Masonto onke, izinhlelo zethu zokuthola i-malware ziskena izinkulungwane zamaphakheji amasha nabuyekeziwe kuzo zonke izindawo zokubhalisa zomphakathi ezifana ne-npm ne-PyPI. Kuleli sonto bekungenjalo.
Siqinisekisile amaphakheji angaphezu kuka-90 anonya phakathi kukaJuni 26 noJulayi 3, 2026, phakathi kuka-npm no-PyPI, kanye nemikhankaso eminingana eqhubekayo kusukela emasontweni adlule kanye nemisha esanda kuvela.
The nolimit-agent umkhankaso uqhubeke nokushicilela izinguqulo ezintsha (1.0.306, 1.0.315, 1.0.316), wandisa uhlaka lwe-phishing lwekhodi yedivayisi ye-Microsoft 365 esilubhale ngokuningiliziwe encwadini yethu Umbiko we-DeviceDoor. The anthropic-toolkit I-cluster yayiyimkhankaso omusha ovelele, enezinguqulo ezingu-20 eziqinisekisiwe ngoJuni 30 kuphela — eziqondiswe ngqo kumaphakheji ahlobene namathuluzi onjiniyela be-Anthropic. cursed-modules umndeni ushicilele izinguqulo ezingaphezu kuka-15 phakathi kukaJulayi 1 noJulayi 2 kuzo zombili standard kanye nezinombolo zenguqulo ezikhuphukile (999.x), kulandela incwadi yokudlala yokudideka kokuxhomekeka. date-fns-lite Iqembu (izinguqulo ezi-5, ngoJulayi 2) laqhubeka nephethini yokuzenza amaphakheji ezinsiza asemthethweni, asetshenziswa kabanzi.
Iphethini yokuqondisa amathuluzi e-AI eyasungulwa ngesonto eledlule nge ollama-helpers futhi openai-agents-helpers kwandiswe kulesi sikhathi nge ai-explain, ai-sdk-helpers, Futhi @langgraphjs/toolkit, konke kuqinisekiswe phakathi kukaJuni 28 noJuni 30. @szc-ft/mcp-szcd-client iphakheji (izinguqulo 0.38.0 kanye no-0.39.0, kuqinisekiswe ngoJulayi 2) yethule iphethini entsha esiyilandelayo njengoba I-SkillLeak: i-decryptor yokuqinisekisa efihliwe ngaphakathi kwekhono le-MCP kune-hook yokufaka, engabonakali kuma-scanner ahlala ngemuva kokufaka. Sishicilele i- ukuhlaziywa okugcwele kwe-SkillLeak lapha.
Lesi sithombe samasonto onke siyingxenye yesithombe sethu esiqhubekayo I-Malacious Code Digest, lapho siqinisekisa khona izinsongo ezintsha futhi sinikeze ubuhlakani obusebenzayo ukusiza amaqembu e-DevSecOps ukuvikela pipelinengaphambi kokuba kwenzeke umonakalo. Ake sichaze lokho esikutholile kuleli sonto nokuthi kungani kubalulekile.
Amaphakheji angaphezu kuka-90. Isonto Elilodwa. Pipeline Ingabe i-Target.
Umbiko waleli sonto ubonisa ushintsho ekugxileni komhlaseli, hhayi nje kuphela ivolumu, kodwa ngaphambicisi-ion. Ukukhukhula kwenguqulo eqhubekayo, amaqoqo amathuluzi e-AI, ukwebiwa kweziqinisekiso ze-MCP-layer, kanye nokuhlaselwa kokudideka kokuthembela ezikhaleni zamagama zangaphakathi ze-monorepo. Imikhankaso iyenzeka ngokuzenzakalela futhi iyaqhubeka. Ukuskena kwamasonto onke akusona isivikelo.
Isexwayiso Se-Malware Yasekuqaleni ye-Xygeni iqapha i-npm, i-PyPI, kanye nezinye izikhungo zokubhalisa ngesikhathi sangempela, iphawula izinsongo ngesikhathi sokushicilelwa, ngaphambi kokuba zifike esakhiweni, ngaphambi kokuba i-ejenti ye-AI izifake ngokuzimela, nangaphambi kokuba umthwalo wesitayela se-SkillLeak ube nethuba lokuqalisa. anthropic-toolkit ishicilela izinguqulo ezingu-20 ngosuku olulodwa noma cursed-modules i-floods npm enenguqulo engu-999.x ezinsukwini ezimbili, ukutholwa okulandela iqiniso sekuvele sekwephuze kakhulu.
I-Xygeni's Open Source Security ipulatifomu inikeza amaqembu e-DevSecOps ukutholwa kwesikhathi sangempela kanye nokubekwa phambili okudingekayo ukuze ahlale phambili kunengcindezi yochungechunge lokuhlinzekwa okuhlanganisiwe, ngakho-ke pipelineHlala uhlanzekile ngaphandle kokunciphisa ijubane lamaqembu akho.




