每週我們的惡意軟體偵測系統會掃描 npm 和 PyPI 等公共註冊表中數千個新增和更新的軟體套件。本周也不例外。
We confirmed over 90 malicious packages between June 26 and July 3, 2026, across npm and PyPI, with several campaigns continuing from previous weeks and new ones emerging.
这 nolimit-agent campaign continued publishing new versions (1.0.306, 1.0.315, 1.0.316), extending the Microsoft 365 device-code phishing framework we documented in detail in our DeviceDoor report。 “ anthropic-toolkit cluster was the dominant new campaign, with 20 versions confirmed on June 30 alone — directly targeting packages associated with Anthropic’s developer tooling. The cursed-modules family published over 15 versions between July 1 and July 2 across both standard and inflated version numbers (999.x), following the dependency confusion playbook. The date-fns-lite cluster (5 versions, July 2) continued the pattern of impersonating legitimate, widely-used utility packages.
The AI tooling targeting pattern established last week with ollama-helpers 以及 openai-agents-helpers extended into this period with ai-explain, ai-sdk-helpers以及 @langgraphjs/toolkit, all confirmed between June 28 and June 30. The @szc-ft/mcp-szcd-client package (versions 0.38.0 and 0.39.0, confirmed July 2) introduced a new pattern we are tracking as 技能洩漏: a credential decryptor hidden inside an MCP skill rather than an install hook, invisible to scanners that stop at postinstall. We published a full SkillLeak analysis here.
這份每週簡報是我們持續進行的工作的一部分。 惡意程式碼摘要我們在此驗證新威脅並提供可操作的情報,以協助 DevSecOps 團隊保護其安全。 pipeline在損失發生之前。讓我們來分析一下本週的發現及其重要性。
90+ Packages. One Week. The Pipeline Is the Target.
This week’s digest reflects a shift in attacker focus, not just volume, but precision. Sustained version flooding, AI tooling clusters, MCP-layer credential theft, and dependency confusion attacks against internal monorepo namespaces. The campaigns are automated and continuous. A weekly scan is not a defense.
Xygeni Early Malware Warning monitors npm, PyPI, and other registries in real time, flagging threats at the moment of publication, before they reach a build, before an AI agent installs them autonomously, and before a SkillLeak-style payload has a chance to execute. When anthropic-toolkit publishes 20 versions in a single day or cursed-modules floods npm with version 999.x across two days, detection that runs after the fact is already too late.
Xygeni 的 Open Source Security platform gives DevSecOps teams the real-time detection and prioritization needed to stay ahead of coordinated supply chain pressure, so your pipeline保持清潔,同時不拖慢團隊速度。




