Return of the “Shai-Hulud” Worm

Veracode is aware of and responding to on ongoing spam campaign that appears to be a reemergence of the “Shai-Hulud” worm we recently reported on. This time the malicious file is bun_environment.js. Our team are busy working on identifying and blocking this malware as it emerges. So far several NPM accounts appear to have been compromised e.g. @asyncapi and @posthog to name a few.

Veracode Customers Remain Protected

Veracode customers using Package Firewall are shielded from these threats, with the Package Firewall preventing both server- and browser-targeted malware from reaching the SDLC. Customers can also use Software Composition Analysis (SCA) to detect the usage of these malicious packages.

Veracode’s Supply Chain offerings are designed to protect our customers from these types of attacks with:

Proactive Threat Monitoring: The Veracode Threat Research Team continuously tracks open-source activity. Automated detection and expert analysis quickly identify anomalous publishing behavior, code obfuscation, and indicators of malware.

Immediate Blocking: Once a package is confirmed to be malicious, it is programmatically blocklisted. Veracode Package Firewall prevents vulnerable or compromised packages including those from the chalk, debug, and DuckDB campaigns from being installed in customer environments.

Policy Enforcement: Customers maintain strict controls over allowable packages. Policies enforced by Veracode automatically block introductions of newly compromised packages and prevent execution of malicious scripts.

Expert Guidance: The team continuously issues updates and actionable recommendations to help organizations respond quickly and confidently when new supply chain threats emerge.

NPM Attacks Conclusion: Stay Ahead of Advanced Threats

These recent npm attacks are a wakeup call: supply chain risks are increasing in scale and complexity. Attackers now target not only servers, but also browsers and end users, through high-trust dependencies. Standard reactive security is no longer sufficient.

Veracode empowers you to adopt a proactive, defense-ready stance, protecting your developers, your users, and your business from the next wave of sophisticated supply chain attacks.

Reach out to learn more.

All Known Affected Packages

Here is a list we will update containing the packages known to be affected by this malware as of November 24, 2025 (and it will continue to be updated moving forward):

