targeting the Solana ecosystem (web3.js, web3-js, etherjs, spl-toke, ancor, web3js — across two separate publishing campaigns on Jun 7 and Jun 8), the @nstrlabs obitelj (sdk, ixel, utils, shared-components, api-client, auth — dependency confusion attack against an internal package namespace), the @klapp-login-platform grupa (native-sdk, oidc, routes — impersonating an authentication platform), internallib_v557 i internallib_v984 (multiple versions of obfuscated internal library impostors), pocteszep (6 versions published on Jun 11), and a cluster of crypto and Web3 utilities including blockchain-helper-0, ethereum-kit-1, ethereum-kit-9, crypto-utils-7, wallet-sdk-9, defi-tools-39, swap-sdk-87i farming-tools-12, morningstar-design-system package appeared in three versions on Jun 10, impersonating a well-known financial design system.

From Jun 13 onward, the pace accelerated. The houzidawang806 cluster alone accounted for over 25 versions published in a single day, joined by siblings houzidawang807 i houzidawang808, metrics-pipeline-d8k2 package was republished continuously across 21 versions between Jun 15 and Jun 18 — a sustained evasion campaign designed to stay ahead of blocklists. The friendly-greeter-demo package kept reappearing across versions throughout the week. New dependency confusion attempts surfaced under xy-shared, axl-ui, loadninja-shared, carousel-controller-mixin, token-prices-cron, hemi-supply-cron, portal-backend, vault-strategies, and several others — all carrying inflated version numbers in the 999.x range. A fresh cluster of generic utility names with random hex suffixes (color-utils-dee0, data-utils-d703, string-tools-be6c, type-check-816d, fmt-helpers-794b, metrics-probe-*) appeared on Jun 18–19, consistent with scripted bulk registration. The week closed with trimprompt, trimprompt-hub, claude-cupi web3-crypto-address-utils confirmed on Jun 19. In PyPI, neuralbridge-sdk (five versions across 4.5.x–5.1.x), deepstrain, teambot-ai, hello-test-s1i aiaddin-agent were confirmed across the week.

These were not isolated anomalies. What stood out this week was the concentration of dependency confusion attacks against internal package namespaces, the sustained multi-day publishing campaigns designed to outlast takedowns, the continued targeting of Web3 and DeFi tooling (a pattern that has accelerated significantly in 2026), and a growing use of generic, noise-like package names engineered to evade detection by blending into normal dependency trees.

Ovaj tjedni pregled dio je našeg tekućeg pregleda zlonamjernog koda, gdje provjeravamo nove prijetnje i pružamo praktične informacije kako bismo pomogli DevSecOps timovima da zaštite svoje pipelineprije nego što dođe do štete. Analizirajmo što smo otkrili ovog tjedna i zašto je to važno.

