Feed
HighPublished 7 Jul 2026Updated 8 Jul 202662 packages · 212 versions

GitHub Advisory malware sweep — ~65 npm packages (AI-SDK typosquat cluster, Solana base58/wallet drainers, SQLite scoped fakes, Nuxt/Chai continuation) taken down 2026-07-07 / 2026-07-08

Summary

On 2026-07-07 GitHub's Advisory Database retired ~65 CWE-506 Embedded Malicious Code npm advisories (plus a small 2-package 2026-07-08 tail), the second-largest single-day 2026 GHSA npm-malware sweep after 2026-07-06. Distinct clusters: an AI-SDK typosquat family (openai-agents-helpers, ollama-helpers, anthropic-toolkit, @langgraphjs/toolkit, ai-sdk-helpers, mcp-server-pg), Solana base58 wallet-drainer names, @sqlite-list/* / @sqlite-access/* throwaway scopes, Nuxt/Chai continuations, plus the whs4_* sextet.

typosquatcredential-theftcrypto-wallet-draindependency-confusion
Detected by
GitHub Advisory Database · npm Security
Also known as
2026-07-07 GHSA npm sweep · 2026-07-08 GHSA npm sweep
Ecosystems
npm
Packages tracked
62

What happened

Between 2026-07-07 and 2026-07-08 GitHub's Advisory Database published ~65 CWE-506 (Embedded Malicious Code) advisories against npm packages, running to about the same size as the 2026-07-06 sweep. Every record uses the standard "any computer that has this package installed or running should be considered fully compromised — rotate all secrets from a different computer" boilerplate. No payload write-ups accompany the GHSA texts, so defenders should treat install-time behavior as unanalyzed and assume worst case for any host that resolved these names.

Cluster 1 — AI SDK typosquats (6 packages, campaign highlight)

openai-agents-helpers, ollama-helpers, anthropic-toolkit, @langgraphjs/toolkit, ai-sdk-helpers, mcp-server-pg. All six carry the exact same tell: a version-camouflage history burst (20+ throwaway versions rapidly published over a few minutes in June to look like a mature library) followed by a fresh malicious 1.x.x publish at 2026-07-07 13:22 UTC — every one in the same 3-minute window. Example: ai-sdk-helpers published 22 versions on 2026-06-03 20:31 UTC (all 4-second intervals — a bulk-publish script), then bumped 1.4.41.4.5 on 2026-07-07 13:22:25. The pattern targets latest-tag pulls and ^-range resolvers: any repo pinned to the previous version tag would upgrade to the poisoned tag on the next npm install. The legitimate SDK slugs those names impersonate: openai (OpenAI SDK), ollama, @anthropic-ai/sdk, @langchain/langgraph, ai (Vercel AI SDK), @modelcontextprotocol/server-postgres.

Cluster 2 — Solana base58 wallet-drainer (5 packages)

base58-core@1.0.01.0.12 (12 versions, 2026-06-24 → 2026-07-05), base58-cli@1.0.01.0.5, crypto-base58@1.0.01.0.4, typescript-base58@1.0.0, solana-address-codec@1.0.01.0.5. All hit 1.0.x version ranges typical of a fresh crypto-helper package. Six weeks of live time on the "helper for Solana address encoding" naming space — anyone who searched npm for base58 and picked a helper-flavored slug (rather than the canonical bs58) is at risk. solana-address-codec in particular is a plausible drop-in for developers used to the Solana Kit ecosystem's @solana/addresses scoped package.

Cluster 3 — @sqlite-list/* / @sqlite-access/* scoped throwaways (4 packages)

@sqlite-list/schema-generator, @sqlite-list/createsql, @sqlite-list/sql-creator, @sqlite-access/nodesql. Direct continuation of the 2026-07-03 GHSA sweep's @sql-access/nodesql / @sqlite-node/createsql / @sql-trigger/nodesql cluster — same throwaway-scope model where each namespace holds exactly one malware slot. All four published between 2026-07-03 19:04 UTC and 19:40 UTC — one 36-minute burst. The operator behind the July 3 SQL-scoped cluster is still active.

Cluster 4 — Nuxt / dependency-confusion (7 packages, 99.0.x)

nuxt-fonts-devtools@99.0.3, load-nuxt@99.0.3, load-nuxt-dev@99.0.3, some-theme@99.0.3, nonexistent-package@99.0.3, hook-augmenting-module@99.0.3 (all 2026-07-03 04:33–04:44 UTC — 11-minute burst) and gen-ai-opt-in@99.0.099.0.2 (2026-07-05). The shared 99.0.x version-number is the giveaway: an intentionally-high version to win a dependency-confusion race against an internal package of the same name. This is a canonical Alex Birsan-style dependency-confusion attack — one operator, one build script, six near-simultaneous publishes targeting names that plausibly appear in a private Nuxt/Vue registry namespace at a target org.