02-echo@0.0.7

@accordproject/concerto-analysis@3.24.1

@accordproject/concerto-linter-default-ruleset@3.24.1

@accordproject/concerto-linter@3.24.1

@accordproject/concerto-metamodel@3.12.5

@accordproject/concerto-types@3.24.1

@accordproject/markdown-it-cicero@0.16.26

@accordproject/template-engine@2.7.2

@actbase/css-to-react-native-transform@1.0.3

@actbase/native@0.1.32

@actbase/node-server@1.1.19

@actbase/react-absolute@0.8.3

@actbase/react-daum-postcode@1.0.5

@actbase/react-kakaosdk@0.9.27

@actbase/react-native-actionsheet@1.0.3

@actbase/react-native-devtools@0.1.3

@actbase/react-native-fast-image@8.5.13

@actbase/react-native-kakao-channel@1.0.2

@actbase/react-native-kakao-navi@2.0.4

@actbase/react-native-less-transformer@1.0.6

@actbase/react-native-naver-login@1.0.1

@actbase/react-native-simple-video@1.0.13

@actbase/react-native-tiktok@1.1.3

@afetcan/api@0.0.13

@afetcan/storage@0.0.27

@alaan/s2s-auth@2.0.3

@alexadark/amadeus-api@1.0.4

@alexadark/gatsby-theme-events@1.0.1

@alexadark/gatsby-theme-wordpress-blog@2.0.1

@alexadark/reusable-functions@1.5.1

@alexcolls/nuxt-socket.io@0.0.7

@alexcolls/nuxt-socket.io@0.0.8

@alexcolls/nuxt-ux@0.6.1

@alexcolls/nuxt-ux@0.6.2

@antstackio/eslint-config-antstack@0.0.3

@antstackio/express-graphql-proxy@0.2.8

@antstackio/graphql-body-parser@0.1.1

@antstackio/json-to-graphql@1.0.3

@antstackio/shelbysam@1.1.7

@aryanhussain/my-angular-lib@0.0.23

@asyncapi/avro-schema-parser@3.0.25

@asyncapi/bundler@0.6.5

@asyncapi/bundler@0.6.6

@asyncapi/cli@4.1.2

@asyncapi/cli@4.1.3

@asyncapi/converter@1.6.3

@asyncapi/converter@1.6.4

@asyncapi/diff@0.5.1

@asyncapi/diff@0.5.2

@asyncapi/dotnet-rabbitmq-template@1.0.1

@asyncapi/dotnet-rabbitmq-template@1.0.2

@asyncapi/edavisualiser@1.2.1

@asyncapi/edavisualiser@1.2.2

@asyncapi/generator-components@0.3.2

@asyncapi/generator-components@0.3.3

@asyncapi/generator-helpers@0.2.1

@asyncapi/generator-helpers@0.2.2

@asyncapi/generator-react-sdk@1.1.4

@asyncapi/generator-react-sdk@1.1.5

@asyncapi/generator@2.8.5

@asyncapi/generator@2.8.6

@asyncapi/go-watermill-template@0.2.76

@asyncapi/go-watermill-template@0.2.77

@asyncapi/html-template@3.3.2

@asyncapi/html-template@3.3.3

@asyncapi/java-spring-cloud-stream-template@0.13.5

@asyncapi/java-spring-cloud-stream-template@0.13.6

@asyncapi/java-spring-template@1.6.1

@asyncapi/java-spring-template@1.6.2

@asyncapi/java-template@0.3.5

@asyncapi/java-template@0.3.6

@asyncapi/keeper@0.0.2

@asyncapi/keeper@0.0.3

@asyncapi/markdown-template@1.6.8

@asyncapi/markdown-template@1.6.9

@asyncapi/modelina-cli@5.10.2

@asyncapi/modelina-cli@5.10.3

@asyncapi/modelina@5.10.2

@asyncapi/modelina@5.10.3

@asyncapi/multi-parser@2.2.1

@asyncapi/multi-parser@2.2.2

@asyncapi/nodejs-template@3.0.5

