Welcome to the latest edition of the Xygeni Malicious Code Digest (monthly). Our security team has once again dug into real package data to surface threats that traditional tools often miss. The goal? Stopping malicious packages before they reach your codebase or pipeline.
Over the past few weeks we have confirmed 225 malicious packages circulating on npm and PyPI. Many of them rely on techniques such as typosquatting, dependency confusion and data exfiltration, all aimed at evading automated checks and compromising your environment.
This monthly update is part of our ongoing malware report, in which we publish weekly findings that confirm new threats and help DevSecOps teams stay ahead. For the full context on every malicious package we have analyzed, be sure to explore the complete Malicious Code Digest here.
Week 4: more than 3 packages found
Key findings:
npm packages
- (npm) mysqldbstool:1.0.4
- (npm) dashboard-演示:1.0.0
- (npm) brfsddd:0.0.1
- (npm) @0xzyo111/前端记录器:0.0.2
- (npm) @0xzyo111/前端记录器:0.0.1
- (npm) textlocal-messenger:1.0.1
- (npm) 流游乐场:1.0.0
- (npm) 动作模式编译器:99.0.9
- (npm) esm 软件包:7.0.2
- (npm) ngi-core:1.0.0
- (npm) 解耦本地节点钻机:9.1.1
- (npm) 测试123:3.0.3
- (npm) eth-exec-txs:1.0.0
- (npm) 文件依赖项:7.0.1
- (npm) @vietnetco-distribution/internal-sdk:999.999.999
- (npm) 代码处理器:99.0.9
- (npm) 示例-lib:99.0.9
- (npm) 对话记忆:99.0.9
- (npm) 默认代理提供商:99.0.9
- (npm) 解耦本地节点钻机:99.0.9
- (npm) axe-core-scanner:99.0.9
- (npm) azure-ai-foundry:99.0.9
- (npm) hyperion-react-native-testapp:10.0.0
- (npm) donuts.node:99.0.9
- (npm) turborepo-示例:16.0.0
- (npm) hubot-currencies:10.0.0
- (npm) mpesa-ui-组件:1.5.2
- (npm) lunasec:1.0.0
- (npm) tw-core-ui:1.0.1
- (npm) jet-os-detection:1.9.4
- (npm) @ivy-shared-components/iconslibrary:99.99.99
- (npm) 公共工具和演示:1.0.0
- (npm) @huobi-lib/vulcan-js-sdk:10.11.0
- (npm) gx-ui-common:1.0.0
- (npm) gx-ui-common:1.2.63
- (npm) react-native-gainsight-px:1.12.5
- (npm) turborepo-测试助手:16.0.0
- (npm) mpesa-ui-组件:1.1.20
- (npm) bc-比较:4.1.1
- (npm) 终端建议:1.0.2
- (npm) gx-ui-common:1.2.67
- (npm) mpesa-backoffice-ekyc-frontend:3.17.99
- (npm) mysql-dumpdiscord:1.0.2
- (npm) gx-ui-common:1.2.66
- (npm) gx-ui-common:1.2.65
- (npm) berachain-元数据:1.0.1
- (npm) enrichable-markdown-render:20.0.0
- (npm) eslint-插件-rdv-插入:6.99.99
- (npm) eslint-插件-rdv-插入:7.99.99
- (npm) 库网站:6.0.2
- (npm) 安装帮助模块:1.0.5
- (npm) 安装帮助模块:2.1.2
- (npm) hb-otc:10.15.0
- (npm) newrelic 基础设施:8.9.1
- (npm) hb-otc:10.17.0
- (npm) gdex-sdk:1.0.9
- (npm) @huobi-lib/vulcan-js-sdk:10.10.0
- (npm) mysqldbstool:1.0.5
- (npm) mysqldbtool:1.0.3
- (npm) hrpqvq123111:1.0.0
- (npm) hrprce:1.0.0
- (npm) hrp9871:1.0.0
- (npm) json-rules-engine-examples:7.1.0
- (npm) calientepe主题:100.0.2
- (npm) internallib_v606:1.0.2
- (npm) stolbovsaseeminglyinnocentpackage2:0.30.1
- (npm) 安装帮助模块:2.1.7
- (npm) internallib_v249:1.0.1
- (npm) notmall:2.1.2
- (npm) @s21games/游戏引擎:1.15.2
- (npm) @s21games/游戏引擎:1.15.5
