тавтай морилно уу June edition of the Xygeni Malicious Code Digest. This month, our security research team confirmed more than 645 хортой багц across npm, PyPI, and (for the first time) the VSCode extension marketplace.
June was defined by three converging trends: sustained version-flooding campaigns designed to outlast blocklists, a sharp acceleration in attacks targeting AI tooling and agentic development workflows, and coordinated dependency confusion attacks against internal monorepo namespaces.
Among the most notable campaigns documented this month:
- мэдрэг чанар flooded npm with over 70 versions across the 2.5.x range, a sustained evasion campaign republishing continuously to stay ahead of takedowns.
- A two-wave Solana typosquat campaign (June 7–8) published 15 packages impersonating
@solana-labsecosystem tooling, targeting Web3 and DeFi developers directly. - houzidawang806 accounted for over 25 versions in a single day (June 13), joined by хэмжүүрүүд-pipeline-d8k2 republished across 21 versions between June 15–18.
- The CryptoDAO Confusion campaign (June 17) published 11 packages at version 99.99.99, each carrying an identical postinstall payload sweeping CI/CD tokens, cloud credentials, and crypto wallet secrets.
- The week of June 20–26 brought the most concentrated AI tooling targeting of the month: оллама-туслагчид (20 versions), openai-agents-helpers (23 versions), monoclaude, ai-sdk-туслагчБолон @langgraphjs/toolkit, all confirmed in a single week, directly targeting Ollama, OpenAI agents SDK, LangGraph, and Claude API integrations.
- Two confirmed malicious VSCode extensions appeared this month, signaling that attackers are expanding beyond package registries into the developer environment itself.
The defining pattern of June: attacks are moving into IDE extensions, AI agent tooling, and agentic workflows where a malicious package installed autonomously has no human reviewer between infection and execution.
This monthly update is part of Xygeni’s ongoing malware and supply chain threat research initiative. For full context across every malicious package confirmed this month, explore the complete June Malicious Code Digest and related research from the Xygeni Security Team.
4 дэх долоо хоног: 201 гаруй багц илэрсэн
| Экосистем | Багц | огноо |
|---|---|---|
| June 20, 2026 | ||
| npm | панроутер: 5.0.2 + 30 versions across 5.x–6.x range through Jun 22 — dominant campaign of the week | Jun 20, 2026 |
| npm | trimprompt:1.0.5 + 4 versions — continuation from previous week, still active | Jun 20, 2026 |
| npm | моноклауд:1.0.1 + 2 versions — Claude API tooling impersonation | Jun 20, 2026 |
| vscode | жижиг хэлэлцүүлэгт зориулсан тойрог замын агентын хос програмчлал: 1.206.0 + 1 version — malicious VSCode extension targeting agentic development | Jun 20, 2026 |
| npm | хялбаршуулсан-гейтсби:1.0.1 Smart home platform namespace impersonation | Jun 20, 2026 |
| June 21, 2026 | ||
| npm | atlasora-shared:1.0.0 + 6 packages — coordinated monorepo dependency confusion: atlasora-api, -client, -sdk, -types, -utils, -config | Jun 21, 2026 |
| npm | apintergrationpost:4.0.2 + 6 versions — deliberate misspelling campaign targeting integration tooling | Jun 21, 2026 |
| npm | llm-ул мөрүүд-апп:1.0.1 LLM observability tooling targeted | Jun 21, 2026 |
| pypi | d0rk3r-телеметр:1.0.0 Obfuscated telemetry package in PyPI | Jun 21, 2026 |
| June 22, 2026 | ||
| pypi | tm-ai:2.91.75 + 7 versions — sustained PyPI version flooding campaign | Jun 22, 2026 |
| pypi | хүсэлт-кэш-py:1.0.4 + 6 versions — PyPI version flooding | Jun 22, 2026 |
| pypi | корвинос:0.17.0 + 6 versions — PyPI bulk registration campaign | Jun 22, 2026 |
| June 23, 2026 | ||
| npm | web3-токен-туслагч:1.1.1 + 2 versions — Web3 token utility targeting | Jun 23, 2026 |
| npm | монокросс: 1.0.1 + 1 version — mono-* naming cluster alongside monoclaude and monotacos | Jun 23, 2026 |
| June 24, 2026 | ||
