Qaybta 73aad ee Xeerka Xunxun

Xygeni Xygeni Xeeladda Xeerka Xasaasiyadda 73

Almost every week, our malware detection systems scan thousands of new and updated packages across public registries like npm and PyPI. This week was very active.

We confirmed 198 xirmooyin xaasidnimo ah, primarily across npm, with additional cases in PyPI, OpenVSX, Composer, and VS Code extensions. Several appeared in coordinated clusters, with repeated malicious releases published under the same names or across closely related package families. A standout case was the sensivity package, which flooded npm with over 60 versioned releases across the 2.5.x range. Other notable clusters included ai-sdk-helpers (8 versions targeting AI developers), @antoncallahan/aws-user-helper (7 versions impersonating an AWS utility), @apple-pay-trust iyo @google-pay-trust families (mimicking payment checkout modules), @frengki0707/google-cloud-clone (5 versions spoofing Google Cloud), and cms-storehub, cms-helpgit, Iyo cms-github (targeting CMS pipelines). Many packages mimicked payment and checkout modules, enterprise and internal web packages, analytics clients, UI foundations, developer utilities, component explorers, cloud- and Google-themed packages, and other modules commonly trusted in modern development workflows.

These were not isolated anomalies. What stood out this week was the scale of repeated publishing across the same package families, the reuse of naming patterns, and the way malicious packages were disguised to look like legitimate dependencies inside real software delivery pipelines.

This weekly snapshot is part of our ongoing Malicious Code Digest, where we validate new threats and provide actionable intelligence to help DevSecOps teams protect their pipelines before damage occurs.

Aan kala saarno waxa aan helnay toddobaadkan iyo sababta ay muhiim u tahay.