- (npm) @s21games/游戏引擎:1.15.6
- (npm) @s21games/游戏引擎:1.15.8
- (npm) @s21games/游戏引擎:1.15.7
- (npm) @s21games/游戏引擎:1.15.10
- (npm) moduletestsimple5:1.1.0
- (npm) moduletestsimpletest5:1.1.1
- (npm) @s21games/游戏引擎:1.15.9
- (npm) @s21games/游戏引擎:1.15.4
- (npm) @s21games/游戏引擎:1.15.11
- (npm) @s21games/游戏引擎:1.15.12
- (npm) @s21games/游戏引擎:1.15.13
- (npm) @s21games/游戏引擎:1.15.14
- (npm) internallib_v714:1.0.2
- (npm) internallib_v714:1.0.3
- (npm) @s21games/游戏引擎:1.15.16
- (npm) internallib_v354:1.0.1
- (npm) @s21games/游戏引擎:1.15.17
- (npm) @s21games/游戏引擎:1.15.15
- (npm) @s21games/游戏引擎:1.15.19
- (npm) @s21games/游戏引擎:1.15.20
- (npm) @s21games/游戏引擎:1.15.21
- (npm) @s21games/游戏引擎:1.15.22
- (npm) @s21games/游戏引擎:1.15.23
- (npm) @s21games/游戏引擎:1.15.25
- (npm) @cryptochords/shared:1.0.2
- (npm) @s21games/游戏引擎:1.15.26
- (npm) vusd-lib:1.0.0
- (npm) @newth/mem0-redis-hybrid:1.0.0
- (npm) @callcenter-frontend/ui-components:99.0.2025091-3.2
- (npm) @callcenter-frontend/ui:99.0.2025091-3.1
- (npm) @callcenter-frontend/shared-types:99.0.2025091-3.1
- (npm) @callcenter-frontend/ui:99.0.2025091-3.15
- (npm) @callcenter-frontend/ui-components:99.0.2025091-3.14
- (npm) @callcenter-frontend/shared-types:99.0.2025091-3.13
- (npm) @callcenter-frontend/helpers:99.0.2025091-3.11
- (npm) @callcenter-frontend/services:99.0.2025091-3.12
- (npm) @callcenter-frontend/api:99.0.2025091-3.10
- (npm) internallib_v715:1.0.1
- (npm) @cnx-ui/cnx-ui-core:10.0.10
- (npm) @cnx-ui/cnx-ui-core:20.0.11
- (npm) @cnx-ui/cnx-ui-core:20.0.12
- (npm) kreme-crypto:0.0.1
- (npm) epxresser:5.1.0
- (npm) epxresser:5.1.1
- (npm) 正则表达式验证器实用程序:1.0.0
- (npm) 正则表达式验证器实用程序:1.0.8
- (npm) lynx-dev:1.0.1
- (npm) lynx-explorer:1.0.1
- (npm) humhub:5.0.3
- (npm) eslint-插件-无论什么:9.0.1
- (npm) 保时捷官方:2.9.9
PyPI packages
- (pypi) sinontop-utils:0.3.5
- (pypi) python-dev-工具包:0.1.9
Week 4: more than 2 packages found
Key findings:
npm packages
- (npm) @ayuda/search-tree:1.1.6
- (npm) mv-hosp:1.0.0
- (npm) fb_helpers:0.0.3
- (npm) fb_systemd:0.0.3
- (npm) 纸张下拉菜单:99.9.1
- (npm) react-markdown-v7:1.3.9
- (npm) sfly-服务:4.0.5
- (npm) sfly-web-vitals:4.0.7
- (npm) pahtkit-wasm:1.0.0
- (npm) vui-vform:10.12.0
- (npm) vui-vform:10.13.0
- (npm) hrpqwq123:1.0.0
- (npm) hrpq1wq123:1.0.0
- (npm) hr1pq1wq123:2.0.0
- (npm) hr1pq1wq123:3.0.0
- (npm) hrpqvq:3.0.0
- (npm) hrpqvq:1.0.0
- (npm) hrpqvq123:1.0.0
- (npm) 天七盛七世:1.0.0
- (npm) pahtkit-wasm:1.0.1
- (npm) pahtkit-wasm:1.0.2
- (npm) 库网站:6.0.5
- (npm) 广告反应包装器:99.1.0
- (npm) newrelic 基础设施:8.9.12
- (npm) newrelic-infra-operator:8.9.12
- (npm) newrelic-logging:8.9.12
- (npm) newrelic-pixie:8.9.12
- (npm) nri-kube-事件:8.9.12
- (npm) newrelic-k8s-metrics-适配器:8.9.12
- (npm) sfly-服务:4.0.1
- (npm) sfly-web-vitals:4.0.5
- (npm) ifood-consumer-help-v2:4.15.1999
- (npm) ifood-faster-remote-config:2.0.0
- (npm) com.revenuecat.purchases-unity:13.3.0
- (npm) com.revenuecat.purchases-unity:13.5.0
- (npm) com.revenuecat.purchases-unity:13.6.0
