GHSA-flagged malware brands — 16 autotel-*, 4 awaitly-*, and `ai-sdk-ollama` packages (Nov 2025–Jun 2026) marked embedded-malicious-code on 2026-06-29/30
GitHub's Advisory Database dropped CWE-506 (Embedded Malicious Code) records on 2026-06-29 and 2026-06-30 against 21 npm "brand" packages built up over months: the entire autotel-* observability family (16 packages, 400+ versions), the awaitly promise-utility family (4 packages, ~180 versions), and the ai-sdk-ollama Vercel AI-SDK typosquat (55 versions). Every published version of every listed package is now classified as malware.
- Detected by
- GitHub Advisory Database
- Also known as
- autotel malware brand · awaitly malware brand
- Ecosystems
- npm
- Packages tracked
- 21
What happened
On 2026-06-29 and 2026-06-30 GitHub's Advisory Database dropped 21 CWE-506 malware records against npm packages that had been sitting on the public registry as maintained "brand" packages for anywhere from 4 to 7 months. Every listed advisory covers every published version of the named package — the whole brand is flagged, not a single compromised release.
autotel-* — a fake OpenTelemetry auto-instrumentation family
The autotel brand launched on npm on 2025-11-26 with autotel-web, autotel-plugins, autotel-mcp, autotel-subscribers, and autotel-backends, and grew to 16 packages by June 2026: autotel-cli, autotel-hono, autotel-sentry, autotel-vitest, autotel-playwright, autotel-tanstack (Dec 2025 – Feb 2026), then autotel-mongoose, autotel-drizzle, autotel-mcp-instrumentation, autotel-eventcatalog, and autotel-pact (March–May 2026). Each package presents itself as OpenTelemetry auto-instrumentation for a specific runtime or framework — a plausible cover story that lines up with the real @opentelemetry/auto-instrumentations-* and @opentelemetry/instrumentation-* scoped packages.
Version cadence is uncharacteristic of a solo weekend project: autotel-subscribers reached v41.0.2 (97 releases), autotel-mcp reached v29.0.1 (74 releases), autotel-plugins reached v0.19.36 (67 releases). Fast SemVer churn on unrelated packages under one brand is a common pattern for building download-count credibility before a payload gets flipped.
awaitly-* — promise + database utility brand
The awaitly brand launched 2026-01-16 with awaitly@1.0.0, then expanded to awaitly-analyze (2026-01-22), awaitly-mongo (2026-01-27), and awaitly-libsql (2026-01-28). The main awaitly reached v1.34.0 across 42 releases; each database variant reached v22+ / v23+ majors across 44–52 releases. The absurdly high majors are the same dep-confusion-resolution tactic used by the 2026-06-29 internal-scope 99.9.1 batch (@deel-ui/animation, @webda-infra-ui/static-images), scaled down: any internal build looking up an unpinned awaitly-mongo name would resolve to the malware brand's v24.0.0 over a plausible v1.x / v2.x internal release.
ai-sdk-ollama — Vercel AI SDK Ollama provider typosquat
ai-sdk-ollama (55 versions since 2025-08-06) squats on the naming space of Vercel's ai SDK provider packages. The legitimate name is ollama-ai-provider; the malware flips the noun order to grab autocomplete drift. v4.0.0-beta.0 and multiple v3.x majors give the package a "mature" look for developers browsing releases.
GHSA attribution and payload
The advisories do not include a payload write-up or attribution. GitHub's standard boilerplate ("rotate all secrets from a different computer") is the only guidance. Given the length of the exposure window and the pattern-match to prior maintainer-takeover and long-tail-typosquat campaigns (nrwl.angular-console, @cap-js/*, @tanstack/*), defenders should assume the payload accessed credential material typical of an npm-lifecycle credential stealer (npm publish tokens, cloud IMDS, HashiCorp Vault, GitHub OIDC).
Disclosure timeline
- 2025-08-06 —
ai-sdk-ollamafirst published. - 2025-11-26 —
autotel-web,autotel-plugins,autotel-mcp,autotel-subscribers,autotel-backendsfirst published. - 2025-12-03 —
autotel-tanstackfirst published. - 2026-01-16 – 2026-01-28 —
awaitly,awaitly-analyze,awaitly-mongo,awaitly-libsqlfirst published. - 2026-02-11 – 2026-02-14 —
autotel-hono,autotel-sentry,autotel-vitest,autotel-playwrightfirst published. - 2026-03-24 —
autotel-mongoose,autotel-drizzlefirst published. - 2026-04-15 —
autotel-mcp-instrumentationfirst published. - 2026-05-24 – 2026-05-29 —
autotel-eventcatalog,autotel-pactfirst published. - 2026-06-29 — GitHub Advisories drops CWE-506 records for
autotel-cli,autotel-backends. - 2026-06-30 — Batch expansion covers the remaining
autotel-*packages, all fourawaitly*packages, andai-sdk-ollama.
