Qho ngeveki, iinkqubo zethu zokufumanisa ii-malware ziskena amawaka eepakethe ezintsha nezihlaziyiweyo kuzo zonke iirejista zikarhulumente ezifana ne-npm kunye ne-PyPI. Kule veki bekungekho nto ingaqhelekanga.
Siqinisekisile iipakeji ezinobuthi ezingaphezu kwama-200 phakathi kwe-12 kaJuni kunye ne-19 kaJuni 2026, ikakhulu kwi-npm, kunye nezinye iimeko kwi-PyPI. Ezininzi zivele kwiiqela ezidibeneyo, ukukhutshwa okuphindaphindiweyo kobuthi okupapashwe phantsi kwamagama afanayo okanye kwiintsapho zeepakeji ezinxulumeneyo.
Ityala elibalaseleyo kule veki beli sensivity, eyazalisa i-npm ngeenguqulelo ezingaphezu kwama-70 ezikhutshiweyo kuluhlu lwe-2.5.x, eziqinisekisiweyo kwiintsuku ezininzi. Amanye amaqela aphawulekayo aquka igagasi le @solana-labs ii-typosquats ezijolise kwinkqubo yendalo yeSolana (web3.js, web3-js, etherjs, spl-toke, ancor, web3js — kwiiphulo ezimbini ezahlukeneyo zokupapasha ngoJuni 7 nangoJuni 8), @nstrlabs usapho (sdk, ixel, utils, shared-components, api-client, auth — uhlaselo lokudideka kokuxhomekeka ngokuchasene nesithuba segama lephakheji yangaphakathi), i @klapp-login-platform iqela (native-sdk, oidc, routes — ukulingisa iqonga lokuqinisekisa), internallib_v557 kwaye internallib_v984 (iinguqulelo ezininzi zabakhohlisi bangaphakathi bethala leencwadi abangaqondakaliyo), pocteszep (Iinguqulelo ezi-6 ezipapashwe ngoJuni 11), kunye neqela leenkonzo ze-crypto kunye ne-Web3 kuquka blockchain-helper-0, ethereum-kit-1, ethereum-kit-9, crypto-utils-7, wallet-sdk-9, defi-tools-39, swap-sdk-87, yaye farming-tools-12. The morningstar-design-system iphakheji ivele kwiinguqulelo ezintathu ngoJuni 10, izenza ngathi yinkqubo yoyilo lwezemali eyaziwayo.
Ukususela nge-13 kaJuni ukuya phambili, isantya sanda ngokukhawuleza. houzidawang806 Iqela lodwa libange iinguqulelo ezingaphezu kwama-25 ezipapashwe ngosuku olunye, zadityaniswa nabazalwana noodade houzidawang807 kwaye houzidawang808. The metrics-pipeline-d8k2 Iphakheji iphinde yapapashwa rhoqo kwiinguqulelo ezingama-21 phakathi komhla we-15 kuJuni kunye nomhla we-18 kuJuni — iphulo lokubaleka eliqhubekekayo eliyilelwe ukuhlala liphambili kuluhlu lwabantu abathintelayo. friendly-greeter-demo Iphakheji iqhubekile nokuvela kwiinguqulelo ezahlukeneyo kulo lonke iveki. Imizamo emitsha yokudideka kokuxhomekeka ivele phantsi xy-shared, axl-ui, loadninja-shared, carousel-controller-mixin, token-prices-cron, hemi-supply-cron, portal-backend, vault-strategies, kunye nabanye abaninzi — bonke bephethe amanani enguqulelo anyuswe kakhulu kuluhlu lwe-999.x. Iqela elitsha lamagama e-utility aqhelekileyo anee-hex suffixes ezingacwangciswanga (color-utils-dee0, data-utils-d703, string-tools-be6c, type-check-816d, fmt-helpers-794b, metrics-probe-*) yavela ngoJuni 18–19, ihambelana nobhaliso olubhaliweyo. Iveki ivalwe ngo trimprompt, trimprompt-hub, claude-cup, yaye web3-crypto-address-utils iqinisekisiwe ngoJuni 19. KwiPyPI, neuralbridge-sdk (iinguqulelo ezintlanu kwi-4.5.x–5.1.x), deepstrain, teambot-ai, hello-test-s1, yaye aiaddin-agent ziqinisekisiwe kulo lonke iveki.
Ezi yayingezizo izinto ezingaqhelekanga ezingaqhelekanga. Okuye kwagqama kule veki yayikukuxinana kohlaselo lokudideka kokuxhomekeka kwiindawo zamagama eepakethe zangaphakathi, iiphulo zokupapasha eziqhubekekayo zeentsuku ezininzi ezenzelwe ukuhlala ixesha elide ukudlula ukususwa, ukujoliswa okuqhubekayo kwezixhobo zeWeb3 kunye neDeFi (ipateni eye yanda kakhulu ngo-2026), kunye nokusetyenziswa okukhulayo kwamagama eepakethe aqhelekileyo, afana nengxolo ayilelwe ukuphepha ukubonwa ngokuxubana nemithi eqhelekileyo yokuxhomekeka.
Le vidiyo yeveki iyinxalenye yeMalicious Code Digest yethu eqhubekayo, apho siqinisekisa khona izisongelo ezintsha kwaye sinike ulwazi olusebenzayo ukunceda amaqela eDevSecOps akhusele pipelinengaphambi kokuba kwenzeke umonakalo. Masihlalutye oko sikufumeneyo kule veki kunye nesizathu sokuba kubalulekile.
Musa Ukuvumela Iiphulo Ezidibeneyo Zifikelele Kwimiba Yakho Pipelines
Ingxelo yale veki ibingengomngcipheko omnye; ibingomlinganiselo omkhulu. Iipakeji ezingaphezulu kwama-200 eziqinisekisiweyo, iinguqulelo eziqhubekayo zigcwele iintsuku ezininzi, kunye neephulo zokubhalisa ngobuninzi ezibhalwe ngesandla ezihamba ngokukhawuleza kunokuba uphononongo olwenziwe ngesandla lunokulandelwa. Abahlaseli abalindeli ukuba ufikelele.
Ukufunyanwa kweMalware yeXygeni kwangethuba Ijonga i-npm, i-PyPI, kunye nezinye iirejistri rhoqo, iphawula izoyikiso ngexesha lokupapashwa, kungekhona emva kokuba zifike kwisakhiwo. Xa iphulo lipapasha iinguqulelo ezingama-21 zephakheji efanayo enobungozi kwiintsuku ezine, iskena seveki nganye asifumani nto ngexesha.
IXygeni's Open Source Security Isisombululo sinika amaqela akho eDevSecOps ukubonakala kwangexesha langempela kunye nokubekwa phambili kwezinto abazidingayo ukuze bahlale bephambili kolu hlobo loxinzelelo oludibeneyo, ngoko ke pipelineHlala ucocekile ngaphandle kokulibazisa amaqela akho.




