2026-02-03 — NPM malware wave continues (GitHub advisories)

Summary

GitHub published additional malware advisories for the NPM packages listed below. Each advisory lists affected versions as >= 0 (that is, every published version) and no patched version, unless GitHub's advisory text says otherwise.

Newly flagged packages observed in the GitHub security advisory Atom feed:

  • aligned-array — https://github.com/advisories/GHSA-j7qj-j3fg-5xc8
  • transform-react-display-name — https://github.com/advisories/GHSA-q5v2-pv3p-r942
  • transform-exponentiation-operator — https://github.com/advisories/GHSA-9wj6-743f-j243
  • typescript-react-apollo — https://github.com/advisories/GHSA-r75h-h4r8-v8mp
  • transform-es2015-modules-amd — https://github.com/advisories/GHSA-c3j3-4q92-2fmj
  • transform-async-generator-functions — https://github.com/advisories/GHSA-c676-937q-qchw
  • typed-document-node — https://github.com/advisories/GHSA-g72g-cjcm-9rqx
  • netlify-project-helper — https://github.com/advisories/GHSA-c7jj-qv39-h43c
  • dns-troubleshoot-toolkit-xyz123 — https://github.com/advisories/GHSA-fr66-mh5r-h32m
  • ansi-universal-ui — https://github.com/advisories/GHSA-j2cw-hc39-qrw9
  • vite-ui-components — https://github.com/advisories/GHSA-ghx7-rp3h-537v
  • hemi-btc-staking-actions — https://github.com/advisories/GHSA-96cq-3x5w-5fr2
  • atg-atgse — https://github.com/advisories/GHSA-xfh5-c4pm-5p96
  • researchpoc — https://github.com/advisories/GHSA-pvcf-c7x9-273f

Additional advisories later in the same wave:

  • braintree-web-latest — https://github.com/advisories/GHSA-97xw-rj6v-j7xc
  • cheerio-core — https://github.com/advisories/GHSA-cf89-f5f4-vjmf
  • baileys-ud — https://github.com/advisories/GHSA-x3qj-8mg5-454f
  • supun-baileys — https://github.com/advisories/GHSA-8pm4-268p-f52g
  • baileys-dtz — https://github.com/advisories/GHSA-cj3x-rfp6-hvpq
  • freedom-baileys — https://github.com/advisories/GHSA-fxh3-4mx2-wr7c

Further advisories added after the feed updated again:

  • @ikeacnalan/icons — https://github.com/advisories/GHSA-4prp-gwjj-hvcx
  • cookie-parsers-env — https://github.com/advisories/GHSA-6895-8x2m-4vgj
  • chai-promise-tools — https://github.com/advisories/GHSA-2737-5rcq-jwmj

Additional advisories after another feed refresh (same malware wave):

  • kwp-analytics — https://github.com/advisories/GHSA-5j5h-h973-m92m
  • l2-contracts — https://github.com/advisories/GHSA-vpf8-7r9r-xj4q
  • epic-admin-ui — https://github.com/advisories/GHSA-28p2-g59r-757w
  • strengthifys — https://github.com/advisories/GHSA-5wwj-79v9-g888
  • frontend-js-state-web — https://github.com/advisories/GHSA-xj8r-jcfw-rgh6
  • react-responsive-carousel-v4 — https://github.com/advisories/GHSA-qq97-6wv4-mc44
  • internallib_v782 — https://github.com/advisories/GHSA-64mm-mg79-hvm8
  • @uselagoon/ui-library — https://github.com/advisories/GHSA-32mg-49pf-3c7v
  • tarax — https://github.com/advisories/GHSA-977v-pjj7-wg54
  • graphrix — https://github.com/advisories/GHSA-257q-hjm7-v3pp
  • epic-asset-uploader — https://github.com/advisories/GHSA-ph6h-g4vx-mhcw
  • eslint-config-stitch — https://github.com/advisories/GHSA-7583-6vm2-9c8v
  • eslint-config-minecraft-scripting — https://github.com/advisories/GHSA-rh9x-2vc7-83hh
  • eslint-config-nlx — https://github.com/advisories/GHSA-454v-pj98-2gmp
  • fingerprint-stitch — https://github.com/advisories/GHSA-6h22-pfff-vf2m
  • tsconfig-stitch — https://github.com/advisories/GHSA-pfpv-rmhq-q3pm
  • solhint-plugin-hyperlane — https://github.com/advisories/GHSA-mp62-7w25-x8jm
  • tailwindcss-forms-kit — https://github.com/advisories/GHSA-pj8r-8q3r-5ph7
  • fileupload-util — https://github.com/advisories/GHSA-jmrr-h39h-r9g2

GitHub’s advisory text is consistent across these: treat any system with the package installed or executed as potentially fully compromised.

What to do (durable guidance)

If you find any of these packages installed (directly or transitively), treat it as an incident.

Immediate actions

  1. Contain
     • Stop affected workloads (CI runner, dev machine, container, server).
     • Preserve evidence before anything is rebuilt: process list, network connections, install logs, lockfiles, and the installed package contents under node_modules.

  2. Identify exposure
     • Search for the package names above, direct and transitive, in package.json, package-lock.json / yarn.lock / pnpm-lock.yaml, node_modules, and build images and caches.
     • Check whether install hooks (preinstall/install/postinstall) could have executed. If npm ran them on a host, treat that host as having executed attacker code.

  3. Rotate secrets from a clean machine
     • CI tokens, cloud credentials, SSH keys, registry tokens, app secrets.

  4. Rebuild clean
     • Prefer re-imaging; do not rely on "remove the package" as remediation.
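One way to carry out the "Identify exposure" step, as an added example that is not from GitHub's advisories or this post: a POSIX shell scanner that looks for exact package names in package.json and the three lockfile formats, and reports whether a package.json declares install hooks. The MALICIOUS list is a constructed subset of the names above (extend it with the full list), the sample tree is constructed, and the file names are assumptions. It also handles two false-positive traps a plain grep would hit: legitimate names that contain a flagged name with a prefix (assumed example: babel-plugin-transform-react-display-name) and scoped packages whose unscoped part equals a flagged name (assumed example: @graphql-codegen/typescript-react-apollo).

```shell
#!/bin/sh
# Added example, not from GitHub's advisories or this post. Scans a checkout for
# the package names flagged above in package.json and the three lockfile
# formats, then reports whether a package.json declares install hooks.
# MALICIOUS is a constructed subset; extend it with the full list.
MALICIOUS="aligned-array transform-react-display-name typescript-react-apollo \
cheerio-core dns-troubleshoot-toolkit-xyz123 @uselagoon/ui-library"

# find_flagged DIR: print "<package><TAB><file>" for every manifest or lockfile
# under DIR that references a flagged name; exit 1 when nothing is found.
# A name must sit at a token boundary (start of line, quote, space or '/')
# and be followed by a quote, '@', '/' or ':', so
# babel-plugin-transform-react-display-name does not match
# transform-react-display-name. Lines where the match is only the unscoped
# part of a scoped package (e.g. @graphql-codegen/typescript-react-apollo,
# assumed legitimate) are dropped with a second grep, as ERE has no lookbehind.
find_flagged() {
    q="'"
    hits=$(
        for pkg in $MALICIOUS; do
            esc=$(printf '%s' "$pkg" | sed 's/[.+]/\\&/g')   # escape ERE metacharacters
            pattern="(^|[\"$q/ ])$esc([\"$q@/:]|\$)"
            scoped="@[A-Za-z0-9_.-]+/$esc([\"$q@/:]|\$)"
            find "$1" -type f \( -name package.json -o -name package-lock.json \
                -o -name yarn.lock -o -name pnpm-lock.yaml \) 2>/dev/null |
            while IFS= read -r f; do
                # package.json files inside node_modules are scanned too, so an
                # installed copy is reported even if the lockfile was rewritten.
                if grep -E -- "$pattern" "$f" | grep -Evq -- "$scoped"; then
                    printf '%s\t%s\n' "$pkg" "$f"
                fi
            done
        done
    )
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# has_install_scripts FILE: true when a package.json declares a preinstall,
# install or postinstall hook. Heuristic: a dependency literally named
# "install" also matches, so confirm by eye before acting on it.
has_install_scripts() {
    grep -Eq '"(preinstall|install|postinstall)"[[:space:]]*:' "$1"
}

# Constructed sample tree (not real project files): one checkout with hits,
# one clean checkout. Version strings are placeholders.
make_sample_tree() {
    mkdir -p "$1/app" "$1/clean"
    cat > "$1/app/package.json" <<'EOF'
{ "dependencies": {
    "babel-plugin-transform-react-display-name": "^7.0.0",
    "@graphql-codegen/typescript-react-apollo": "^3.0.0",
    "cheerio-core": "^1.0.0" },
  "scripts": { "postinstall": "node setup.js" } }
EOF
    cat > "$1/app/package-lock.json" <<'EOF'
{ "packages": {
    "node_modules/cheerio-core": { "version": "1.0.0" },
    "node_modules/@uselagoon/ui-library": { "version": "0.1.0" } } }
EOF
    cat > "$1/app/yarn.lock" <<'EOF'
aligned-array@^1.2.0:
  version "1.2.0"

"@graphql-codegen/typescript-react-apollo@^3.0.0":
  version "3.0.0"
  resolved "https://registry.yarnpkg.com/@graphql-codegen/typescript-react-apollo/-/typescript-react-apollo-3.0.0.tgz"
EOF
    cat > "$1/app/pnpm-lock.yaml" <<'EOF'
packages:
  /dns-troubleshoot-toolkit-xyz123@1.0.0:
    dev: false
EOF
    cat > "$1/clean/package.json" <<'EOF'
{ "dependencies": { "babel-plugin-transform-react-display-name": "^7.0.0" } }
EOF
}

# Usage: sh scan-flagged.sh /path/to/checkout
# With no argument the constructed sample tree is scanned instead.
if [ -n "${1:-}" ]; then
    find_flagged "$1" || echo "no flagged packages under $1"
else
    demo=$(mktemp -d)
    make_sample_tree "$demo"
    find_flagged "$demo"
    has_install_scripts "$demo/app/package.json" && echo "install hooks declared: $demo/app/package.json"
    rm -rf "$demo"
fi
```

Run it against every checkout, CI workspace and extracted build image, not only the repository you happen to be looking at; a hit in a lockfile means the name was resolved at some point even if node_modules has since been cleaned. On the sample tree it reports five package/file pairs and nothing for the two legitimate look-alikes.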

Longer-term hardening

  • Commit lockfiles and review their diffs in code review; a new dependency or a changed resolved URL is where a typosquat shows up.
  • Prefer ephemeral CI runners; avoid shared caches for sensitive steps.
  • Consider ignore-scripts=true in .npmrc (or npm ci --ignore-scripts) where feasible. This blocks preinstall/install/postinstall hooks but not code that runs when the package is imported, so it narrows the window rather than closing it.
  • Generate SBOMs and scan/attest builds, so a newly flagged name can be matched against what actually shipped.