Feed
HighPublished 30 Jun 202618 packages · 43 versions

GitHub Advisory malware sweep — 20+ npm packages (chai-as-*, brock-*, rebrandly-*, dep-confusion + typosquat batch) taken down 2026-06-30

Summary

On 2026-06-30 GitHub's Advisory Database dropped a coordinated batch of ~25 CWE-506 Embedded Malicious Code advisories against unrelated npm packages published between 2026-05-27 and 2026-06-30. The batch mixes at least four distinct sub-clusters: chai-as-persisted / chai-as-assured (Chai typosquats), brock-loader / brock-react-alerts (with a 9999.0.0 dep-confusion tag), the rebrandly-domains-* pair (both 9999.0.0), and a wider fan-out of standalone malicious names.

typosquatdependency-confusioncredential-theft
Detected by
GitHub Advisory Database · npm Security
Also known as
2026-06-30 GHSA npm sweep
Ecosystems
npm
Packages tracked
18

What happened

Between 2026-06-30 14:08 UTC and 16:17 UTC, GitHub's Advisory Database published a batch of roughly 25 malware advisories against npm packages that had been sitting on the registry for hours to months. All records use CWE-506 (Embedded Malicious Code) with the standard "any computer that installed or ran this package should be considered fully compromised — rotate all secrets from a different device" boilerplate. No payload write-up is included in the GHSA text for any of them, so defenders should treat the install-time behaviour as unanalysed and assume worst case.

Sub-cluster taxonomy

  • Chai typosquats. chai-as-persisted and chai-as-assured fuse chai-as-promised (the go-to plugin for asserting on promises, ~5M weekly downloads) with plausible-sounding suffixes. Both packages ship two high-semver releases (4.2.8 / 6.1.9 and 6.0.4 / 7.1.2 respectively), matching the "pretend to be a mature package" tactic used by the June 26 pino-zod@1.0.121 typosquat.
  • *`brock- pair.** brock-loader@1.9.9 and brock-react-alerts@1.99.99 / 9999.0.0 — the 9999.0.0 tag is the classic dependency-confusion resolution-winning SemVer used by the June 29 internal-scope batch (@deel-ui/animation, @citi-icg-171632/citicms-repo-component`).
  • *`rebrandly-domains- pair.** Both rebrandly-domains-search-client@9999.0.0 and rebrandly-domains-digger@9999.0.0` — dependency-confusion squats against what looks like a Rebrandly-owned internal SDK scope for their URL-shortener / branded-domain product.
  • Confluent Kafka client typosquat. confluent-kafka-javascript@0.0.1 — the legitimate name is scoped: @confluentinc/kafka-javascript. Attackers routinely publish the unscoped variant of a well-known scoped package.
  • *`postcss- typosquat.** postcss-property-rollup@0.0.1 — extends the pattern already documented in the 2026-06-26 pump/pino/rollup sweep (rollup-plugin-polyfill-connect`) and the 2026-06-22 JFrog PostCSS-RAT campaign.
  • terminal-prettier brand. 20+ published versions dating back to 2025-11 — this is a long-running typosquat "brand" (of prettier) rather than a same-day push. GHSA classifies the entire package as malware; any consumer that ever pinned any published version is in scope.
  • ts-linting-builder@2.1.2 + ts-lint-builders-v2.1@2.1.0. Paired typosquats against tslint / ts-lint-plugin-* — the v2.1 suffix in the name is an unusual pattern that suggests they were designed to match a specific pinned version string in a CI script or Dockerfile.
  • Standalone malicious names. rs-biginteger (6.1.3, 6.1.5), quoting (0.1.0), procwire (1.3.0, 2.0.0), endpointmap (2.1.0, 3.0.0), agent-starter-pack@0.0.1, setup-cicd@0.0.1, nbmolviz-js@0.0.1 — no obvious upstream target for these; likely low-volume standalone malware pushes that a security researcher flagged and reported together.

