Diġest ta' Kodiċi Malizzjuż 75

Diġest tal-Kodiċi Malizzjuż Xygeni 75

Kull ġimgħa, is-sistemi tagħna ta' skoperta ta' malware jiskennjaw eluf ta' pakketti ġodda u aġġornati f'reġistri pubbliċi bħal npm u PyPI. Din il-ġimgħa ma kinitx eċċezzjoni.

We confirmed over 200 malicious packages between June 12t and June 19th, 2026, predominantly across npm, with additional cases in PyPI. Several appeared in coordinated clusters, repeated malicious releases published under the same names or across closely related package families.

Il-każ li spikka din il-ġimgħa kien sensivity, li għarraq lil npm b'aktar minn 70 rilaxx verżjonit madwar il-medda 2.5.x, ikkonfermati fuq diversi jiem. Raggruppamenti notevoli oħra inkludew mewġa ta' @solana-labs typosquats targeting the Solana ecosystem (web3.js, web3-js, etherjs, spl-toke, ancor, web3js — across two separate publishing campaigns on Jun 7 and Jun 8), the @nstrlabs familja (sdk, ixel, utils, shared-components, api-client, auth — dependency confusion attack against an internal package namespace), the @klapp-login-platform grupp (native-sdk, oidc, routes — impersonating an authentication platform), internallib_v557 u, internallib_v984 (verżjonijiet multipli ta' imposturi tal-librerija interna mgħottija), pocteszep (6 verżjonijiet ippubblikati fil-11 ta' Ġunju), u grupp ta' utilitajiet tal-kripto u tal-Web3 inklużi blockchain-helper-0, ethereum-kit-1, ethereum-kit-9, crypto-utils-7, wallet-sdk-9, defi-tools-39, swap-sdk-87, u farming-tools-12. il morningstar-design-system package appeared in three versions on Jun 10, impersonating a well-known financial design system.

From Jun 13 onward, the pace accelerated. The houzidawang806 cluster alone accounted for over 25 versions published in a single day, joined by siblings houzidawang807 u, houzidawang808. il metrics-pipeline-d8k2 package was republished continuously across 21 versions between Jun 15 and Jun 18 — a sustained evasion campaign designed to stay ahead of blocklists. The friendly-greeter-demo package kept reappearing across versions throughout the week. New dependency confusion attempts surfaced under xy-shared, axl-ui, loadninja-shared, carousel-controller-mixin, token-prices-cron, hemi-supply-cron, portal-backend, vault-strategies, and several others — all carrying inflated version numbers in the 999.x range. A fresh cluster of generic utility names with random hex suffixes (color-utils-dee0, data-utils-d703, string-tools-be6c, type-check-816d, fmt-helpers-794b, metrics-probe-*) appeared on Jun 18–19, consistent with scripted bulk registration. The week closed with trimprompt, trimprompt-hub, claude-cup, u web3-crypto-address-utils confirmed on Jun 19. In PyPI, neuralbridge-sdk (five versions across 4.5.x–5.1.x), deepstrain, teambot-ai, hello-test-s1, u aiaddin-agent ġew ikkonfermati matul il-ġimgħa.

These were not isolated anomalies. What stood out this week was the concentration of dependency confusion attacks against internal package namespaces, the sustained multi-day publishing campaigns designed to outlast takedowns, the continued targeting of Web3 and DeFi tooling (a pattern that has accelerated significantly in 2026), and a growing use of generic, noise-like package names engineered to evade detection by blending into normal dependency trees.

Din l-istampa ta' kull ġimgħa hija parti mid-Digest tal-Kodiċi Malizzjuż li għaddej bħalissa, fejn nivvalidaw theddid ġdid u nipprovdu intelliġenza azzjonabbli biex ngħinu lit-timijiet tad-DevSecOps jipproteġu tagħhom. pipelineqabel ma sseħħ il-ħsara. Ejja nanalizzaw x'sibna din il-ġimgħa u għaliex huwa importanti.