Affected packages (21)
- npm
ai-sdk-ollama0.1.00.2.00.3.00.4.00.5.00.5.10.5.20.5.30.5.40.5.50.6.00.6.10.6.20.7.00.8.00.8.10.9.00.10.00.10.10.11.00.12.00.13.00.13.11.0.01.0.11.0.21.1.01.1.12.0.02.0.12.1.02.2.02.2.13.0.03.0.13.1.03.1.13.2.03.3.03.4.03.5.03.6.03.7.03.7.13.8.03.8.13.8.23.8.33.8.43.8.53.8.63.8.73.8.84.0.04.0.0-beta.0 - npm
autotel-backends2.0.12.1.02.2.02.2.12.2.22.2.32.2.42.2.52.2.62.3.02.3.12.4.02.4.12.5.02.5.12.6.02.7.02.7.12.7.22.8.02.8.12.8.22.8.32.8.42.9.02.9.12.10.02.11.02.11.12.11.22.11.32.11.42.12.02.12.12.12.22.12.32.12.42.12.52.12.62.12.72.12.82.12.92.12.102.12.132.12.142.12.152.12.162.12.172.12.182.12.192.12.202.12.212.12.222.12.232.12.242.12.252.12.262.12.272.12.282.12.292.12.302.12.312.12.322.12.332.12.342.12.352.12.36 - npm
autotel-cli0.1.00.4.00.4.10.4.20.5.00.6.00.7.00.7.10.8.00.8.10.8.20.8.30.8.40.8.60.8.70.8.80.8.90.8.100.8.110.8.120.8.130.8.140.8.150.9.00.9.10.10.00.11.0 - npm
autotel-drizzle0.0.10.0.20.0.30.0.40.0.50.0.60.0.70.0.80.0.90.0.100.0.110.0.140.0.150.0.160.0.170.0.180.0.190.0.200.0.210.0.220.0.230.0.240.0.250.0.260.0.270.0.280.0.290.0.300.0.310.0.320.0.330.0.340.0.350.0.360.0.37 - npm
autotel-eventcatalog1.0.01.0.12.0.02.0.13.0.03.0.14.0.04.0.14.0.25.0.05.0.15.0.26.0.07.0.08.0.09.0.010.0.011.0.0 - npm
autotel-hono0.1.00.1.10.1.20.2.00.3.00.3.10.3.20.3.30.3.40.4.00.4.10.4.20.4.30.4.40.4.50.4.60.4.70.4.80.4.90.4.100.4.130.4.140.4.150.4.160.4.170.4.180.4.190.4.200.4.210.4.220.4.230.4.240.4.250.4.260.4.270.4.280.4.290.4.300.4.310.4.320.4.330.4.340.4.350.4.36 - npm
autotel-mcp0.1.10.1.20.1.30.1.40.1.70.1.80.1.90.1.100.1.110.1.120.1.130.1.140.1.150.1.162.0.02.0.13.0.03.0.14.0.04.0.15.0.05.0.16.0.06.0.17.0.07.0.18.0.08.0.19.0.09.0.110.0.010.0.111.0.011.0.113.0.013.0.114.0.014.0.115.0.015.0.115.0.216.0.016.0.117.0.017.0.117.0.218.0.018.0.119.0.019.0.120.0.020.0.121.0.021.1.021.1.122.0.022.0.123.0.023.0.124.0.024.0.125.0.025.0.126.0.026.0.126.0.227.0.027.0.128.0.028.0.128.0.228.0.329.0.029.0.1 - npm
autotel-mcp-instrumentation29.0.029.0.129.0.230.0.030.0.330.0.430.0.531.0.031.0.132.0.032.0.133.0.033.0.133.0.234.0.034.0.134.0.235.0.036.0.037.0.038.0.039.0.040.0.0 - npm
autotel-mongoose0.0.10.0.20.0.31.0.01.0.11.0.22.0.02.0.32.0.42.0.53.0.03.0.14.0.04.0.15.0.05.0.15.0.26.0.06.0.16.0.27.0.08.0.08.1.09.0.010.0.010.1.010.1.111.0.012.0.0 - npm
autotel-pact0.2.00.2.10.2.21.0.01.0.11.0.21.0.31.0.42.0.03.0.04.0.05.0.06.0.07.0.07.0.17.0.2 - npm
autotel-playwright0.1.00.2.00.2.10.3.00.4.00.4.10.4.20.4.30.4.40.4.50.4.60.4.70.4.80.4.90.4.100.4.110.4.120.4.130.4.140.4.150.4.160.4.190.4.200.4.210.4.220.4.230.4.240.4.250.4.260.4.270.4.280.4.290.4.300.4.310.4.320.4.330.4.340.4.350.4.360.4.370.4.380.4.390.4.400.4.410.4.42 - npm
autotel-plugins0.4.00.5.00.6.00.6.10.6.20.6.30.6.40.6.50.6.60.7.00.7.10.8.00.8.10.9.00.9.10.10.00.11.00.11.10.11.20.12.00.12.10.13.00.14.00.14.10.15.00.15.10.16.00.17.00.18.00.18.10.18.20.18.30.19.00.19.10.19.20.19.30.19.40.19.50.19.60.19.70.19.80.19.90.19.100.19.130.19.140.19.150.19.160.19.170.19.180.19.190.19.200.19.210.19.220.19.230.19.240.19.250.19.260.19.270.19.280.19.290.19.300.19.310.19.320.19.330.19.340.19.350.19.36 - npm
