Masonto onke, izinhlelo zethu zokuthola i-malware ziskena izinkulungwane zamaphakheji amasha nabuyekeziwe kuzo zonke izindawo zokubhalisa zomphakathi ezifana ne-npm ne-PyPI. Kuleli sonto bekungenjalo.
Siqinisekisile amaphakheji anonya angaphezu kuka-200 phakathi kukaJuni 12 noJuni 19, 2026, ikakhulukazi phakathi nobusuku, kanye namacala engeziwe ku-PyPI. Amaningana avele kumaqoqo ahlanganisiwe, ukukhishwa okunonya okuphindaphindiwe okushicilelwe ngaphansi kwamagama afanayo noma emindenini yamaphakheji ahlobene eduze.
Icala elivelele kuleli sonto beliwukuthi sensivity, eyagcwalisa i-npm ngokukhishwa okungaphezu kuka-70 okuhunyushwe kuhlu lwe-2.5.x, okuqinisekisiwe ezinsukwini eziningi. Amanye amaqoqo aphawulekayo afaka igagasi le- @solana-labs ama-typosquat aqondiswe ohlelweni lwe-ecosystem lwe-Solana (web3.js, web3-js, etherjs, spl-toke, ancor, web3js — emikhankasweni emibili yokushicilela ehlukene ngoJuni 7 nangoJuni 8), @nstrlabs umndeni (sdk, ixel, utils, shared-components, api-client, auth — ukuhlaselwa kokudideka kokuthembela endaweni yegama lephakheji yangaphakathi), i @klapp-login-platform iqembu (native-sdk, oidc, routes — ukuzenza ipulatifomu yokuqinisekisa), internallib_v557 futhi internallib_v984 (izinguqulo eziningi zabakhohlisi bangaphakathi abafihliwe), pocteszep (Izinguqulo ezi-6 ezishicilelwe ngoJuni 11), kanye neqoqo lezinsiza ze-crypto kanye ne-Web3 okuhlanganisa blockchain-helper-0, ethereum-kit-1, ethereum-kit-9, crypto-utils-7, wallet-sdk-9, defi-tools-39, swap-sdk-87, Futhi farming-tools-12. The morningstar-design-system iphakheji ivele ngezinguqulo ezintathu ngoJuni 10, izenza uhlelo lokuklama lwezezimali oludumile.
Kusukela ngoJuni 13 kuqhubeke, ijubane lashesha. houzidawang806 Iqembu lodwa lakhiqiza izinguqulo ezingaphezu kuka-25 ezishicilelwe ngosuku olulodwa, zahlanganiswa yizingane zakubo houzidawang807 futhi houzidawang808. The metrics-pipeline-d8k2 Iphakheji ishicilelwe kabusha njalo ezinguqulweni ezingu-21 phakathi kukaJuni 15 noJuni 18 — umkhankaso wokubalekela oqhubekayo owenzelwe ukuhlala uphambili kunohlu oluvinjelwe. friendly-greeter-demo Iphakheji ilokhu ivela kuzo zonke izinguqulo phakathi nesonto. Imizamo emisha yokudideka kokuthembela ivele ngaphansi kwe- xy-shared, axl-ui, loadninja-shared, carousel-controller-mixin, token-prices-cron, hemi-supply-cron, portal-backend, vault-strategies, kanye nabanye abaningana — bonke baphethe izinombolo zenguqulo ezikhuphukile kububanzi be-999.x. Iqoqo elisha lamagama asetshenziswayo ajwayelekile anezijobelelo ze-hex ezingahleliwe (color-utils-dee0, data-utils-d703, string-tools-be6c, type-check-816d, fmt-helpers-794b, metrics-probe-*) yavela ngoJuni 18-19, ihambisana nokubhaliswa kwenqwaba okubhalwe phansi. Isonto livaliwe ngo trimprompt, trimprompt-hub, claude-cup, Futhi web3-crypto-address-utils kuqinisekiswe ngoJuni 19. Ku-PyPI, neuralbridge-sdk (izinguqulo ezinhlanu ku-4.5.x–5.1.x), deepstrain, teambot-ai, hello-test-s1, Futhi aiaddin-agent kwaqinisekiswa kulo lonke isonto.
Lokhu kwakungezona izinto ezingavamile ezihlukile. Okuvelele kuleli sonto kwakuwukuqongelela kokuhlaselwa kokudideka kokuthembela ezindaweni zamagama zamaphakheji angaphakathi, imikhankaso yokushicilela yezinsuku eziningi eqhubekayo eyenzelwe ukuhlala isikhathi eside kunezo ezisusiwe, ukuqondiswa okuqhubekayo kwe-Web3 kanye ne-DeFi tooling (iphethini esheshile kakhulu ngo-2026), kanye nokusetshenziswa okwandayo kwamagama amaphakheji ajwayelekile, afana nomsindo aklanyelwe ukugwema ukutholakala ngokuxubana nezihlahla ezivamile zokuthembela.
Lesi sithombe samasonto onke siyingxenye ye-Malicious Code Digest yethu eqhubekayo, lapho siqinisekisa khona izinsongo ezintsha futhi sinikeze ubuhlakani obusebenzayo ukusiza amaqembu e-DevSecOps ukuvikela pipelinengaphambi kokuba kwenzeke umonakalo. Ake sichaze lokho esikutholile kuleli sonto nokuthi kungani kubalulekile.
Ungavumeli Imikhankaso Ehlelekile Ifinyelele Eyakho Pipelines
Ingxoxo yaleli sonto yayingeyona ingozi eyodwa; yayimayelana nobukhulu. Amaphakheji angaphezu kuka-200 aqinisekisiwe, inguqulo eqhubekayo yagcwala izinsuku eziningi, kanye nemikhankaso yokubhalisa ngobuningi ebhalwe phansi ehamba ngokushesha kunalokho ukubuyekezwa ngesandla okungakulandela. Abahlaseli abalindeli ukuthi ubambe.
Ukutholwa Kwe-Malware Yasekuqaleni kwe-Xygeni Iqapha i-npm, i-PyPI, kanye nezinye izikhungo zokubhalisa ngokuqhubekayo, iphawula izinsongo ngesikhathi sokushicilelwa, hhayi ngemuva kokuthi sezifikile esakhiweni. Lapho umkhankaso ushicilela izinguqulo ezingu-21 zephakheji efanayo enonya ezinsukwini ezine, ukuskena kwamasonto onke akutholi lutho ngesikhathi.
I-Xygeni's Open Source Security Isixazululo sinikeza amaqembu akho e-DevSecOps ukubonakala kwesikhathi sangempela kanye nokubeka phambili abakudingayo ukuze bahlale phambili kulolu hlobo lokucindezela okuhlanganisiwe, ngakho-ke pipelineHlala uhlanzekile ngaphandle kokunciphisa ijubane lamaqembu akho.