Cluster 5 — Chai / Express / Tailwind continuations

  • Chai: chai-sdk@1.4.7/1.4.8, chai-spycore@1.1.0/1.5.3, chai-chain-dom@1.3.71.3.9. Continues the chai-as-* matcher-squat cluster from 2026-07-06.
  • Express: express-firegate@1.3.51.6.9 (12 versions running back to 2026-05-12), express-deflect@1.3.11.6.12 (running back to 2026-05-12, then a 2026-07-06 top-up publish at 1.6.10/1.6.12). Fake middleware slugs — the legitimate Express security middleware ecosystem is helmet, express-rate-limit, csurf.
  • Tailwind: tailwind-animator-scroll@1.7.0 (2026-06-11), tailwindcss-effector@1.7.0 (2026-06-22). Continues the Tailwind theme from 2026-07-02.

Cluster 6 — whs4_* sextet (single-operator burst, 2026-07-05)

@whs4/whs4_npm, whs4_npm, whs4_pnm, whs4_nmp, wsh4-nmp, wsh4_npm, whs4_npm_test. All published between 15:03 and 15:38 UTC on 2026-07-05 — 35 minutes for one operator to grab every near-miss variant of the target slug (whs4_npm). This is either a CTF/testing account or a naming-space grab attempt. Whatever the intent, GHSA classified every one as CWE-506 embedded malicious code.

Cluster 7 — Miscellaneous (~30 packages)

The remainder is the usual long tail of individual typosquats and throwaway names: evm-typechain@0.5.4 (Ethereum tooling squat — the canonical slug is typechain), polytrade@2.4.1 (Polymarket-adjacent), hello244a (45 versions of a single-file publish burst), nodemon-node@3.1.16 and ts-await@3.1.8 (published 2026-07-07 19:49/19:51 UTC, both retired 2026-07-08 — a 24-hour turnaround GHSA sweep), runtimedev-link (13 versions), zredis-typed, zod-pino434/zod-pino444, pinokio-redis (Pino/Redis/Zod naming space), warp-dependency, sypoi1, syco1, polytrade, debugcli, tx-guard-snap, jsf-utils, notifier-utils, hello244a, rnx-align-deps, annotator-harvardx, shopify-internel (typosquat of @shopify/*), harmony-enablers-test-2026, @43uh3ig43/telemetry-client, brunomenozzi-test-pkg, @apexcraft/nano-key, @engagehub/test-claim, @engagehub/core, @aspect-security/argon2 (argon2 typosquat — dangerous given argon2 is a password-hashing lib).

Contrast with recent sweeps

| Date | Packages | Notes | |---|---|---| | 2026-06-30 | 5 | Small sweep | | 2026-07-02 | 9 | Tailwind + db-* cluster | | 2026-07-03 | 14 | TypeScript/API family + @sql-* scopes | | 2026-07-06 | ~155 | Largest 2026 sweep | | 2026-07-07 | ~65 | *AI-SDK typosquats + Solana base58 + `@sqlite-` continuation** |

Combined July 1–8 npm-malware retirement count: ~250 packages across 6 GHSA sweeps — a step-change in the platform's take-down cadence.

Registry state

Every package now resolves to a 0.0.1-security holding tarball owned by npm Security. Historical version tarballs may remain fetchable from the CDN as of 2026-07-08 and should be treated as live malware in any lockfile hit — the CDN retention window for withdrawn npm versions typically runs 24–72 hours after the security replacement lands.

Affected packages (62)