@asyncapi/nodejs-template@3.0.6

@asyncapi/nodejs-ws-template@0.10.1

@asyncapi/nodejs-ws-template@0.10.2

@asyncapi/nunjucks-filters@2.1.1

@asyncapi/nunjucks-filters@2.1.2

@asyncapi/openapi-schema-parser@3.0.25

@asyncapi/optimizer@1.0.5

@asyncapi/optimizer@1.0.6

@asyncapi/parser@3.4.1

@asyncapi/parser@3.4.2

@asyncapi/php-template@0.1.1

@asyncapi/php-template@0.1.2

@asyncapi/problem@1.0.1

@asyncapi/problem@1.0.2

@asyncapi/protobuf-schema-parser@3.5.2

@asyncapi/protobuf-schema-parser@3.5.3

@asyncapi/protobuf-schema-parser@3.6.1

@asyncapi/python-paho-template@0.2.14

@asyncapi/python-paho-template@0.2.15

@asyncapi/react-component@2.6.6

@asyncapi/react-component@2.6.7

@asyncapi/server-api@0.16.24

@asyncapi/server-api@0.16.25

@asyncapi/specs@6.10.1

@asyncapi/specs@6.8.2

@asyncapi/specs@6.8.3

@asyncapi/specs@6.9.1

@asyncapi/studio@1.0.2

@asyncapi/studio@1.0.3

@asyncapi/web-component@2.6.6

@asyncapi/web-component@2.6.7

@bdkinc/knex-ibmi@0.5.7

@browserbasehq/bb9@1.2.21

@browserbasehq/director-ai@1.0.3

@browserbasehq/mcp-server-browserbase@2.4.2

@browserbasehq/mcp@2.1.1

@browserbasehq/sdk-functions@0.0.4

@browserbasehq/stagehand-docs@1.0.1

@browserbasehq/stagehand@3.0.4

@caretive/caret-cli@0.0.2

@chtijs/eslint-config@1.0.1

@clausehq/flows-step-httprequest@0.1.14

@clausehq/flows-step-jsontoxml@0.1.14

@clausehq/flows-step-mqtt@0.1.14

@clausehq/flows-step-sendgridemail@0.1.14

@clausehq/flows-step-taskscreateurl@0.1.14

@cllbk/ghl@1.3.1

@commute/bloom@1.0.3

@commute/market-data-chartjs@2.3.1

@commute/market-data@1.0.2

@dev-blinq/ai-qa-logic@1.0.19

@dev-blinq/blinqioclient@1.0.21

@dev-blinq/cucumber-js@1.0.131

@dev-blinq/cucumber_client@1.0.738

@dev-blinq/ui-systems@1.0.93

@ensdomains/address-encoder@1.1.5

@ensdomains/blacklist@1.0.1

@ensdomains/buffer@0.1.2

@ensdomains/ccip-read-cf-worker@0.0.4

@ensdomains/ccip-read-dns-gateway@0.1.1

@ensdomains/ccip-read-router@0.0.7

@ensdomains/ccip-read-worker-viem@0.0.4

@ensdomains/content-hash@3.0.1

@ensdomains/curvearithmetics@1.0.1

@ensdomains/cypress-metamask@1.2.1

@ensdomains/dnsprovejs@0.5.3

@ensdomains/dnssec-oracle-anchors@0.0.2

@ensdomains/dnssecoraclejs@0.2.9

@ensdomains/durin-middleware@0.0.2

@ensdomains/durin@0.1.2

@ensdomains/ens-archived-contracts@0.0.3

@ensdomains/ens-avatar@1.0.4

@ensdomains/ens-contracts@1.6.1

@ensdomains/ens-test-env@1.0.2

@ensdomains/ens-validation@0.1.1

@ensdomains/ensjs-react@0.0.5

@ensdomains/ensjs@4.0.3

@ensdomains/eth-ens-namehash@2.0.16

@ensdomains/hackathon-registrar@1.0.5

@ensdomains/hardhat-chai-matchers-viem@0.1.15

@ensdomains/hardhat-toolbox-viem-extended@0.0.6

@ensdomains/mock@2.1.52

@ensdomains/name-wrapper@1.0.1

@ensdomains/offchain-resolver-contracts@0.2.2