ekosustav Paket potvrđen
NPMecto-corsair-whisper-6f3b9:1.0.18Lipnja 12, 2026
NPMecto-corsair-whisper-6f3b9:1.0.17Lipnja 12, 2026
NPMecto-nightly-spirit:1.1.0Lipnja 12, 2026
NPMecto-corsair-flag-x9m4:1.0.0Lipnja 12, 2026
NPMecto-rust-read-f3a9c1:1.0.2Lipnja 12, 2026
NPMecto-corsair-whisper-6f3b9:1.0.16Lipnja 12, 2026
NPMecto-rust-read-f3a9c1:1.0.1Lipnja 12, 2026
NPMecto-corsair-whisper-6f3b9:1.0.15Lipnja 12, 2026
NPMecto-corsair-whisper-6f3b9:1.0.14Lipnja 12, 2026
NPMinternallib_v984:1.0.3Lipnja 15, 2026
NPMinternallib_v984:1.0.4Lipnja 15, 2026
NPMinternallib_v984:1.0.2Lipnja 15, 2026
NPMinternallib_v557:1.0.4Lipnja 15, 2026
NPMinternallib_v557:1.0.7Lipnja 15, 2026
NPMinternallib_v557:1.0.9Lipnja 15, 2026
NPMinternallib_v557:1.0.10Lipnja 15, 2026
NPMinternallib_v557:1.0.15Lipnja 15, 2026
NPMinternallib_v557:1.0.16Lipnja 15, 2026
NPMinternallib_v557:1.0.18Lipnja 15, 2026
NPMcoral-wraith:1.0.0Lipnja 12, 2026
NPMinternallib_v557:1.0.21Lipnja 15, 2026
NPMinternallib_v557:1.0.22Lipnja 15, 2026
NPMnpm-sandbox-research-d7e8:1.0.0Lipnja 18, 2026
NPMnpm-sandbox-research-a1b2:1.0.0Lipnja 18, 2026
NPMnpm-sandbox-research-c5d6:1.0.0Lipnja 18, 2026
NPMnpm-sandbox-research-9c4e:1.0.0Lipnja 18, 2026
NPMnpm-sandbox-research-8b2f:1.0.0Lipnja 18, 2026
NPMnpm-sandbox-research-e9f0:1.0.0Lipnja 18, 2026
NPMnpm-sandbox-research-f1g2:1.0.0Lipnja 18, 2026
NPMtsc-mesh:1.0.0Lipnja 13, 2026
NPMfriendly-greeter-demo:1.0.6Lipnja 13, 2026
NPMfriendly-greeter-demo:1.0.4Lipnja 13, 2026
NPMfriendly-greeter-demo:1.0.3Lipnja 13, 2026
NPMfriendly-greeter-demo:1.0.2Lipnja 13, 2026
NPMfriendly-greeter-demo:1.0.9Lipnja 13, 2026
NPMtsc-ai:1.2.1Lipnja 13, 2026
NPMtsc-lotl:1.0.2Lipnja 13, 2026
NPMtsc-mesh:1.0.1Lipnja 13, 2026
NPMtsc-ai:1.2.0Lipnja 13, 2026
pypineuralbridge-sdk:4.5.4Lipnja 13, 2026
NPMnpm-sandbox-research-g3h4:1.0.0Lipnja 18, 2026
NPMpostinstall-logger-7x9z:1.0.0Lipnja 18, 2026
NPMhouzidawang806:1.0.0Lipnja 13, 2026
pypineuralbridge-sdk:5.0.0Lipnja 13, 2026
pypineuralbridge-sdk:4.5.5Lipnja 13, 2026
NPMhouzidawang806:1.0.1Lipnja 13, 2026
NPMhouzidawang806:1.0.2Lipnja 13, 2026
NPMhouzidawang806:1.0.3Lipnja 13, 2026
NPMhouzidawang806:1.0.4Lipnja 13, 2026
NPMhouzidawang806:1.0.5Lipnja 13, 2026
NPMhouzidawang806:1.0.6Lipnja 13, 2026
NPMhouzidawang806:1.0.7Lipnja 13, 2026
NPMhouzidawang806:1.0.9Lipnja 13, 2026
NPMhouzidawang806:1.1.0Lipnja 13, 2026
NPMhouzidawang806:1.1.1Lipnja 13, 2026
NPMhouzidawang806:1.1.2Lipnja 13, 2026
NPMhouzidawang806:1.1.3Lipnja 13, 2026
NPMhouzidawang806:1.1.4Lipnja 13, 2026
NPMhouzidawang806:1.1.5Lipnja 13, 2026
pypineuralbridge-sdk:5.1.0Lipnja 13, 2026
NPMhouzidawang807:1.1.6Lipnja 13, 2026
NPMhouzidawang806:1.1.6Lipnja 13, 2026
NPMhouzidawang808:1.0.0Lipnja 13, 2026
NPMhouzidawang806:1.1.7Lipnja 13, 2026
NPMhouzidawang806:1.1.8Lipnja 13, 2026
NPMhouzidawang806:1.2.0Lipnja 13, 2026
pypineuralbridge-sdk:5.1.1Lipnja 13, 2026
NPMhouzidawang806:1.2.1Lipnja 13, 2026
NPMhouzidawang806:1.2.3Lipnja 13, 2026
NPMhouzidawang806:1.2.4Lipnja 13, 2026
NPMhouzidawang806:1.2.5Lipnja 13, 2026
NPMhouzidawang806:1.2.6Lipnja 13, 2026
pypineuralbridge-sdk:5.1.2Lipnja 13, 2026
pypideepstrain:1.1.0Lipnja 13, 2026
NPM@jisan901/teamfocus:1.0.3Lipnja 13, 2026
NPMxy-shared:999.0.0Lipnja 14, 2026