Ekosistema Pakkett Ikkonfermat
npmecto-corsair-whisper-6f3b9:1.0.18Ġunju 12, 2026
npmecto-corsair-whisper-6f3b9:1.0.17Ġunju 12, 2026
npmecto-nightly-spirit:1.1.0Ġunju 12, 2026
npmecto-corsair-bandiera-x9m4:1.0.0Ġunju 12, 2026
npmecto-rust-read-f3a9c1:1.0.2Ġunju 12, 2026
npmecto-corsair-whisper-6f3b9:1.0.16Ġunju 12, 2026
npmecto-rust-read-f3a9c1:1.0.1Ġunju 12, 2026
npmecto-corsair-whisper-6f3b9:1.0.15Ġunju 12, 2026
npmecto-corsair-whisper-6f3b9:1.0.14Ġunju 12, 2026
npminternallib_v984:1.0.3Ġunju 15, 2026
npminternallib_v984:1.0.4Ġunju 15, 2026
npminternallib_v984:1.0.2Ġunju 15, 2026
npminternallib_v557:1.0.4Ġunju 15, 2026
npminternallib_v557:1.0.7Ġunju 15, 2026
npminternallib_v557:1.0.9Ġunju 15, 2026
npminternallib_v557:1.0.10Ġunju 15, 2026
npminternallib_v557:1.0.15Ġunju 15, 2026
npminternallib_v557:1.0.16Ġunju 15, 2026
npminternallib_v557:1.0.18Ġunju 15, 2026
npmqroll-wraith:1.0.0Ġunju 12, 2026
npminternallib_v557:1.0.21Ġunju 15, 2026
npminternallib_v557:1.0.22Ġunju 15, 2026
npmnpm-sandbox-research-d7e8:1.0.0Ġunju 18, 2026
npmnpm-sandbox-research-a1b2:1.0.0Ġunju 18, 2026
npmnpm-sandbox-research-c5d6:1.0.0Ġunju 18, 2026
npmnpm-sandbox-research-9c4e:1.0.0Ġunju 18, 2026
npmnpm-sandbox-research-8b2f:1.0.0Ġunju 18, 2026
npmnpm-sandbox-research-e9f0:1.0.0Ġunju 18, 2026
npmnpm-sandbox-research-f1g2:1.0.0Ġunju 18, 2026
npmtsc-mesh:1.0.0Ġunju 13, 2026
npmdemo ta' min jilqa' b'mod amikevoli:1.0.6Ġunju 13, 2026
npmdemo ta' min jilqa' b'mod amikevoli:1.0.4Ġunju 13, 2026
npmdemo ta' min jilqa' b'mod amikevoli:1.0.3Ġunju 13, 2026
npmdemo ta' min jilqa' b'mod amikevoli:1.0.2Ġunju 13, 2026
npmdemo ta' min jilqa' b'mod amikevoli:1.0.9Ġunju 13, 2026
npmtsc-ai:1.2.1Ġunju 13, 2026
npmtsc-lotl:1.0.2Ġunju 13, 2026
npmtsc-mesh:1.0.1Ġunju 13, 2026
npmtsc-ai:1.2.0Ġunju 13, 2026
pypineuralbridge-sdk:4.5.4Ġunju 13, 2026
npmnpm-sandbox-research-g3h4:1.0.0Ġunju 18, 2026
npmpostinstall-logger-7x9z:1.0.0Ġunju 18, 2026
npmhouzidawang806:1.0.0Ġunju 13, 2026
pypineuralbridge-sdk:5.0.0Ġunju 13, 2026
pypineuralbridge-sdk:4.5.5Ġunju 13, 2026
npmhouzidawang806:1.0.1Ġunju 13, 2026
npmhouzidawang806:1.0.2Ġunju 13, 2026
npmhouzidawang806:1.0.3Ġunju 13, 2026
npmhouzidawang806:1.0.4Ġunju 13, 2026
npmhouzidawang806:1.0.5Ġunju 13, 2026
npmhouzidawang806:1.0.6Ġunju 13, 2026
npmhouzidawang806:1.0.7Ġunju 13, 2026
npmhouzidawang806:1.0.9Ġunju 13, 2026
npmhouzidawang806:1.1.0Ġunju 13, 2026
npmhouzidawang806:1.1.1Ġunju 13, 2026
npmhouzidawang806:1.1.2Ġunju 13, 2026
npmhouzidawang806:1.1.3Ġunju 13, 2026
npmhouzidawang806:1.1.4Ġunju 13, 2026
npmhouzidawang806:1.1.5Ġunju 13, 2026
pypineuralbridge-sdk:5.1.0Ġunju 13, 2026
npmhouzidawang807:1.1.6Ġunju 13, 2026
npmhouzidawang806:1.1.6Ġunju 13, 2026
npmhouzidawang808:1.0.0Ġunju 13, 2026
npmhouzidawang806:1.1.7Ġunju 13, 2026
npmhouzidawang806:1.1.8Ġunju 13, 2026
npmhouzidawang806:1.2.0Ġunju 13, 2026
pypineuralbridge-sdk:5.1.1Ġunju 13, 2026
npmhouzidawang806:1.2.1Ġunju 13, 2026
npmhouzidawang806:1.2.3Ġunju 13, 2026
npmhouzidawang806:1.2.4Ġunju 13, 2026
npmhouzidawang806:1.2.5Ġunju 13, 2026
npmhouzidawang806:1.2.6Ġunju 13, 2026
pypineuralbridge-sdk:5.1.2Ġunju 13, 2026
pypideepstrain:1.1.0Ġunju 13, 2026
npm@jisan901/teamfocus:1.0.3Ġunju 13, 2026
npmxy-shared:999.0.0Ġunju 14, 2026
npmaxl-ui:9.9.99Ġunju 14, 2026
npmloadninja-shared:9.9.99Ġunju 14, 2026
npmnpx-whoami-demo:1.0.0Ġunju 14, 2026
npm@jisan901/teamfocus:1.0.4Ġunju 14, 2026
npmnano-perf:1.0.1Ġunju 14, 2026
npmtn-advertisement:5.0.1Ġunju 14, 2026
npmkijai:0.0.2Ġunju 15, 2026
npmprezzijiet tat-tokens-cron:999.0.0Ġunju 15, 2026
npmhemi-supply-cron:999.0.0Ġunju 15, 2026
npmportal-backend:999.0.0Ġunju 15, 2026
npmvault-strategies:999.0.0Ġunju 15, 2026
npmhemi-earn-actions:999.0.0Ġunju 15, 2026
npmvaults-monitor-cron:999.0.0Ġunju 15, 2026
npmve-hemi-rewards:999.0.0Ġunju 15, 2026
npmnic-datagov:1.0.0Ġunju 16, 2026
npmogd-analytics:1.0.0Ġunju 16, 2026
npmogd-platform:1.0.0Ġunju 16, 2026
npmdms-backend:1.0.0Ġunju 16, 2026
npmdemo ta' min jilqa' b'mod amikevoli:1.0.10Ġunju 16, 2026
npmdemo ta' min jilqa' b'mod amikevoli:1.0.11Ġunju 16, 2026
npmcardano-addresses-docs:1.0.1Ġunju 16, 2026
npmbodega-sdk:9.9.9Ġunju 16, 2026
npmflow-lending-sdk:9.9.9Ġunju 16, 2026
npmflow-lending:9.9.9Ġunju 16, 2026
npmsurf-lending:9.9.9Ġunju 16, 2026
npmjanus-ft:1.0.0Ġunju 16, 2026
npmjanus-flow:1.0.0Ġunju 16, 2026