autotel-sentry0.1.00.1.10.1.20.2.00.3.00.4.00.4.10.4.20.4.30.5.00.5.10.5.20.5.30.5.40.5.50.5.60.5.70.5.80.5.100.5.110.5.120.5.130.5.140.5.150.5.160.5.17 - npm
autotel-subscribers4.0.04.1.04.1.15.0.05.0.16.0.06.0.17.0.07.0.18.0.08.0.19.0.09.0.110.0.010.0.111.0.011.0.112.0.012.0.113.0.013.0.114.0.014.1.014.1.115.0.015.0.116.0.016.0.116.0.217.0.017.0.118.0.018.0.118.0.218.0.319.0.019.0.120.0.020.0.121.0.021.0.122.0.022.0.122.0.223.0.023.0.123.0.224.0.024.0.125.0.025.0.126.0.026.0.127.0.027.0.127.0.228.0.028.0.128.0.229.0.029.0.129.0.229.0.329.0.429.0.529.0.630.0.030.0.130.0.230.0.330.0.431.0.031.0.331.0.431.1.031.1.131.1.231.1.331.1.432.0.032.0.132.1.033.0.034.0.034.1.034.1.135.0.035.0.135.0.236.0.037.0.038.0.039.0.040.0.041.0.041.0.141.0.2 - npm
autotel-tanstack1.1.01.2.01.2.11.4.01.4.11.4.21.5.01.5.11.6.01.7.01.7.11.7.21.8.01.8.11.8.21.8.31.8.41.9.01.9.11.10.01.11.01.12.01.12.11.12.21.12.31.13.01.13.11.13.21.13.31.13.41.13.51.13.61.13.71.13.81.13.91.13.101.13.111.13.141.13.151.13.161.13.171.13.181.13.191.13.201.13.211.13.221.13.231.13.241.13.251.13.261.13.271.13.281.13.291.13.301.13.311.13.321.13.331.13.341.13.351.13.361.13.371.13.38 - npm
autotel-vitest0.1.00.2.00.3.00.3.10.3.20.3.30.3.40.3.50.4.00.4.10.4.20.4.30.4.40.4.50.4.60.4.70.4.80.4.90.4.100.4.130.4.140.4.150.4.160.4.170.4.180.4.190.4.200.4.210.4.220.4.230.4.240.4.250.4.260.4.270.4.280.4.290.4.300.4.310.4.320.4.330.4.340.4.350.4.36 - npm
autotel-web1.1.01.2.01.4.01.4.11.5.01.6.01.6.11.7.01.7.11.8.01.9.01.10.01.10.11.11.01.11.11.11.21.11.51.11.61.12.01.12.11.12.21.12.31.12.41.12.5 - npm
awaitly1.0.01.1.01.2.01.3.01.4.01.5.01.5.11.6.01.7.01.8.01.9.01.10.01.11.01.12.01.13.01.14.01.15.01.16.01.17.01.18.01.19.01.20.01.21.01.22.01.23.01.24.01.25.01.26.01.27.01.28.01.29.01.30.01.31.01.31.11.32.01.32.11.33.01.33.11.33.21.33.31.33.41.34.0 - npm
awaitly-analyze0.10.10.11.00.12.00.12.10.12.20.13.00.14.00.14.10.15.00.16.00.17.00.18.00.19.00.20.00.21.00.22.00.22.10.23.00.23.10.23.20.23.40.24.00.24.10.24.20.24.30.25.00.25.11.0.01.1.01.1.12.0.02.0.13.0.03.0.14.0.04.0.15.0.05.0.16.0.06.0.17.0.07.0.18.0.08.0.1 - npm
awaitly-libsql0.1.00.1.11.0.01.0.12.0.02.0.13.0.03.0.14.0.04.0.15.0.05.0.16.0.06.0.17.0.07.0.18.0.08.0.19.0.09.0.110.0.010.0.111.0.011.0.112.0.012.0.113.0.013.0.114.0.014.0.115.0.015.0.116.0.016.0.117.0.017.0.118.0.018.1.018.1.119.0.019.0.120.0.020.0.121.0.021.0.122.0.022.0.122.0.223.0.0 - npm
awaitly-mongo0.1.00.1.11.0.01.0.12.0.02.0.13.0.03.0.14.0.04.0.15.0.05.0.16.0.06.0.17.0.07.0.18.0.08.0.19.0.09.1.09.1.110.0.010.0.111.0.011.0.112.0.012.0.113.0.013.0.114.0.014.0.115.0.015.0.116.0.016.0.117.0.017.0.118.0.018.0.119.0.019.1.019.1.120.0.020.0.121.0.021.0.122.0.022.0.123.0.023.0.123.0.224.0.0
Impact
- The GHSA text on every advisory in this batch says "any computer that has this package installed or running should be considered fully compromised" — treat any host that ever installed one of these as breached and rotate credentials from a separate clean device