NPMaxl-ui:9.9.99Lipnja 14, 2026
NPMloadninja-shared:9.9.99Lipnja 14, 2026
NPMnpx-whoami-demo:1.0.0Lipnja 14, 2026
NPM@jisan901/teamfocus:1.0.4Lipnja 14, 2026
NPMnano-perf:1.0.1Lipnja 14, 2026
NPMtn-advertisement:5.0.1Lipnja 14, 2026
NPMkijai:0.0.2Lipnja 15, 2026
NPMtoken-prices-cron:999.0.0Lipnja 15, 2026
NPMhemi-supply-cron:999.0.0Lipnja 15, 2026
NPMportal-backend:999.0.0Lipnja 15, 2026
NPMvault-strategies:999.0.0Lipnja 15, 2026
NPMhemi-earn-actions:999.0.0Lipnja 15, 2026
NPMvaults-monitor-cron:999.0.0Lipnja 15, 2026
NPMve-hemi-rewards:999.0.0Lipnja 15, 2026
NPMnic-datagov:1.0.0Lipnja 16, 2026
NPMogd-analytics:1.0.0Lipnja 16, 2026
NPMogd-platform:1.0.0Lipnja 16, 2026
NPMdms-backend:1.0.0Lipnja 16, 2026
NPMfriendly-greeter-demo:1.0.10Lipnja 16, 2026
NPMfriendly-greeter-demo:1.0.11Lipnja 16, 2026
NPMcardano-addresses-docs:1.0.1Lipnja 16, 2026
NPMbodega-sdk:9.9.9Lipnja 16, 2026
NPMflow-lending-sdk:9.9.9Lipnja 16, 2026
NPMflow-lending:9.9.9Lipnja 16, 2026
NPMsurf-lending:9.9.9Lipnja 16, 2026
NPMjanus-ft:1.0.0Lipnja 16, 2026
NPMjanus-flow:1.0.0Lipnja 16, 2026
NPMjanus-erc20:1.0.0Lipnja 16, 2026
NPMflowcardano:9.9.9Lipnja 16, 2026
NPMflowdefi:9.9.9Lipnja 16, 2026
pypihello-test-s1:0.3.1Lipnja 16, 2026
NPMpkg-telemetry-r4f9:1.0.0Lipnja 18, 2026
NPMmailconfirmer:3.3.46Lipnja 16, 2026
NPMcarousel-controller-mixin:999.0.0Lipnja 16, 2026
NPMruntime-metrics-w7k2:1.0.0Lipnja 18, 2026
NPMmailconfirmer:3.3.48Lipnja 16, 2026
NPMbuild-tracker-n5p1:1.0.0Lipnja 16, 2026
NPMnpm-sandbox-ping-r9t2:1.0.0Lipnja 18, 2026
NPMevent-metrics-q3x7:1.0.2Lipnja 16, 2026
NPMevent-metrics-q3x7:1.0.1Lipnja 16, 2026
NPMevent-metrics-q3x7:1.0.0Lipnja 16, 2026
NPMevent-metrics-q3x7:1.0.3Lipnja 16, 2026
NPMevent-metrics-q3x7:1.0.4Lipnja 16, 2026
NPMevent-metrics-q3x7:1.0.5Lipnja 16, 2026
NPMevent-metrics-q3x7:1.0.6Lipnja 16, 2026
NPMevent-metrics-q3x7:1.0.7Lipnja 16, 2026
NPMevent-metrics-q3x7:1.0.8Lipnja 16, 2026
NPMmetrics-pipeline-d8k2:1.0.0Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.1Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.2Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.3Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.4Lipnja 18, 2026
pypiteambot-ai:1.48.0Lipnja 17, 2026
NPMmetrics-pipeline-d8k2:1.0.5Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.6Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.7Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.8Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.9Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.10Lipnja 18, 2026
NPMfriendly-greeter-demo:1.0.13Lipnja 17, 2026
NPMfriendly-greeter-demo:1.0.14Lipnja 17, 2026
NPMmetrics-pipeline-d8k2:1.0.11Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.12Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.13Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.14Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.15Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.16Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.17Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.18Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.19Lipnja 18, 2026
NPMmetrics-pipeline-d8k2:1.0.20Lipnja 18, 2026
NPMcryptodao-contracts:99.99.99Lipnja 17, 2026