- (npm) epxressoo:5.1.2
- (npm) mcp-聊天客户端:1.0.0
- (npm) ifood-faster-remote-config:3.0.0
- (npm) aledade-org:1.0.0
- (npm) codex-monorepo:8.1.1
- (npm) tdm-共享核心库:99.0.0
- (npm) tdm-共享核心库:99.0.2
- (npm) tdm-共享核心库:99.0.3
- (npm) aledade-org:1.1.0
- (npm) collabs-influencer-ui:1.0.2
- (npm) @gc-crm/gc-crm-lib:9999.0.1
PyPI packages
- (pypi) steamgameoptions:0.1.0
- (pypi) steamgameoptions:0.1.1
- (pypi) steamgameoptions:0.1.2
Week 1: more than 50 packages found
Key findings:
npm packages
- (npm) blackgoldpvt:1.0.0
- (npm) @huobi-lib/vulcan-js-sdk:10.11.0
- (npm) @stackgl/gl-conformance:9.999.999
- (npm) gen-studio:9.1.2
- (npm) 解析记录器:3.3.6
- (npm) pp-react-分段控制器:99.0.3
- (npm) azure-rest-api-specs-eng-tools:1.0.1
- (npm) pp-com-组件:1.0.0
- (npm) pp-react-grid:1.0.0
- (npm) azure-ipam-ui:1.0.0
- (npm) powerbi-visuals-powerkpi:9.0.1
- (npm) 测试123:3.0.3
- (npm) @vietnetco-distribution/internal-sdk:999.999.999
- (npm) 解耦本地节点钻机:9.1.1
- (npm) paper-dropdown-input:99.9.3
- (npm) test343tttt:99.9.1
- (npm) paper-dropdown-input:99.9.5
- (npm) @auro-formkit/config:5.0.0
- (npm) paper-dropdown-input:99.9.6
- (npm) mpesa-backoffice-ekyc-frontend:3.17.99
- (npm) @hpx-core-experiences/react-my-account-commons:11.0.1
- (npm) @hpx-core-experiences/react-my-account-commons:11.0.2
- (npm) gx-ui-common:1.2.66
- (npm) gx-ui-common:1.2.65
- (npm) azure-open-ai-加速器:1.0.0
- (npm) azure-iot-stresstests:1.0.0
- (npm) azure-functions-templates-build:1.0.0
- (npm) berachain-元数据:1.0.1
- (npm) pp-react-theme:1.0.0
- (npm) pp-react-icons:1.0.1
- (npm) pp-react-icons:1.0.0
- (npm) pp-react-country-input:1.0.0
- (npm) 设计系统组件角度工作区:1.1.13
- (npm) react-markdown-v7:1.3.9
- (npm) esm 软件包:7.0.2
- (npm) enrichable-markdown-render:20.0.0
- (npm) eslint-插件-rdv-插入:6.99.99
- (npm) eslint-插件-rdv-插入:7.99.99
- (npm) 库网站:6.0.2
- (npm) 代理模式:99.11.9
- (npm) 实时演示:99.11.9
- (npm) hb-otc:10.15.0
- (npm) ngi-core:1.0.0
- (npm) newrelic 基础设施:8.9.1
- (npm) hb-otc:10.17.0
- (npm) moodle-core-widget-focusafterclose:1.2.0
- (npm) moodle-core-tooltip:1.2.0
- (npm) yui2-动画:2.2.0
- (npm) nexus-ai-前端:7.7.8
- (npm) @huobi-lib/vulcan-js-sdk:10.10.0
- (npm) 文件依赖项:7.0.1
Protect your open-source dependencies from vulnerabilities and malicious code
Malware is no longer just a theoretical risk; it is already hiding in public packages. With Xygeni's early malware detection you can reduce your exposure by catching threats as soon as they are published, before they reach your pipeline.
Our real-time scanning and prioritization engine continuously monitors public registries such as npm and PyPI. Malicious packages are blocked, flagged and ranked by impact, so you know exactly what to fix and when. Whether it is typosquatting, dependency confusion or credential theft, we help your team stay ahead.
For a complete view of the weekly and monthly findings, see the full Malicious Code Digest.
Stay secure. Stay fast. Stay in control with Xygeni.