npmjanus-erc20:1.0.0Ġunju 16, 2026
npmflowcardano:9.9.9Ġunju 16, 2026
npmflowdefi:9.9.9Ġunju 16, 2026
pypihello-test-s1:0.3.1Ġunju 16, 2026
npmpkg-telemetry-r4f9:1.0.0Ġunju 18, 2026
npmmailconfirmer:3.3.46Ġunju 16, 2026
npmcarousel-controller-mixin:999.0.0Ġunju 16, 2026
npmruntime-metrics-w7k2:1.0.0Ġunju 18, 2026
npmmailconfirmer:3.3.48Ġunju 16, 2026
npmbuild-tracker-n5p1:1.0.0Ġunju 16, 2026
npmnpm-sandbox-ping-r9t2:1.0.0Ġunju 18, 2026
npmmetriċi tal-avvenimenti-q3x7:1.0.2Ġunju 16, 2026
npmmetriċi tal-avvenimenti-q3x7:1.0.1Ġunju 16, 2026
npmmetriċi tal-avvenimenti-q3x7:1.0.0Ġunju 16, 2026
npmmetriċi tal-avvenimenti-q3x7:1.0.3Ġunju 16, 2026
npmmetriċi tal-avvenimenti-q3x7:1.0.4Ġunju 16, 2026
npmmetriċi tal-avvenimenti-q3x7:1.0.5Ġunju 16, 2026
npmmetriċi tal-avvenimenti-q3x7:1.0.6Ġunju 16, 2026
npmmetriċi tal-avvenimenti-q3x7:1.0.7Ġunju 16, 2026
npmmetriċi tal-avvenimenti-q3x7:1.0.8Ġunju 16, 2026
npmmetriċi-pipeline-d8k2:1.0.0Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.1Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.2Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.3Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.4Ġunju 18, 2026
pypiteambot-ai:1.48.0Ġunju 17, 2026
npmmetriċi-pipeline-d8k2:1.0.5Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.6Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.7Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.8Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.9Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.10Ġunju 18, 2026
npmdemo ta' min jilqa' b'mod amikevoli:1.0.13Ġunju 17, 2026
npmdemo ta' min jilqa' b'mod amikevoli:1.0.14Ġunju 17, 2026
npmmetriċi-pipeline-d8k2:1.0.11Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.12Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.13Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.14Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.15Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.16Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.17Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.18Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.19Ġunju 18, 2026
npmmetriċi-pipeline-d8k2:1.0.20Ġunju 18, 2026
npmkuntratti cryptodao:99.99.99Ġunju 17, 2026
npmcryptodao-types:99.99.99Ġunju 17, 2026
npmcryptodao-config:99.99.99Ġunju 17, 2026
npmcryptodao-utils:99.99.99Ġunju 17, 2026
npmcryptodao-backend:99.99.99Ġunju 17, 2026
npmcryptodao-sdk:99.99.99Ġunju 17, 2026
npmcryptodao-core:99.99.99Ġunju 17, 2026
npmcryptodao-bot:99.99.99Ġunju 17, 2026
npmcryptodao-signer:99.99.99Ġunju 17, 2026
npmcryptodao-deploy:99.99.99Ġunju 17, 2026
npmmetrics-probe-64b2:1.0.0Ġunju 18, 2026
npmmetrics-probe-dc85:1.0.0Ġunju 18, 2026
npmmetrics-probe-77d4:1.0.0Ġunju 18, 2026
npm@public-for-cdao/core:99.99.99Ġunju 17, 2026
npmmetrics-probe-88ad:1.0.0Ġunju 18, 2026
npmwrspati:0.1.0Ġunju 18, 2026
npmebpf-tracker-action:1.0.1Ġunju 18, 2026
npm@azure-lab-services/ml-ts:99.0.0Ġunju 18, 2026
npmlab-services:99.0.0Ġunju 18, 2026
npmskennjar biss:0.4.5Ġunju 18, 2026
npmskennjar biss:0.4.6Ġunju 18, 2026
npmskennjar biss:0.4.7Ġunju 18, 2026
npmskennjar biss:0.4.8Ġunju 18, 2026
npm@muaththir/api:2.0.0Ġunju 18, 2026
npmbackoffice-charges-module:2.999.1Ġunju 18, 2026
npmbackoffice-charges-module:2.999.0Ġunju 18, 2026
npmskennjar biss:0.4.9Ġunju 18, 2026
npmskennjar biss:0.5.0Ġunju 18, 2026
npmskennjar biss:0.5.1Ġunju 18, 2026
npmskennjar biss:1.0.0Ġunju 18, 2026
npmnano-perf:2.0.0Ġunju 18, 2026
npmnano-perf:2.0.1Ġunju 18, 2026
npmnano-perf:2.1.0Ġunju 18, 2026
npmnano-perf:2.2.0Ġunju 18, 2026
npmmetrics-probe-f256:1.0.0Ġunju 18, 2026
npmcolor-utils-dee0:1.0.0Ġunju 18, 2026
npmdata-utils-d703:1.0.0Ġunju 18, 2026
npmstring-tools-be6c:1.0.0Ġunju 18, 2026
npmtype-check-816d:1.0.0Ġunju 18, 2026
npmfmt-helpers-794b:1.0.0Ġunju 18, 2026
npmdatacamp-light:1.0.0Ġunju 18, 2026
npmdata-utils-bcf2:1.0.0Ġunju 19, 2026
npmstream-read-35cf:1.0.0Ġunju 19, 2026
npmdelta-time-32bb:1.0.0Ġunju 19, 2026
npmsafe-json-38bd:1.0.0Ġunju 19, 2026
npmhex-conv-ae7a:1.0.0Ġunju 19, 2026
npmbuffer-wrap-67d7:1.0.0Ġunju 19, 2026
npmtrimpprompt:1.0.2Ġunju 19, 2026
npmtrimpprompt:1.0.4Ġunju 19, 2026
npmtrimprompt-hub:1.0.1Ġunju 19, 2026
npmtazza claude: 0.8.6Ġunju 19, 2026
pypiaiaddin-aġent:0.1.0Ġunju 19, 2026
npmweb3-crypto-address-utils:0.1.0Ġunju 19, 2026