  • npm@43uh3ig43/telemetry-client
    99.0.1
  • npm@apexcraft/nano-key
    1.2.41.2.51.3.21.3.3
  • npm@aspect-security/argon2
    1.0.01.0.1
  • npm@engagehub/core
    99.0.0
  • npm@engagehub/test-claim
    1.0.0
  • npm@langgraphjs/toolkit
    1.2.13
  • npm@sqlite-access/nodesql
    1.0.2
  • npm@sqlite-list/createsql
    1.0.0
  • npm@sqlite-list/schema-generator
    1.0.2
  • npm@sqlite-list/sql-creator
    1.0.61.0.7
  • npmai-sdk-helpers
    1.4.5
  • npmannotator-harvardx
    9.0.2
  • npmanthropic-toolkit
    1.3.1
  • npmbase58-cli
    1.0.01.0.11.0.21.0.31.0.41.0.5
  • npmbase58-core
    1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.101.0.111.0.12
  • npmbrunomenozzi-test-pkg
    1.0.0
  • npmchai-chain-dom
    1.3.71.3.81.3.9
  • npmchai-sdk
    1.4.71.4.8
  • npmchai-spycore
    1.1.01.5.3
  • npmcrypto-base58
    1.0.01.0.11.0.21.0.31.0.4
  • npmdebugcli
    4.3.44.3.54.3.64.3.74.3.84.3.94.4.1
  • npmevm-typechain
    0.5.4
  • npmexpress-deflect
    1.3.11.6.91.6.101.6.12
  • npmexpress-firegate
    1.3.51.4.01.4.51.4.61.5.11.5.51.6.11.6.31.6.51.6.71.6.81.6.9
  • npmgen-ai-opt-in
    99.0.099.0.199.0.2
  • npmharmony-enablers-test-2026
    1.0.0
  • npmhello244a
    1.0.01.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.0.101.0.111.0.121.0.131.0.141.0.151.0.161.0.171.0.181.0.191.0.201.0.211.0.221.0.231.0.241.0.251.0.261.0.271.0.281.0.291.0.301.0.311.0.321.0.331.0.341.0.351.0.361.0.371.0.381.0.391.0.401.0.411.0.421.0.431.0.441.0.45
  • npmhook-augmenting-module
    99.0.3
  • npmjsf-utils
    0.3.11.3.1
  • npmload-nuxt
    99.0.3
  • npmload-nuxt-dev
    99.0.3
  • npmmcp-server-pg
    0.1.00.1.10.1.20.1.30.2.00.2.10.3.00.3.10.4.00.5.00.6.00.7.00.8.00.9.01.0.01.0.11.1.01.1.11.2.01.2.11.2.2
  • npmnodemon-node
    3.1.16
  • npmnonexistent-package
    99.0.3
  • npmnotifier-utils
    1.3.71.3.81.3.91.4.0
  • npmnuxt-fonts-devtools
    99.0.3
  • npmollama-helpers
    1.2.3
  • npmopenai-agents-helpers
    1.3.3
  • npmpinokio-redis
    1.0.127
  • npmpolytrade
    2.4.1
  • npmrnx-align-deps
    99.0.7
  • npmruntimedev-link
    1.0.01.0.11.0.21.0.31.0.51.0.61.0.81.0.91.0.101.0.111.0.121.0.131.0.14
  • npmshopify-internel
    99.0.1
  • npmsolana-address-codec
    1.0.01.0.11.0.21.0.31.0.41.0.5
  • npmsome-theme
    99.0.3
  • npmsyco1
    1.0.31.0.41.0.5
  • npmsypoi1
    1.0.01.0.11.0.2
  • npmtailwind-animator-scroll
    1.7.0
  • npmtailwindcss-effector
    1.7.0
  • npmts-await
    3.1.8
  • npmtx-guard-snap
    1.0.0
  • npmtypescript-base58
    1.0.0
  • npmwarp-dependency
    1.0.01.0.1
  • npmwhs4_nmp
    1.0.01.0.1
  • npmwhs4_npm
    1.0.0
  • npmwhs4_npm_test
    1.0.01.0.11.0.21.0.3
  • npmwhs4_pnm
    1.0.0
  • npmwsh4_npm
    1.0.0
  • npmwsh4-nmp
    1.0.0
  • npmzod-pino434
    1.0.1271.0.128
  • npmzod-pino444
    1.0.1281.0.1291.0.1301.0.131
  • npmzredis-typed
    1.0.127