| npm | оллама-туслагчид:0.1.0 + 19 versions — largest AI tooling campaign of the month, targeting Ollama local AI runtime | Jun 24, 2026 |
| npm | openai-agents-helpers:0.1.1 + 22 versions — coordinated campaign targeting OpenAI agents SDK ecosystem | Jun 24, 2026 |
| June 25, 2026 | ||
| npm | ai-sdk-туслагч:1.4.3 AI SDK tooling targeted alongside @langgraphjs/toolkit:1.2.11 | Jun 25, 2026 |
| npm | бүртгүүлэх-оруулагч:99.99.99-poc3 + hs-locale-management — HubSpot internal namespace dependency confusion, poc suffix confirms active research campaign | Jun 25, 2026 |
| June 26, 2026 | ||
| npm | хялбар мөрний хэрэгсэл: 1.0.1 + 8 versions including variant easy-string-kit232 — bulk registration under generic utility name | Jun 26, 2026 |
| npm | аюултай-хортой-багц: 1.0.0 + 5 versions — package explicitly named as malicious, confirmed payload, likely test or provocation campaign | Jun 26, 2026 |
| npm | @vpms/дизайн систем:1.1.2 + 2 versions — design system namespace impersonation | Jun 26, 2026 |
3 дэх долоо хоног: 200 гаруй багц илэрсэн
| Экосистем | Багц | огноо |
|---|---|---|
| June 13, 2026 | ||
| npm | houzidawang806:1.0.0 + 25 versions across 1.0.x–1.2.x including siblings houzidawang807 and houzidawang808 — dominant campaign of the week | Jun 13, 2026 |
| npm | нөхөрсөг мэндчилгээний демо: 1.0.2 + 4 versions — persistent campaign reappearing across multiple days | Jun 13, 2026 |
| npm | tsc-ai:1.2.0 tsc-* cluster: tsc-ai, tsc-mesh, tsc-lotl — CI tooling namespace impersonation | Jun 13, 2026 |
| pypi | neuralbridge-sdk:4.5.4 + 6 versions across 4.5.x–5.1.x — sustained multi-day PyPI campaign | Jun 13, 2026 |
| June 15, 2026 | ||
| npm | токен-үнэ-cron:999.0.0 + 6 packages — DeFi infrastructure dependency confusion cluster targeting internal cron and vault tooling | Jun 15, 2026 |
| June 16, 2026 | ||
| npm | bodega-sdk:9.9.9 + 8 packages — DeFi lending and Cardano ecosystem cluster: flow-lending, surf-lending, janus-*, flowcardano, flowdefi | Jun 16, 2026 |
| npm | үйл явдлын хэмжүүр-q3x7:1.0.0 + 8 versions — generic hex-suffix package registering bulk monitoring-themed names | Jun 16, 2026 |
| npm | nic-datagov:1.0.0 + 3 packages — government data platform namespace impersonation: ogd-analytics, ogd-platform, dms-backend | Jun 16, 2026 |
| June 17, 2026 | ||
| npm | криптодао-гэрээ: 99.99.99 + 10 packages — CryptoDAO dependency confusion: core, sdk, bot, config, utils, deploy, signer, backend, types | Jun 17, 2026 |
| pypi | teambot-ai:1.48.0 AI agent tooling targeted in PyPI | Jun 17, 2026 |
| June 18, 2026 | ||
| npm | хэмжүүрүүд-pipeline-d8k2:1.0.0 + 20 versions across Jun 18 — sustained single-day evasion campaign, republishing continuously to outlast blocklists | Jun 18, 2026 |
| npm | зөвхөн скан хийх боломжтой: 0.4.5 + 6 versions — version flooding campaign | Jun 18, 2026 |
| npm | өнгөний хэрэглээний загвар0:1.0.0 + 5 generic hex-suffix packages: data-utils, string-tools, type-check, fmt-helpers, metrics-probe — scripted bulk registration | Jun 18, 2026 |
| npm | @azure-лабораторийн үйлчилгээ/мл-ц:99.0.0 Azure ML namespace impersonation | Jun 18, 2026 |
| June 19, 2026 | ||
| npm | trimprompt:1.0.2 + trimprompt-hub — prompt engineering tooling targeted | Jun 19, 2026 |
| npm | Клод-кап:0.8.6 Claude API tooling impersonation | Jun 19, 2026 |
| pypi | aiaddin-agent:0.1.0 AI agent tooling targeted in PyPI | Jun 19, 2026 |
| npm | web3-крипто-хаяг-хэрэгсэл:0.1.0 Web3 utility targeting | Jun 19, 2026 |
2 дэх долоо хоног: 135 гаруй багц илэрсэн
| Экосистем | Багц | огноо |
|---|---|---|
| June 7, 2026 | ||
| npm | @solana-labs/web3.js:1.0.0 + 5 variants — Solana ecosystem typosquat campaign, first wave | Jun 7, 2026 |
| npm | @jisan901/teamfocus:1.0.0 + 2 versions | Jun 7, 2026 |
| npm | @sflyinc-knapsack/shutterfly-react:999.0.0 Dependency confusion, inflated version | Jun 7, 2026 |
| June 8, 2026 | ||
| npm | @solana-labs/web3.js:1.98.102 + 9 variants — Solana ecosystem typosquat campaign, second wave | Jun 8, 2026 |