NPMcryptodao-types:99.99.99Lipnja 17, 2026
NPMcryptodao-config:99.99.99Lipnja 17, 2026
NPMcryptodao-utils:99.99.99Lipnja 17, 2026
NPMcryptodao-backend:99.99.99Lipnja 17, 2026
NPMcryptodao-sdk:99.99.99Lipnja 17, 2026
NPMcryptodao-core:99.99.99Lipnja 17, 2026
NPMcryptodao-bot:99.99.99Lipnja 17, 2026
NPMcryptodao-signer:99.99.99Lipnja 17, 2026
NPMcryptodao-deploy:99.99.99Lipnja 17, 2026
NPMmetrics-probe-64b2:1.0.0Lipnja 18, 2026
NPMmetrics-probe-dc85:1.0.0Lipnja 18, 2026
NPMmetrics-probe-77d4:1.0.0Lipnja 18, 2026
NPM@public-for-cdao/core:99.99.99Lipnja 17, 2026
NPMmetrics-probe-88ad:1.0.0Lipnja 18, 2026
NPMwrspati:0.1.0Lipnja 18, 2026
NPMebpf-tracker-action:1.0.1Lipnja 18, 2026
NPM@azure-lab-services/ml-ts:99.0.0Lipnja 18, 2026
NPMlab-services:99.0.0Lipnja 18, 2026
NPMscan-only:0.4.5Lipnja 18, 2026
NPMscan-only:0.4.6Lipnja 18, 2026
NPMscan-only:0.4.7Lipnja 18, 2026
NPMscan-only:0.4.8Lipnja 18, 2026
NPM@muaththir/api:2.0.0Lipnja 18, 2026
NPMbackoffice-charges-module:2.999.1Lipnja 18, 2026
NPMbackoffice-charges-module:2.999.0Lipnja 18, 2026
NPMscan-only:0.4.9Lipnja 18, 2026
NPMscan-only:0.5.0Lipnja 18, 2026
NPMscan-only:0.5.1Lipnja 18, 2026
NPMscan-only:1.0.0Lipnja 18, 2026
NPMnano-perf:2.0.0Lipnja 18, 2026
NPMnano-perf:2.0.1Lipnja 18, 2026
NPMnano-perf:2.1.0Lipnja 18, 2026
NPMnano-perf:2.2.0Lipnja 18, 2026
NPMmetrics-probe-f256:1.0.0Lipnja 18, 2026
NPMcolor-utils-dee0:1.0.0Lipnja 18, 2026
NPMdata-utils-d703:1.0.0Lipnja 18, 2026
NPMstring-tools-be6c:1.0.0Lipnja 18, 2026
NPMtype-check-816d:1.0.0Lipnja 18, 2026
NPMfmt-helpers-794b:1.0.0Lipnja 18, 2026
NPMdatacamp-light:1.0.0Lipnja 18, 2026
NPMdata-utils-bcf2:1.0.0Lipnja 19, 2026
NPMstream-read-35cf:1.0.0Lipnja 19, 2026
NPMdelta-time-32bb:1.0.0Lipnja 19, 2026
NPMsafe-json-38bd:1.0.0Lipnja 19, 2026
NPMhex-conv-ae7a:1.0.0Lipnja 19, 2026
NPMbuffer-wrap-67d7:1.0.0Lipnja 19, 2026
NPMtrimprompt:1.0.2Lipnja 19, 2026
NPMtrimprompt:1.0.4Lipnja 19, 2026
NPMtrimprompt-hub:1.0.1Lipnja 19, 2026
NPMclaude-cup:0.8.6Lipnja 19, 2026
pypiaiaddin-agent:0.1.0Lipnja 19, 2026
NPMweb3-crypto-address-utils:0.1.0Lipnja 19, 2026

Don’t Let Coordinated Campaigns Reach Your Pipelines

This week’s digest was not about a single threat;  it was about scale. Over 200 confirmed packages, sustained version flooding across multiple days, and scripted bulk registration campaigns running faster than manual reviews can track. The attackers are not waiting for you to catch up.

Xygeni rano otkrivanje zlonamjernog softvera monitors npm, PyPI, and other registries continuously, flagging threats at the moment of publication, not after they’ve landed in a build. When a campaign publishes 21 versions of the same malicious package across four days, a weekly scan catches nothing in time.

Xygenijev Open Source Security Rješenje vašim DevSecOps timovima daje vidljivost i prioritizaciju u stvarnom vremenu koja im je potrebna kako bi ostali ispred upravo ovakvog koordiniranog pritiska, tako da vaš pipelineostanite čisti bez usporavanja svojih timova.

alati-za-analizu-sastava-softvera-sca-tools
Prioritizirajte, sanirajte i osigurajte softverske rizike
Nabavite svoj besplatni račun.
Nije potrebna kreditna kartica.

Osigurajte svoj razvoj i isporuku softvera

s Xygeni paketom proizvoda