Still active worm malware on npmjs.com

[klassiker]

Select Topic Area

Product Feedback

Body

After looking at some of the affected packages in the Shai-Hulud attack, there are still infected versions available to download as the latest version as of now.

After reporting some of them manually and asking about the published IOCs, only specific packages were taken down.

There does not seem to be any effort to remove known malware from the registry.

This is a package pushed 2025-09-15T10:09:38.765Z:

npm pack @basic-ui-components-stc/basic-ui-components
> basic-ui-components-stc-basic-ui-components-1.0.5.tgz
tar xf basic-ui-components-stc-basic-ui-components-1.0.5.tgz
sha256sum package/bundle.js
> dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c

This IOC is known for over 3 days now and I can still download it.

This old blog article about not fixing the package install scripts vulnerability contains some interesting sections regarding worms: https://blog.npmjs.org/post/141702881055/package-install-scripts-vulnerability

npm monitors publish frequency. A spreading worm would set off alarms within npm, and if a spreading worm were identified we could halt all publishing while infected packages were identified and taken down.

Is this still the case?

npm is working with security vendors to introduce enhanced security vulnerability scanning and mitigation services. This work is underway but not yet ready.

I know that the blog is from 2016(!), but when will packages be scanned for malware before being released to the public?

[jdegand]

I have gotten in the habit of searching packages on socket.dev before installing. I also think containers and GitHub Codespaces / Stackblitz (etc) are important to use. But basically, the responsibility is on you.

[klassiker]

It shouldn't be. Not for me personally, but for every newcomer.