- Unlike a same-day typosquat push, these brands ran for 4–7 months (autotel-* since 2025-11-26, awaitly since 2026-01-16) collecting downloads before the advisory dropped — the exposure window is long and pre-yank installs may already have executed the payload
autotel-*masquerades as OpenTelemetry auto-instrumentation for popular stacks (TanStack, Vitest, Playwright, Sentry, Hono, Drizzle, Mongoose, MCP, Pact, EventCatalog); ops engineers wiring up traces are the natural victim profileawaitly-*masquerades as promise-timeout / async-flow utilities with database-flavour variants (-mongo,-libsql); the very highv22.0.0/v23.0.0majors were used to backstop dep-confusion resolution against any plausible internal SemVerai-sdk-ollamatyposquats the VercelaiSDK's official Ollama provider, targeting developers who Copilot-autocompleteimport { ollama } from "ai-sdk-ollama"instead of the real name
What to do
- 1Remove every
autotel-*,awaitly*, andai-sdk-ollamareference frompackage.json, lockfiles, CI image layers, and committednode_modules - 2For OpenTelemetry auto-instrumentation, use the official
@opentelemetry/auto-instrumentations-*scoped packages — never the flatautotel-*slugs - 3For async utilities, prefer built-in
Promise.withResolvers()/AbortSignal.timeout()(Node 20+) or well-known packages likep-timeout; theawaitly*naming space is entirely attacker-controlled - 4For Ollama with the Vercel AI SDK, use the official provider
ollama-ai-provider(or the framework's built-in provider) — the specific flat nameai-sdk-ollamais the malware slot - 5If you ever pinned any version of any listed package: treat the runtime and any artefact it produced as compromised, and audit your CI cache history and internal npm mirror for the specific tarball hashes
References
- GitHubGHSA-mhh3-45v6-6vmh — autotel-tanstack malware advisorygithub.com
- GitHubGHSA-7cv4-gfx4-2c3v — autotel-mcp-instrumentation malware advisorygithub.com
- GitHubGHSA-4vjc-qq25-pvc4 — autotel-mongoose malware advisorygithub.com
- GitHubGHSA-43fx-93g7-w27h — autotel-pact malware advisorygithub.com
- GitHubGHSA-fgj5-m9vh-ffjw — autotel-plugins malware advisorygithub.com
- GitHubGHSA-6pcg-qh3x-h5pg — autotel-playwright malware advisorygithub.com
- GitHubGHSA-rxgj-x3gg-2fg8 — autotel-sentry malware advisorygithub.com
- GitHubGHSA-37wr-f689-9c3c — autotel-subscribers malware advisorygithub.com
- GitHubGHSA-hhr2-ppwm-hgqr — autotel-drizzle malware advisorygithub.com
- GitHubGHSA-c2jx-wr8m-cv28 — autotel-hono malware advisorygithub.com
- GitHubGHSA-h58c-49hq-mq6c — autotel-eventcatalog malware advisorygithub.com
- GitHubGHSA-3wmg-66hp-xhv9 — autotel-mcp malware advisorygithub.com
- GitHubGHSA-3729-344x-9v28 — autotel-cli malware advisorygithub.com
- GitHubGHSA-9p9m-f2hg-9gxm — autotel-backends malware advisorygithub.com
- GitHubGHSA-c8c9-7f3h-7c76 — awaitly malware advisorygithub.com
- GitHubGHSA-4vpc-g7mx-4m5v — awaitly-mongo malware advisorygithub.com
- GitHubGHSA-hv34-4pjp-j28h — awaitly-analyze malware advisorygithub.com
- GitHubGHSA-j6m2-hp97-pv4j — awaitly-libsql malware advisorygithub.com
- GitHubGHSA-m9j7-x8ww-5jwr — ai-sdk-ollama malware advisorygithub.com