Overlap with existing DependencyWatch entries

  • livekit-agents (also in this GHSA batch) is already tracked in the 2026-06-27 livekit-agents.xyz incident; this entry does not repeat those versions.
  • chai-as-persisted is separately tracked in the 2026-06-27 chai-as-persisted-jsonspack incident for the 1.0.0 first-drop; the June 30 GHSA covers newly-visible 4.2.8 / 6.1.9 releases under the same package name.

Attribution

GitHub does not attribute the batch, and no single security vendor has published a research post as of 2026-07-01. The mix of dependency-confusion 9999.0.0 tags, typosquat semver drift, and long-lived "brand" packages suggests the batch is a triage of several unrelated reports processed on the same day, not one coordinated operator.

Affected packages (18)

  • npmagent-starter-pack
    0.0.1
  • npmbrock-loader
    1.9.9
  • npmbrock-react-alerts
    1.99.999999.0.0
  • npmchai-as-assured
    6.0.47.1.2
  • npmchai-as-persisted
    4.2.86.1.9
  • npmconfluent-kafka-javascript
    0.0.1
  • npmendpointmap
    2.1.03.0.0
  • npmnbmolviz-js
    0.0.1
  • npmpostcss-property-rollup
    0.0.1
  • npmprocwire
    1.3.02.0.0
  • npmquoting
    0.1.0
  • npmrebrandly-domains-digger
    9999.0.0
  • npmrebrandly-domains-search-client
    9999.0.0
  • npmrs-biginteger
    6.1.36.1.5
  • npmsetup-cicd
    0.0.1
  • npmterminal-prettier
    1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.1.01.1.11.1.21.1.31.1.41.1.51.1.61.1.71.1.81.1.9
  • npmts-lint-builders-v2.1
    2.1.0
  • npmts-linting-builder
    2.1.2

Impact

  • Any host that installed any of the listed packages should be treated as fully compromised — every GHSA record uses the standard "rotate all secrets from a different computer" language
  • brock-react-alerts@9999.0.0 and both rebrandly-domains-search-client@9999.0.0 / rebrandly-domains-digger@9999.0.0 follow the internal-scope dependency-confusion playbook (matches the 2026-06-29 Deel/Webda/Citi cluster) — CI pipelines that resolve unscoped brock-* or rebrandly-domains-* names against the public registry would have pulled the malicious tarball instead of a private mirror release
  • chai-as-persisted and chai-as-assured typosquat the widely-used chai-as-promised Chai plugin (~5M weekly downloads); dual name-fuse (persisted, assured — both plausible chai-adjacent slugs) suggests one operator hedging autocomplete drift
  • confluent-kafka-javascript@0.0.1 typosquats Confluent's official @confluentinc/kafka-javascript client (dropped scope prefix) — targets Kafka producer / consumer environments where the maintainer might paste an unscoped name into package.json
  • postcss-property-rollup@0.0.1 extends the ongoing postcss-* typosquat wave (see the 2026-06-22 JFrog PostCSS-RAT and 2026-06-26 pump/pino/rollup sweep)
  • terminal-prettier shipped 20+ versions over several months, indicating a matured typosquat brand of the prettier code formatter rather than a one-off push

What to do

  1. 1Remove every reference to any package listed in the packages map below from package.json, lockfiles, CI image layers, and committed node_modules
  2. 2If your build ever resolved 9999.0.0 of brock-react-alerts, rebrandly-domains-search-client, or rebrandly-domains-digger against the public registry: treat the build runner and any artefact it produced as compromised — rotate every credential reachable from that runner from a separate clean device
  3. 3Kafka pipelines: reinstall with the correct scoped name @confluentinc/kafka-javascript; the flat name confluent-kafka-javascript is the malware slot
  4. 4Postcss users: audit for postcss-property-rollup in lockfiles; the legitimate slug is either postcss (core) or a specific first-party plugin under the postcss-* scope
  5. 5Rebrandly users: internal builds should route the rebrandly-* scope to your private mirror only — the public-registry names are now unpublished but the campaign pattern continues
  6. 6Verify none of the listed packages resolves via your private mirror — many internal Artifactory / Nexus / Verdaccio instances cache npm tarballs and will continue to serve the malicious version after the public yank

References

npm-2026-06-30-ghsa-malware-sweep