Don’t Let Coordinated Campaigns Reach Your Pipelines

This week’s digest was not about a single threat;  it was about scale. Over 200 confirmed packages, sustained version flooding across multiple days, and scripted bulk registration campaigns running faster than manual reviews can track. The attackers are not waiting for you to catch up.

Sejbien Bikri ta' Malware minn Xygeni monitors npm, PyPI, and other registries continuously, flagging threats at the moment of publication, not after they’ve landed in a build. When a campaign publishes 21 versions of the same malicious package across four days, a weekly scan catches nothing in time.

Xygeni's Open Source Security Is-soluzzjoni tagħti lit-timijiet DevSecOps tiegħek il-viżibilità u l-prijoritizzazzjoni f'ħin reali li jeħtieġu biex jibqgħu pass 'il quddiem eżatt minn dan it-tip ta' pressjoni kkoordinata, sabiex tiegħek pipelineTibqa' nadifa mingħajr ma tnaqqas ir-ritmu tat-timijiet tiegħek.

sca-tools-software-composition-analysis-tools
Prijoritizza, irranġa, u assigura r-riskji tas-softwer tiegħek
Ikseb il-Kont B'Xejn tiegħek.
Mhix meħtieġa karta ta 'kreditu.

Assigura l-Iżvilupp u l-Kunsinna tas-Softwer tiegħek

bis-Suite tal-Prodotti Xygeni