GitHub Advisory malware sweep — 20+ npm packages (chai-as-*, brock-*, rebrandly-*, dep-confusion + typosquat batch) taken down 2026-06-30
On 2026-06-30 GitHub's Advisory Database dropped a coordinated batch of ~25 CWE-506 Embedded Malicious Code advisories against unrelated npm packages published between 2026-05-27 and 2026-06-30. The batch mixes at least four distinct sub-clusters: chai-as-persisted / chai-as-assured (Chai typosquats), brock-loader / brock-react-alerts (with a 9999.0.0 dep-confusion tag), the rebrandly-domains-* pair (both 9999.0.0), and a wider fan-out of standalone malicious names.
- Detected by
- GitHub Advisory Database · npm Security
- Also known as
- 2026-06-30 GHSA npm sweep
- Ecosystems
- npm
- Packages tracked
- 18
What happened
Between 2026-06-30 14:08 UTC and 16:17 UTC, GitHub's Advisory Database published a batch of roughly 25 malware advisories against npm packages that had been sitting on the registry for hours to months. All records use CWE-506 (Embedded Malicious Code) with the standard "any computer that installed or ran this package should be considered fully compromised — rotate all secrets from a different device" boilerplate. No payload write-up is included in the GHSA text for any of them, so defenders should treat the install-time behaviour as unanalysed and assume worst case.
Sub-cluster taxonomy
- Chai typosquats.
chai-as-persistedandchai-as-assuredfusechai-as-promised(the go-to plugin for asserting on promises, ~5M weekly downloads) with plausible-sounding suffixes. Both packages ship two high-semver releases (4.2.8/6.1.9and6.0.4/7.1.2respectively), matching the "pretend to be a mature package" tactic used by the June 26pino-zod@1.0.121typosquat. - *`brock-
pair.**brock-loader@1.9.9andbrock-react-alerts@1.99.99/9999.0.0— the9999.0.0tag is the classic dependency-confusion resolution-winning SemVer used by the June 29 internal-scope batch (@deel-ui/animation,@citi-icg-171632/citicms-repo-component`). - *`rebrandly-domains-
pair.** Bothrebrandly-domains-search-client@9999.0.0andrebrandly-domains-digger@9999.0.0` — dependency-confusion squats against what looks like a Rebrandly-owned internal SDK scope for their URL-shortener / branded-domain product. - Confluent Kafka client typosquat.
confluent-kafka-javascript@0.0.1— the legitimate name is scoped:@confluentinc/kafka-javascript. Attackers routinely publish the unscoped variant of a well-known scoped package. - *`postcss-
typosquat.**postcss-property-rollup@0.0.1— extends the pattern already documented in the 2026-06-26 pump/pino/rollup sweep (rollup-plugin-polyfill-connect`) and the 2026-06-22 JFrog PostCSS-RAT campaign. terminal-prettierbrand. 20+ published versions dating back to 2025-11 — this is a long-running typosquat "brand" (ofprettier) rather than a same-day push. GHSA classifies the entire package as malware; any consumer that ever pinned any published version is in scope.ts-linting-builder@2.1.2+ts-lint-builders-v2.1@2.1.0. Paired typosquats againsttslint/ts-lint-plugin-*— thev2.1suffix in the name is an unusual pattern that suggests they were designed to match a specific pinned version string in a CI script or Dockerfile.- Standalone malicious names.
rs-biginteger(6.1.3, 6.1.5),quoting(0.1.0),procwire(1.3.0, 2.0.0),endpointmap(2.1.0, 3.0.0),agent-starter-pack@0.0.1,setup-cicd@0.0.1,nbmolviz-js@0.0.1— no obvious upstream target for these; likely low-volume standalone malware pushes that a security researcher flagged and reported together.
Overlap with existing DependencyWatch entries
livekit-agents(also in this GHSA batch) is already tracked in the 2026-06-27livekit-agents.xyzincident; this entry does not repeat those versions.chai-as-persistedis separately tracked in the 2026-06-27chai-as-persisted-jsonspackincident for the1.0.0first-drop; the June 30 GHSA covers newly-visible4.2.8/6.1.9releases under the same package name.
Attribution
GitHub does not attribute the batch, and no single security vendor has published a research post as of 2026-07-01. The mix of dependency-confusion 9999.0.0 tags, typosquat semver drift, and long-lived "brand" packages suggests the batch is a triage of several unrelated reports processed on the same day, not one coordinated operator.