@ensdomains/op-resolver-contracts@0.0.2

@ensdomains/react-ens-address@0.0.32

@ensdomains/renewal-widget@0.1.10

@ensdomains/renewal@0.0.13

@ensdomains/reverse-records@1.0.1

@ensdomains/server-analytics@0.0.2

@ensdomains/solsha1@0.0.4

@ensdomains/subdomain-registrar@0.2.4

@ensdomains/test-utils@1.3.1

@ensdomains/thorin@0.6.51

@ensdomains/ui@3.4.6

@ensdomains/unicode-confusables@0.1.1

@ensdomains/unruggable-gateways@0.0.3

@ensdomains/vite-plugin-i18next-loader@4.0.4

@ensdomains/web3modal@1.10.2

@everreal/react-charts@2.0.1

@everreal/react-charts@2.0.2

@everreal/validate-esmoduleinterop-imports@1.4.4

@everreal/validate-esmoduleinterop-imports@1.4.5

@everreal/web-analytics@0.0.1

@everreal/web-analytics@0.0.2

@faq-component/core@0.0.4

@faq-component/react@1.0.1

@fishingbooker/browser-sync-plugin@1.0.5

@fishingbooker/react-loader@1.0.7

@fishingbooker/react-pagination@2.0.6

@fishingbooker/react-raty@2.0.1

@fishingbooker/react-swiper@0.1.5

@hapheus/n8n-nodes-pgp@1.5.1

@hover-design/core@0.0.1

@hover-design/react@0.2.1

@huntersofbook/auth-vue@0.4.2

@huntersofbook/core-nuxt@0.4.2

@huntersofbook/core@0.5.1

@huntersofbook/form-naiveui@0.5.1

@huntersofbook/i18n@0.8.2

@huntersofbook/ui@0.5.1

@hyperlook/telemetry-sdk@1.0.19

@ifelsedeveloper/protocol-contracts-svm-idl@0.1.2

@ifelsedeveloper/protocol-contracts-svm-idl@0.1.3

@ifings/design-system@4.9.2

@ifings/metatron3@0.1.5

@jayeshsadhwani/telemetry-sdk@1.0.14

@kvytech/cli@0.0.7

@kvytech/components@0.0.2

@kvytech/habbit-e2e-test@0.0.2

@kvytech/medusa-plugin-announcement@0.0.8

@kvytech/medusa-plugin-management@0.0.5

@kvytech/medusa-plugin-newsletter@0.0.5

@kvytech/medusa-plugin-product-reviews@0.0.9

@kvytech/medusa-plugin-promotion@0.0.2

@kvytech/web@0.0.2

@lessondesk/api-client@9.12.2

@lessondesk/api-client@9.12.3

@lessondesk/babel-preset@1.0.1

@lessondesk/electron-group-api-client@1.0.3

@lessondesk/eslint-config@1.4.2

@lessondesk/material-icons@1.0.3

@lessondesk/react-table-context@2.0.4

@lessondesk/schoolbus@5.2.2

@lessondesk/schoolbus@5.2.3

@livecms/live-edit@0.0.32

@livecms/nuxt-live-edit@1.9.2

@lokeswari-satyanarayanan/rn-zustand-expo-template@1.0.9

@louisle2/core@1.0.1

@louisle2/cortex-js@0.1.6

@lpdjs/firestore-repo-service@1.0.1

@lui-ui/lui-nuxt@0.1.1

@lui-ui/lui-tailwindcss@0.1.2

@lui-ui/lui-vue@1.0.13

@markvivanco/app-version-checker@1.0.1

@markvivanco/app-version-checker@1.0.2

@mcp-use/cli@2.2.6

@mcp-use/cli@2.2.7

@mcp-use/inspector@0.6.2

@mcp-use/inspector@0.6.3

@mcp-use/mcp-use@1.0.1

@mcp-use/mcp-use@1.0.2

@micado-digital/stadtmarketing-kufstein-external@1.9.1

@mizzle-dev/orm@0.0.2

@mparpaillon/connector-parse@1.0.1

@mparpaillon/imagesloaded@4.1.2

@mparpaillon/page@1.0.1

@oku-ui/accordion@0.6.2

@oku-ui/alert-dialog@0.6.2

