Embedded Malicious Code

What it is

The package itself contains malicious code (a supply-chain compromise or malicious publish).

How to fix it

Remove the package immediately, rotate any exposed secrets, and pin to a known-good version.

How to avoid it

Pin and verify dependencies, watch for typosquats, and review new maintainers/publishes.

Known Embedded Malicious Code vulnerabilities

• NPM-SHAI-HULUD-2-2025 — critical · npm/@asyncapi/*, @posthog/*, Zapier, ENS packages (Shai-Hulud 2.0) · exploited
• GHSA-6m4g-vm7c-f8w6 — critical · npm/@ctrl/tinycolor, ngx-bootstrap, ng2-file-upload (+500 more) · exploited
• NPM-QIX-CHALK-DEBUG-2025 — critical · npm/chalk, debug, ansi-styles, strip-ansi, color-convert (+13 more) · exploited
• GHSA-CXM3-WV7P-598C — critical · npm/nx, @nx/devkit, @nx/js, @nx/workspace, @nx/node, @nx/eslint · exploited
• NPM-GLUESTACK-REACT-NATIVE-ARIA-2025 — critical · npm/@react-native-aria/*, @gluestack-ui/* (16+ packages) · exploited
• CVE-2025-30154 — high · CI/CD/reviewdog/action-setup · exploited
• CVE-2025-30066 — high · CI/CD/tj-actions/changed-files · exploited
• NPM-RSPACK-VANT-2024 — high · npm/@rspack/core, @rspack/cli, vant · exploited
• SC-ULTRALYTICS-PYPI-2024 — high · PyPI/ultralytics · exploited
• NPM-SOLANA-WEB3JS-2024 — critical · npm/@solana/web3.js · exploited
• NPM-LOTTIE-PLAYER-2024 — critical · npm/@lottiefiles/lottie-player · exploited
• NPM-LAZARUS-CONTAGIOUS-INTERVIEW-2024 — high · npm/Lazarus 'Contagious Interview' malicious packages (campaign) · exploited
• SC-POLYFILL-IO-2024 — high · CDN/polyfill.io · exploited
• CVE-2024-3094 — critical · Linux/Open Source/xz-utils / liblzma · exploited
• CVE-2023-29059 — critical · Software vendor/3CXDesktopApp · exploited
• PYPI-TORCHTRITON-2022 — high · PyPI/torchtriton (PyTorch-nightly) · exploited
• SC-CTX-PHPASS-2022 — high · PyPI/ctx / phpass · exploited
• CVE-2022-23812 — high · npm/node-ipc, peacenotwar · exploited
• NPM-COLORS-FAKER-2022 — high · npm/colors, faker · exploited
• NPM-COA-RC-2021 — critical · npm/coa, rc · exploited
• NPM-UA-PARSER-JS-2021 — critical · npm/ua-parser-js · exploited
• SC-KASEYA-VSA-2021 — critical · Software vendor · MSP/Kaseya VSA
• SC-CODECOV-BASH-UPLOADER-2021 — high · CI/CD/Codecov Bash Uploader · exploited
• SC-PHP-GIT-2021 — critical · CI/CD · Git infrastructure/PHP (php-src) · exploited
• SC-SOLARWINDS-SUNBURST-2020 — critical · Software vendor/SolarWinds Orion · exploited
• CVE-2019-15107 — critical · CI/CD · Build server/Webmin · exploited
• SC-ASUS-SHADOWHAMMER-2019 — high · Software vendor/ASUS Live Update · exploited
• NPM-EVENT-STREAM-2018 — critical · npm/event-stream, flatmap-stream · exploited
• GHSA-hxxf-q3w9-4xgw — high · npm/eslint-scope, eslint-config-eslint · exploited
• SC-CCLEANER-2017 — high · Software vendor/CCleaner (Piriform / Avast)
• CVE-2017-16074 — high · npm/crossenv (+ ~37 typosquat packages) · exploited
• SC-MEDOC-NOTPETYA-2017 — critical · Software vendor/M.E.Doc (MEDoc) accounting software · exploited
• INFRA-NOTPETYA-2017 — critical · Windows · Wiper/NotPetya (global outbreak)
• SC-XCODEGHOST-2015 — high · Build system/Xcode (compromised compiler) · exploited
• OPSEC-SONY-PICTURES-2014 — critical · Entertainment/Sony Pictures Entertainment

Stateward flags Embedded Malicious Code in your own code and dependencies on every pull request.

Summarize with AI

ChatGPTClaudePerplexity