Skip to content

2026-02-02 — Multiple NPM packages flagged as malware (GitHub advisories)

Summary

GitHub published multiple malware advisories affecting the following NPM packages (all affected versions: >= 0, patched versions: none):

  • launchdarkly-cpp-networking — https://github.com/advisories/GHSA-6pxm-pv2w-jh33
  • roots-cms-client — https://github.com/advisories/GHSA-q57g-x3rh-xj4x
  • something-not-in-cache — https://github.com/advisories/GHSA-gh8x-v73c-qx67
  • jshint-groups — https://github.com/advisories/GHSA-f2cq-h2rx-cjw6
  • yazxzpedia — https://github.com/advisories/GHSA-765g-mfj4-v8fw
  • libsignal-yazxzpedia — https://github.com/advisories/GHSA-vxf9-w3qp-wrwm
  • @hemanshu_patil/xcode-windows-x64 — https://github.com/advisories/GHSA-p6w8-c7rw-69c8
  • @hemanshu_patil/xcode — https://github.com/advisories/GHSA-7jjv-6pgj-6rv7
  • dise-pkt — https://github.com/advisories/GHSA-jgcj-pm32-hmcj
  • react-native-expofp — https://github.com/advisories/GHSA-326q-pfrf-3f2v
  • picking-miniapp — https://github.com/advisories/GHSA-8fp4-7xff-mpwm
  • react-dnd-legacy-html5-backend — https://github.com/advisories/GHSA-3g83-5rw5-fhpw
  • pap-client — https://github.com/advisories/GHSA-jm4p-wwjp-rrhj

GitHub’s advisory text is consistent across these: treat any system with the package installed or executed as potentially fully compromised.

What to do (durable guidance)

If you find any of these packages installed (directly or transitively), treat it as an incident.

Immediate actions

  1. Contain
  2. Stop affected workloads (CI runner, dev machine, container, server).

  3. Preserve evidence (process list, network connections, install logs, lockfiles).

  4. Identify exposure

  5. Search across:
    • package.json
    • package-lock.json / yarn.lock / pnpm-lock.yaml
    • build images and caches

  6. Check whether install hooks could have executed (preinstall/install/postinstall).

  7. Rotate secrets from a clean machine

  8. CI tokens, cloud credentials, SSH keys, registry tokens, app secrets.

  9. Rebuild clean

  10. Prefer re-imaging (don’t rely on “remove the package” as remediation).

Longer-term hardening

  • Use lockfiles and keep them under review.
  • Prefer ephemeral CI runners; avoid shared caches for sensitive steps.
  • Consider npm --ignore-scripts where feasible.
  • Generate SBOMs and scan/attest builds.