Confirmed Malicious Packages
deegaanka Xidhmada Taariikhda
shm@cloudplatform-single-spa/administration:99.99.100Waxaa laga yaabaa 30, 2026
shm@cloudplatform-single-spa/svp-s3-storage:99.99.100Waxaa laga yaabaa 30, 2026
shm@maximvs1538/os-npm:99.0.0Waxaa laga yaabaa 30, 2026
shm@easy-entry/landing-routes:99.9.5Waxaa laga yaabaa 30, 2026
shm@easy-entry/outside-registration-fop-navigator:99.9.5Waxaa laga yaabaa 30, 2026
shm@easy-entry/routes:99.9.5Waxaa laga yaabaa 30, 2026
shm@t-in-one/form_product_token:5.7.1Waxaa laga yaabaa 30, 2026
shm@capibar.chat/ui-kit:99.5.7Waxaa laga yaabaa 30, 2026
vscodexampp-manager:5.1.3Waxaa laga yaabaa 30, 2026
shm@chat-template/auth:1.0.0Waxaa laga yaabaa 31, 2026
shmjson-to-simple-graphql-schema:1.0.0Jun 1, 2026
shm@gs-select/savings-client-application:99.0.0Jun 1, 2026
shmnemo-reporter:1.8.2Jun 1, 2026
shmcms-github:4.2.4Jun 1, 2026
shmcms-helpgit:4.2.6Jun 1, 2026
shmcms-helpgit:4.2.8Jun 1, 2026
shmcms-storehub:1.3.4Jun 1, 2026
shmcms-storehub:1.3.5Jun 1, 2026
shmcms-storehub:1.3.6Jun 1, 2026
pypisimtooreal-cli:0.3.0Jun 1, 2026
shmretail-location-strategy-frontend:1.1.1Jun 1, 2026
shmretail-location-strategy-frontend:1.1.2Jun 1, 2026
shmconversa-sdk:2.0.2Jun 1, 2026
shmveltrix:9.0.0Jun 1, 2026
shmveltrix:9.0.1Jun 1, 2026
shmjingmeideshishi:1.0.4Jun 1, 2026
shmjingmeideshishi:1.0.5Jun 1, 2026
shm@tse-digital/core:99.0.0Jun 1, 2026
shm@telenor-se/core:99.0.0Jun 1, 2026
shm@ownit/core:99.0.0Jun 1, 2026
shmpatientdocuments:75.0.0Jun 1, 2026
shm@antoncallahan/aws-user-helper:6767.67.69Jun 1, 2026
shm@antoncallahan/aws-user-helper:6767.67.68Jun 1, 2026
shm@antoncallahan/aws-user-helper:6767.67.82Jun 1, 2026
shm@antoncallahan/aws-user-helper:6767.67.80Jun 1, 2026
shm@antoncallahan/aws-user-helper:6767.67.81Jun 1, 2026
shm@antoncallahan/aws-user-helper:6767.67.83Jun 1, 2026
shm@antoncallahan/aws-user-helper:6767.67.3Jun 1, 2026
shm@emcd-vue/auth:6.4.9Jun 1, 2026
shm@emcd-vue/b2b-pay-form:5.7.4Jun 1, 2026
shm@ccrm/user-storage-api-axios:5.0.1Jun 2, 2026
shmsensivity:2.5.8Jun 2, 2026
shmsensivity:2.5.12Jun 2, 2026
shmsensivity:2.5.16Jun 2, 2026
shmsensivity:2.5.17Jun 2, 2026
shmsensivity:2.5.18Jun 2, 2026
shmsensivity:2.5.19Jun 2, 2026
shmsensivity:2.5.20Jun 2, 2026
shmsensivity:2.5.21Jun 2, 2026
shmsensivity:2.5.22Jun 2, 2026
shmsensivity:2.5.23Jun 2, 2026
shmsensivity:2.5.24Jun 2, 2026
shmsensivity:2.5.25Jun 2, 2026
shmsensivity:2.5.26Jun 2, 2026
shmsensivity:2.5.27Jun 2, 2026
shmsensivity:2.5.28Jun 2, 2026
shmsensivity:2.5.29Jun 2, 2026
shmsensivity:2.5.30Jun 2, 2026
shmsensivity:2.5.31Jun 2, 2026
shmsensivity:2.5.32Jun 2, 2026
shmsensivity:2.5.41Jun 2, 2026
shmsensivity:2.5.42Jun 2, 2026
shmsensivity:2.5.43Jun 2, 2026
shmsensivity:2.5.44Jun 2, 2026
shmsensivity:2.5.45Jun 2, 2026
shmsensivity:2.5.46Jun 2, 2026
shmmeoo-ui-helpers:1.0.1Jun 2, 2026
shm@langgraphjs/toolkit:1.2.10Jun 2, 2026
shmeyevox:9.0.1Jun 2, 2026
shmsensivity:2.5.53Jun 3, 2026
shmsensivity:2.5.54Jun 3, 2026
shmsensivity:2.5.55Jun 3, 2026
shmsensivity:2.5.56Jun 3, 2026
shmsensivity:2.5.57Jun 3, 2026
shmsensivity:2.5.61Jun 3, 2026
shm@sentry-browser-sdk/profiling-node:1.0.1Jun 4, 2026
shm@sentry-browser-sdk/profiling-node:1.0.2Jun 4, 2026
shm@sentry-browser-sdk/profiling-node:1.0.5Jun 4, 2026
shmfundraiserserv:1.0.0Jun 4, 2026
shmsensivity:2.5.67Jun 4, 2026
shmsensivity:2.5.68Jun 4, 2026
shmvg-interaction-model:40.0.5Jun 4, 2026
shminternallib_v346:1.0.3Jun 4, 2026
shminternallib_v346:1.0.5Jun 4, 2026
shminternallib_v346:1.0.9Jun 4, 2026
shmai-sdk-helpers:0.2.1Jun 4, 2026
shmai-sdk-helpers:0.3.0Jun 4, 2026
shmai-sdk-helpers:0.3.1Jun 4, 2026
shmai-sdk-helpers:1.1.0Jun 4, 2026
shmai-sdk-helpers:1.1.1Jun 4, 2026
shmai-sdk-helpers:1.3.0Jun 4, 2026
shmai-sdk-helpers:1.4.0Jun 4, 2026
shmai-sdk-helpers:1.4.2Jun 4, 2026
shm@achuthvp/postinstall-poc:1.0.3Jun 4, 2026
shmsensivity:2.5.0Jun 5, 2026
shmsensivity:2.5.1Jun 5, 2026
shmsensivity:2.5.2Jun 5, 2026
shmsensivity:2.5.3Jun 5, 2026
shmsensivity:2.5.4Jun 5, 2026
shmsensivity:2.5.5Jun 5, 2026
shmsensivity:2.5.13Jun 5, 2026
shmsensivity:2.5.14Jun 5, 2026
shmsensivity:2.5.15Jun 5, 2026
shmsensivity:2.5.33Jun 5, 2026
shmsensivity:2.5.34Jun 5, 2026
shmsensivity:2.5.35Jun 5, 2026
shmsensivity:2.5.36Jun 5, 2026
shmsensivity:2.5.37Jun 5, 2026
shmsensivity:2.5.38Jun 5, 2026
shmsensivity:2.5.58Jun 5, 2026
shmsensivity:2.5.59Jun 5, 2026
shmsensivity:2.5.60Jun 5, 2026
shmsensivity:2.5.62Jun 5, 2026
shmsensivity:2.5.63Jun 5, 2026
shmsensivity:2.5.64Jun 5, 2026
shmsensivity:2.5.65Jun 5, 2026
shmsensivity:2.5.66Jun 5, 2026
shmsensivity:2.5.69Jun 5, 2026


Ku tiirsanaantaada Isha Furan ee ka dhanka ah Nuglaanta iyo Xeerka Xun

Don’t let malicious packages reach your pipelines. Ogaanshaha Hore ee Xygeni ee Malware-ka gives your team real-time visibility into the threats that matter most,  catching harmful dependencies before they ever touch your software.

As this week’s digest makes clear, the volume and sophistication of malicious package campaigns is not slowing down. Coordinated version flooding, payment module impersonation, and internal-sounding package names are just some of the tactics attackers are using to slip past standard defenses. Staying ahead of these threats requires more than periodic audits, it demands continuous monitoring across every registry your teams depend on.

Xygeni's Open Source Security solution scans and blocks harmful packages at the point of publication, across npm, PyPI, and beyond. By contextually prioritizing the vulnerabilities that pose the greatest real-world risk (and streamlining the remediation path for your DevSecOps teams) Xygeni helps you maintain secure, reliable software delivery without slowing development down.

qalabka-sca-tools-software-ka-samaynta-qalabka-falanqaynta
Mudnaanta sii, hagaaji, oo sug khataraha software-kaaga
Hel Akoonkaaga Bilaashka ah.
Looma baahna kaarka deynta.

Sug Horumarinta Software-kaaga iyo Bixintaada

oo leh Xygeni Product Suite