@oku-ui/arrow@0.6.2

@oku-ui/aspect-ratio@0.6.2

@oku-ui/avatar@0.6.2

@oku-ui/checkbox@0.6.3

@oku-ui/collapsible@0.6.2

@oku-ui/collection@0.6.2

@oku-ui/dialog@0.6.2

@oku-ui/direction@0.6.2

@oku-ui/dismissable-layer@0.6.2

@oku-ui/focus-guards@0.6.2

@oku-ui/focus-scope@0.6.2

@oku-ui/hover-card@0.6.2

@oku-ui/label@0.6.2

@oku-ui/menu@0.6.2

@oku-ui/motion-nuxt@0.2.2

@oku-ui/motion@0.4.4

@oku-ui/popover@0.6.2

@oku-ui/popper@0.6.2

@oku-ui/portal@0.6.2

@oku-ui/presence@0.6.2

@oku-ui/primitive@0.6.2

@oku-ui/primitives-nuxt@0.3.1

@oku-ui/primitives@0.7.9

@oku-ui/progress@0.6.2

@oku-ui/provide@0.6.2

@oku-ui/radio-group@0.6.2

@oku-ui/roving-focus@0.6.2

@oku-ui/scroll-area@0.6.2

@oku-ui/separator@0.6.2

@oku-ui/slider@0.6.2

@oku-ui/slot@0.6.2

@oku-ui/switch@0.6.2

@oku-ui/tabs@0.6.2

@oku-ui/toast@0.6.2

@oku-ui/toggle-group@0.6.2

@oku-ui/toggle@0.6.2

@oku-ui/toolbar@0.6.2

@oku-ui/tooltip@0.6.2

@oku-ui/use-composable@0.6.2

@oku-ui/utils@0.6.2

@oku-ui/visually-hidden@0.6.2

@orbitgtbelgium/mapbox-gl-draw-cut-polygon-mode@2.0.5

@orbitgtbelgium/mapbox-gl-draw-scale-rotate-mode@1.1.1

@orbitgtbelgium/orbit-components@1.2.9

@orbitgtbelgium/time-slider@1.0.187

@osmanekrem/bmad@1.0.6

@osmanekrem/error-handler@1.2.2

@pergel/cli@0.11.1

@pergel/module-box@0.6.1

@pergel/module-graphql@0.6.1

@pergel/module-ui@0.0.9

@pergel/nuxt@0.25.5

@posthog/agent@1.24.1

@posthog/ai@7.1.2

@posthog/automatic-cohorts-plugin@0.0.8

@posthog/bitbucket-release-tracker@0.0.8

@posthog/cli@0.5.15

@posthog/clickhouse@1.7.1

@posthog/core@1.5.6

@posthog/currency-normalization-plugin@0.0.8

@posthog/customerio-plugin@0.0.8

@posthog/databricks-plugin@0.0.8

@posthog/drop-events-on-property-plugin@0.0.8

@posthog/event-sequence-timer-plugin@0.0.8

@posthog/filter-out-plugin@0.0.8

@posthog/first-time-event-tracker@0.0.8

@posthog/geoip-plugin@0.0.8

@posthog/github-release-tracking-plugin@0.0.8

@posthog/gitub-star-sync-plugin@0.0.8

@posthog/heartbeat-plugin@0.0.8

@posthog/hedgehog-mode@0.0.42

@posthog/icons@0.36.1

@posthog/ingestion-alert-plugin@0.0.8

@posthog/intercom-plugin@0.0.8

@posthog/kinesis-plugin@0.0.8

@posthog/laudspeaker-plugin@0.0.8

@posthog/lemon-ui@0.0.1

@posthog/maxmind-plugin@0.1.6

@posthog/migrator3000-plugin@0.0.8

@posthog/netdata-event-processing@0.0.8

@posthog/nextjs-config@1.5.1

@posthog/nextjs@0.0.3

@posthog/nuxt@1.2.9

@posthog/pagerduty-plugin@0.0.8

@posthog/piscina@3.2.1

@posthog/plugin-contrib@0.0.6

@posthog/plugin-server@1.10.8

@posthog/plugin-unduplicates@0.0.8

@posthog/postgres-plugin@0.0.8

@posthog/react-rrweb-player@1.1.4

@posthog/rrdom@0.0.31

@posthog/rrweb-player@0.0.31

@posthog/rrweb-record@0.0.31

@posthog/rrweb-replay@0.0.19

@posthog/rrweb-snapshot@0.0.31

@posthog/rrweb-utils@0.0.31

