Malicious Packages
Malicious packages are intentionally crafted to appear legitimate while containing harmful code. Unlike traditional vulnerabilities—which are flaws in otherwise valid software—these packages are designed from the outset to compromise systems. These typically rely on ecosystem-level deception rather than technical exploits, and may include:
- Credential stealers
- Cryptominers
- Backdoors
- Data exfiltration tools
These attacks work by tricking developers into installing them. Common techniques include typosquatting (e.g., pandas-datafrmae), dependency confusion, namespace impersonation, and compromised or poisoned updates. Because they exploit trust in package ecosystems, they can be highly effective even without sophisticated exploitation.
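Added example (not Inedo's or ProGet's code) of a defender-side lookalike check for the typosquatting and namespace-impersonation patterns described above: it flags requested names that sit within a couple of edits of a trusted name, or that borrow a trusted name as a leading segment. The TRUSTED allowlist is constructed for the demo; the sample names come from this page.

```python
# Added example, not Inedo's or ProGet's code: flag requested package names that
# resemble a trusted name, the lookalike pattern typosquatting relies on.
# TRUSTED is a constructed allowlist; use your organisation's own list in practice.

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1 (a swapped pair is the classic typo)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # delete a[i-1]
                          d[i][j - 1] + 1,         # insert b[j-1]
                          d[i - 1][j - 1] + cost)  # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[len(a)][len(b)]

TRUSTED = {"thirdweb", "rainbowkit", "chai-as-promised", "pandas"}  # constructed

def classify(name: str, trusted=TRUSTED, max_dist: int = 2):
    """Return (verdict, trusted_name): 'trusted' for an exact match,
    'typosquat' when within max_dist edits of a trusted name,
    'prefix-squat' when a trusted name is used as a leading segment
    (e.g. pandas-datafrmae), otherwise 'unknown'."""
    if name in trusted:
        return ("trusted", name)
    closest = min(trusted, key=lambda t: osa_distance(name, t))
    if osa_distance(name, closest) <= max_dist:
        return ("typosquat", closest)
    for t in trusted:
        if name.startswith(t + "-") or name.startswith(t + "_"):
            return ("prefix-squat", t)
    return ("unknown", None)

def audit(requested):
    """Map each requested name to its verdict; anything not 'trusted' needs review."""
    return {n: classify(n) for n in requested}

if __name__ == "__main__":
    # Sample names taken from this page's list plus its pandas example.
    for name, verdict in audit(["thirdweb", "therdweb", "thidweb", "rainbokit",
                                "thirdwebjs", "pandas-datafrmae",
                                "chai-as-operated"]).items():
        print(f"{name:20} {verdict}")
```

Note that a name such as chai-as-operated is too far from chai-as-promised in edit distance to be caught here, so a production check would add a shared-leading-tokens heuristic alongside the edit-distance one.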
Traditional scoring systems like CVSS don’t apply here—there is no “severity” to calculate when the intent is already malicious. A malicious package represents immediate, direct risk: it does not depend on specific conditions and executes harmful behavior as designed. As such, these should always be treated as high-risk and prevented from entering your environment.
Our research team continuously monitors package ecosystems to identify these threats. In ProGet, malicious packages are automatically flagged, blocked from new use, and identified in existing dependencies where possible—supporting a containment-focused approach to prevent, detect, and respond quickly.
Inedo Security Labs Identified 239003 Malicious Packages