Impact

  • Any host that installed any of the ~65 packages listed below should be treated as fully compromised — every GHSA record uses the boilerplate CWE-506 "rotate all secrets from a different computer" language, and no patched version exists for any of them
  • The AI-SDK typosquat cluster (openai-agents-helpers, ollama-helpers, anthropic-toolkit, @langgraphjs/toolkit, ai-sdk-helpers, mcp-server-pg) targets developers pasting AI SDK setup snippets. All six landed on their latest tag with a fresh 1.x.x publish at 2026-07-07 13:22 UTC — same 3-minute window, five of the six had accumulated 20+ prior versions in a version-history-camouflage burst on 2026-06-23 to 2026-06-29 to look legitimate before the malicious tag landed
  • The Solana base58 wallet-drainer cluster (base58-core, base58-cli, crypto-base58, typescript-base58, solana-address-codec) has 30+ combined versions dating back to 2026-06-24 — six weeks of live time on a "helper for Solana address encoding" naming space. If anyone on a build host also holds a Solana wallet key, the exposure window is up to six weeks
  • The @sqlite-list/* (schema-generator, createsql, sql-creator) and @sqlite-access/nodesql cluster continues the 2026-07-03 GHSA sweep's @sql-access/nodesql / @sqlite-node/createsql pattern — same throwaway-scope model, same "one malware slot per personal namespace" operator behavior, still active four days after the last take-down
  • The whs4_* cluster (7 near-identical typosquats — whs4_npm, whs4_pnm, whs4_nmp, wsh4-nmp, wsh4_npm, whs4_npm_test, @whs4/whs4_npm) all published in a 30-minute window on 2026-07-05 15:03–15:38 UTC. Signature of a single operator or CTF/testing account grabbing every near-miss slug before publishing the final target
  • Continuation packages from earlier July sweeps: chai-spycore, chai-sdk, chai-chain-dom (Chai matcher squats, extending the 2026-07-06 chai-as-* cluster); tailwind-animator-scroll, tailwindcss-effector (Tailwind theme, extending 2026-07-02 / 2026-07-06); express-firegate, express-deflect (Express middleware fakes, running since 2026-05-12)
  • The Nuxt cluster (nuxt-fonts-devtools, load-nuxt, load-nuxt-dev, some-theme, nonexistent-package, hook-augmenting-module, gen-ai-opt-in) all shipped identical 99.0.x version numbers — the 99.0.3 collision across five names indicates one publisher, one build script, and a plausible dependency-confusion attempt targeting an internal Nuxt module namespace
  • Very-long-tail live-time slugs: openai-agents-helpers / ollama-helpers (22+ prior burst versions), anthropic-toolkit (20+ burst versions), ai-sdk-helpers (24+ burst versions), @apexcraft/nano-key (4 versions across 10 days in June). Anyone using a version-range resolver (^1.0.0, latest) that pulled the final poisoned tag would have installed malware on the first npm install after 2026-07-07 13:22 UTC

What to do

  1. 1Grep every lockfile (package-lock.json, yarn.lock, pnpm-lock.yaml) for each name in the packages map below — ~65 names is too many to eyeball. Any match is a supply-chain incident: rotate every credential the build runner could reach and re-image the build host
  2. 2If you resolved any of openai-agents-helpers, ollama-helpers, anthropic-toolkit, @langgraphjs/toolkit, ai-sdk-helpers, or mcp-server-pg: these are not legitimate SDKs. The canonical AI-SDK slugs are openai, ollama, @anthropic-ai/sdk, @langchain/langgraph, ai (Vercel), and @modelcontextprotocol/* scoped packages. Anyone who typed a plausible-sounding "helper" or "toolkit" variant grabbed malware — rotate every AI provider API key that touched the affected host
  3. 3If your build ever resolved a base58-*, crypto-base58, typescript-base58, or solana-address-codec name: treat as a Solana wallet compromise. Any wallet key, seed phrase, or exchange API key on the machine should be moved. The legitimate slugs are bs58 and @solana/web3.js
  4. 4If your build resolved any @sqlite-list/* or @sqlite-access/* name: the mainstream slugs are better-sqlite3, sqlite3, or @libsql/*. There is no legitimate @sqlite-list or @sqlite-access publisher scope on npm
  5. 5For the Nuxt cluster (nuxt-fonts-devtools, load-nuxt, load-nuxt-dev, some-theme, nonexistent-package, hook-augmenting-module, gen-ai-opt-in) — the tell is the shared 99.0.3 version pin. If you see any dep resolve to 99.0.x on an unfamiliar Nuxt-adjacent package, treat as dependency-confusion malware and check whether any internal package of the same name should have won the resolution
  6. 6Verify none of the ~65 listed packages still resolves via your private mirror — internal Artifactory / Nexus / Verdaccio instances routinely cache tarballs and will keep serving the malicious versions after the public yank
  7. 7Add the @sqlite-list, @sqlite-access, @engagehub, @43uh3ig43, and the AI-SDK "helpers/toolkit/kit" suffix pattern to a review gate on any package addition — the malware operators have been farming these exact naming spaces across three consecutive weeks

References

npm-2026-07-07-ghsa-malware-sweep