@posthog/rrweb@0.0.31

@posthog/sendgrid-plugin@0.0.8

@posthog/siphash@1.1.2

@posthog/snowflake-export-plugin@0.0.8

@posthog/taxonomy-plugin@0.0.8

@posthog/twilio-plugin@0.0.8

@posthog/twitter-followers-plugin@0.0.8

@posthog/url-normalizer-plugin@0.0.8

@posthog/variance-plugin@0.0.8

@posthog/web-dev-server@1.0.5

@posthog/wizard@1.18.1

@posthog/zendesk-plugin@0.0.8

@postman/aether-icons@2.23.2

@postman/aether-icons@2.23.3

@postman/aether-icons@2.23.4

@postman/csv-parse@4.0.3

@postman/csv-parse@4.0.4

@postman/csv-parse@4.0.5

@postman/final-node-keytar@7.9.1

@postman/final-node-keytar@7.9.2

@postman/final-node-keytar@7.9.3

@postman/mcp-ui-client@5.5.1

@postman/mcp-ui-client@5.5.2

@postman/mcp-ui-client@5.5.3

@postman/node-keytar@7.9.4

@postman/node-keytar@7.9.5

@postman/node-keytar@7.9.6

@postman/pm-bin-linux-x64@1.24.3

@postman/pm-bin-linux-x64@1.24.4

@postman/pm-bin-linux-x64@1.24.5

@postman/pm-bin-macos-arm64@1.24.3

@postman/pm-bin-macos-arm64@1.24.4

@postman/pm-bin-macos-arm64@1.24.5

@postman/pm-bin-macos-x64@1.24.3

@postman/pm-bin-macos-x64@1.24.4

@postman/pm-bin-macos-x64@1.24.5

@postman/pm-bin-windows-x64@1.24.3

@postman/pm-bin-windows-x64@1.24.4

@postman/pm-bin-windows-x64@1.24.5

@postman/postman-collection-fork@4.3.3

@postman/postman-collection-fork@4.3.4

@postman/postman-collection-fork@4.3.5

@postman/postman-mcp-cli@1.0.3

@postman/postman-mcp-cli@1.0.4

@postman/postman-mcp-cli@1.0.5

@postman/postman-mcp-server@2.4.10

@postman/postman-mcp-server@2.4.11

@postman/postman-mcp-server@2.4.12

@postman/pretty-ms@6.1.1

@postman/pretty-ms@6.1.2

@postman/pretty-ms@6.1.3

@postman/secret-scanner-wasm@2.1.2

@postman/secret-scanner-wasm@2.1.3

@postman/secret-scanner-wasm@2.1.4

@postman/tunnel-agent@0.6.5

@postman/tunnel-agent@0.6.6

@postman/tunnel-agent@0.6.7

@postman/wdio-allure-reporter@0.0.7

@postman/wdio-allure-reporter@0.0.8

@postman/wdio-allure-reporter@0.0.9

@postman/wdio-junit-reporter@0.0.4

@postman/wdio-junit-reporter@0.0.5

@postman/wdio-junit-reporter@0.0.6

@pradhumngautam/common-app@1.0.2

@productdevbook/animejs-vue@0.2.1

@productdevbook/auth@0.2.2

@productdevbook/chatwoot@2.0.1

@productdevbook/motion@1.0.4

@productdevbook/ts-i18n@1.4.2

@pruthvi21/use-debounce@1.0.3

@quick-start-soft/quick-document-translator@1.4.2511142126

@quick-start-soft/quick-git-clean-markdown@1.4.2511142126

@quick-start-soft/quick-markdown-compose@1.4.2506300029

@quick-start-soft/quick-markdown-image@1.4.2511142126

@quick-start-soft/quick-markdown-print@1.4.2511142126

@quick-start-soft/quick-markdown-translator@1.4.2509202331

@quick-start-soft/quick-markdown@1.4.2511142126

@quick-start-soft/quick-remove-image-background@1.4.2511142126

@quick-start-soft/quick-task-refine@1.4.2511142126