| pypi | helixagentai:0.1.3 AI agent tooling targeted in PyPI | Jun 8, 2026 |
| June 9, 2026 | ||
| npm | @nstrlabs/sdk:99.0.0 + 7 packages — dependency confusion against internal monorepo namespace | Jun 9, 2026 |
| npm | @klapp-login-платформ/төрөлх-sdk:99.0.0 + 9 packages — authentication platform impersonation across multiple klapp namespaces | Jun 9, 2026 |
| npm | блокчэйн-туслагч-0:1.0.0 + 7 packages — crypto/DeFi utility cluster targeting Web3 developers | Jun 9, 2026 |
| npm | @card-pci-data/store:99.0.0 Payment card data namespace targeted | Jun 9, 2026 |
| June 10, 2026 | ||
| npm | morningstar-design-system:99.0.0 + 2 versions — financial design system impersonation | Jun 10, 2026 |
| June 11, 2026 | ||
| npm | pocteszep:1.0.1 + 5 versions published same day | Jun 11, 2026 |
| npm | @coze-common/chat-area:99.1.1 AI chat platform namespace impersonation | Jun 11, 2026 |
| pypi | телеграмлайт:1.0.0 + 1 version — messaging platform impersonation in PyPI | Jun 11, 2026 |
| June 12, 2026 | ||
| npm | ecto-corsair-whisper-6f3b9:1.0.18 + 7 ecto-* variants — obfuscated name cluster | Jun 12, 2026 |
| npm | internallib_v984:1.0.3 + internallib_v557 cluster — 13 versions of internal library impostors | Jun 12, 2026 |
| npm | voyager-web:999.0.0 Dependency confusion, inflated version | Jun 12, 2026 |
| pypi | cdjeez:0.32.0 | Jun 12, 2026 |
1 дэх долоо хоног: 118 гаруй багц илэрсэн
| Экосистем | Багц | огноо |
|---|---|---|
| 30 болтугай 2026 | ||
| npm | @cloudplatform-single-spa/administration:99.99.100 Dependency confusion, inflated version | 30 болтугай 2026 |
| vscode | xampp-менежер: 5.1.3 VSCode extension — developer tool impersonation | 30 болтугай 2026 |
| June 1, 2026 | ||
| npm | @tse-digital/core:99.0.0 Dependency confusion — @telenor-se and @ownit also hit | Jun 1, 2026 |
| npm | cms-storehub:1.3.4 + 2 versions, CMS namespace cluster | Jun 1, 2026 |
| npm | @antoncallahan/aws-user-helper:6767.67.69 + 6 versions, inflated version numbers targeting AWS credentials | Jun 1, 2026 |
| npm | өвчтөний баримт бичиг: 75.0.0 Healthcare namespace target | Jun 1, 2026 |
| npm | @emcd-vue/auth:6.4.9 Crypto exchange namespace impersonation | Jun 1, 2026 |
| pypi | simtooreal-cli:0.3.0 | Jun 1, 2026 |
| June 2, 2026 | ||
| npm | мэдрэг чанар: 2.5.8 + 70 versions across 2.5.x range, Jun 2–5 — dominant campaign of the period | Jun 2, 2026 |
| npm | @langgraphjs/toolkit:1.2.10 LangGraph tooling targeted | Jun 2, 2026 |
| June 4, 2026 | ||
| npm | @sentry-browser-sdk/profiling-node:1.0.1 + 2 versions, Sentry namespace impersonation | Jun 4, 2026 |
| npm | internallib_v346:1.0.3 + 2 versions, internal library impostor | Jun 4, 2026 |
| npm | ai-sdk-туслагч:0.2.1 + 7 versions, targeting AI SDK tooling | Jun 4, 2026 |
Stop Malicious Code Before It Reaches Your Pipeline
Software supply chain threats have moved well past theoretical. Dependency confusion attacks, credential stealers, AI-targeted malware, and poisoned developer tooling are hitting real teams in real SDLCs every week.
Xygeni's хортой програм илрүүлэх болон supply chain security platform gives organizations the visibility to catch malicious dependencies before they execute on a developer machine, enter a build system, or reach production. Coverage spans npm, PyPI, VSCode, and beyond, monitoring for suspicious publishing patterns, namespace abuse, typosquatting, and AI-native attack techniques as they emerge.
Every finding is automatically prioritized by exploitability, reachability, and business impact, so your team focuses on what actually needs fixing, not noise.
Whether it’s a malicious open-source package, a compromised developer tool, or an AI-generated code risk, Xygeni keeps security and engineering teams one step ahead of the supply chain threat landscape.
Explore every malicious package and campaign validated by the Xygeni Security Team in the Хортой кодын дайжест.
Аюулгүй байгаарай. Хурдан байгаарай. Xygeni-тэй хамт хяналтаа хадгалаарай.