Affected packages (18)
- npm
agent-starter-pack0.0.1 - npm
brock-loader1.9.9 - npm
brock-react-alerts1.99.999999.0.0 - npm
chai-as-assured6.0.47.1.2 - npm
chai-as-persisted4.2.86.1.9 - npm
confluent-kafka-javascript0.0.1 - npm
endpointmap2.1.03.0.0 - npm
nbmolviz-js0.0.1 - npm
postcss-property-rollup0.0.1 - npm
procwire1.3.02.0.0 - npm
quoting0.1.0 - npm
rebrandly-domains-digger9999.0.0 - npm
rebrandly-domains-search-client9999.0.0 - npm
rs-biginteger6.1.36.1.5 - npm
setup-cicd0.0.1 - npm
terminal-prettier1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.1.01.1.11.1.21.1.31.1.41.1.51.1.61.1.71.1.81.1.9 - npm
ts-lint-builders-v2.12.1.0 - npm
ts-linting-builder2.1.2
Impact
- Any host that installed any of the listed packages should be treated as fully compromised — every GHSA record uses the standard "rotate all secrets from a different computer" language
brock-react-alerts@9999.0.0and bothrebrandly-domains-search-client@9999.0.0/rebrandly-domains-digger@9999.0.0follow the internal-scope dependency-confusion playbook (matches the 2026-06-29 Deel/Webda/Citi cluster) — CI pipelines that resolve unscopedbrock-*orrebrandly-domains-*names against the public registry would have pulled the malicious tarball instead of a private mirror releasechai-as-persistedandchai-as-assuredtyposquat the widely-usedchai-as-promisedChai plugin (~5M weekly downloads); dual name-fuse (persisted,assured— both plausible chai-adjacent slugs) suggests one operator hedging autocomplete driftconfluent-kafka-javascript@0.0.1typosquats Confluent's official@confluentinc/kafka-javascriptclient (dropped scope prefix) — targets Kafka producer / consumer environments where the maintainer might paste an unscoped name intopackage.jsonpostcss-property-rollup@0.0.1extends the ongoingpostcss-*typosquat wave (see the 2026-06-22 JFrog PostCSS-RAT and 2026-06-26 pump/pino/rollup sweep)terminal-prettiershipped 20+ versions over several months, indicating a matured typosquat brand of theprettiercode formatter rather than a one-off push
What to do
- 1Remove every reference to any package listed in the packages map below from
package.json, lockfiles, CI image layers, and committednode_modules - 2If your build ever resolved
9999.0.0ofbrock-react-alerts,rebrandly-domains-search-client, orrebrandly-domains-diggeragainst the public registry: treat the build runner and any artefact it produced as compromised — rotate every credential reachable from that runner from a separate clean device - 3Kafka pipelines: reinstall with the correct scoped name
@confluentinc/kafka-javascript; the flat nameconfluent-kafka-javascriptis the malware slot - 4Postcss users: audit for
postcss-property-rollupin lockfiles; the legitimate slug is eitherpostcss(core) or a specific first-party plugin under thepostcss-*scope - 5Rebrandly users: internal builds should route the
rebrandly-*scope to your private mirror only — the public-registry names are now unpublished but the campaign pattern continues - 6Verify none of the listed packages resolves via your private mirror — many internal Artifactory / Nexus / Verdaccio instances cache npm tarballs and will continue to serve the malicious version after the public yank
References
- GitHubGitHub Advisory Database — recent npm malware advisoriesgithub.com
- GitHubGHSA-xm5w-w96q-42f3 — rs-biginteger malware advisorygithub.com
- GitHubGHSA-x8q6-66jr-wmp3 — quoting malware advisorygithub.com
- GitHubGHSA-4wm6-vmww-2544 — chai-as-persisted malware advisorygithub.com
- GitHubGHSA-m282-3m8c-qjwj — chai-as-assured malware advisorygithub.com
- GitHubGHSA-gh2m-x2qr-m2cm — brock-react-alerts malware advisorygithub.com
- GitHubGHSA-gwv3-x257-r43c — brock-loader malware advisorygithub.com
- GitHubGHSA-6q7q-73w8-xvcf — rebrandly-domains-search-client malware advisorygithub.com
- GitHubGHSA-44wx-4683-p2h3 — rebrandly-domains-digger malware advisorygithub.com
- GitHubGHSA-x676-qqgj-qfgg — agent-starter-pack malware advisorygithub.com
- GitHubGHSA-5rc3-r829-w347 — setup-cicd malware advisorygithub.com
- GitHubGHSA-fc4r-p4fh-6h4p — nbmolviz-js malware advisorygithub.com
- GitHubGHSA-6g2x-2f5c-wp9w — postcss-property-rollup malware advisorygithub.com
- GitHubGHSA-j28m-58xp-3wgh — confluent-kafka-javascript malware advisorygithub.com
- GitHubGHSA-8mpj-272v-jhv7 — ts-linting-builder malware advisorygithub.com
- GitHubGHSA-vjgf-xg3j-g9c5 — ts-lint-builders-v2.1 malware advisorygithub.com
- GitHubGHSA-m8cr-hv9p-pg3f — terminal-prettier malware advisorygithub.com
- GitHubGHSA-5r42-357x-f2mx — procwire malware advisorygithub.com
- GitHubGHSA-p3qr-5g48-8w89 — endpointmap malware advisorygithub.com