@relyt/claude-context-core@0.1.1

@relyt/claude-context-mcp@0.1.1

@relyt/mcp-server-relytone@0.0.3

@sameepsi/sor2@2.0.2

@sameepsi/sor@1.0.3

@seezo/sdr-mcp-server@0.0.5

@seung-ju/next@0.0.2

@seung-ju/openapi-generator@0.0.4

@seung-ju/react-hooks@0.0.2

@seung-ju/react-native-action-sheet@0.2.1

@silgi/better-auth@0.8.1

@silgi/drizzle@0.8.4

@silgi/ecosystem@0.7.6

@silgi/graphql@0.7.15

@silgi/module-builder@0.8.8

@silgi/openapi@0.7.4

@silgi/permission@0.6.8

@silgi/ratelimit@0.2.1

@silgi/scalar@0.6.2

@silgi/yoga@0.7.1

@sme-ui/aoma-vevasound-metadata-lib@0.1.3

@strapbuild/react-native-date-time-picker@2.0.4

@strapbuild/react-native-perspective-image-cropper-2@0.4.7

@strapbuild/react-native-perspective-image-cropper-poojan31@0.4.6

@strapbuild/react-native-perspective-image-cropper@0.4.15

@suraj_h/medium-common@1.0.5

@thedelta/eslint-config@1.0.2

@tiaanduplessis/json@2.0.2

@tiaanduplessis/json@2.0.3

@tiaanduplessis/react-progressbar@1.0.1

@tiaanduplessis/react-progressbar@1.0.2

@trackstar/angular-trackstar-link@1.0.2

@trackstar/react-trackstar-link-upgrade@1.1.10

@trackstar/react-trackstar-link@2.0.21

@trackstar/test-angular-package@0.0.9

@trackstar/test-package@1.1.5

@trefox/sleekshop-js@0.1.6

@trigo/atrix-acl@4.0.2

@trigo/atrix-elasticsearch@2.0.1

@trigo/atrix-mongoose@1.0.2

@trigo/atrix-orientdb@1.0.2

@trigo/atrix-postgres@1.0.3

@trigo/atrix-pubsub@4.0.3

@trigo/atrix-redis@1.0.2

@trigo/atrix-soap@1.0.2

@trigo/atrix-swagger@3.0.1

@trigo/atrix@7.0.1

@trigo/bool-expressions@4.1.3

@trigo/eslint-config-trigo@3.3.1

@trigo/fsm@3.4.2

@trigo/hapi-auth-signedlink@1.3.1

@trigo/jsdt@0.2.1

@trigo/keycloak-api@1.3.1

@trigo/node-soap@0.5.4

@trigo/pathfinder-ui-css@0.1.1

@trigo/trigo-hapijs@5.0.1

@trpc-rate-limiter/cloudflare@0.1.4

@trpc-rate-limiter/hono@0.1.4

@varsityvibe/api-client@1.3.36

@varsityvibe/api-client@1.3.37

@varsityvibe/utils@5.0.6

@varsityvibe/validation-schemas@0.6.7

@varsityvibe/validation-schemas@0.6.8

@viapip/eslint-config@0.2.4

@vishadtyagi/full-year-calendar@0.1.11

@voiceflow/alexa-types@2.15.60

@voiceflow/alexa-types@2.15.61

@voiceflow/anthropic@0.4.4

@voiceflow/anthropic@0.4.5

@voiceflow/api-sdk@3.28.58

@voiceflow/api-sdk@3.28.59

@voiceflow/backend-utils@5.0.1

@voiceflow/backend-utils@5.0.2

@voiceflow/base-types@2.136.2

@voiceflow/base-types@2.136.3

@voiceflow/body-parser@1.21.2

@voiceflow/body-parser@1.21.3

@voiceflow/chat-types@2.14.58

@voiceflow/chat-types@2.14.59

@voiceflow/circleci-config-sdk-orb-import@0.2.1

@voiceflow/circleci-config-sdk-orb-import@0.2.2

@voiceflow/commitlint-config@2.6.1

@voiceflow/commitlint-config@2.6.2

@voiceflow/common@8.9.1

@voiceflow/common@8.9.2

@voiceflow/default-prompt-wrappers@1.7.3

@voiceflow/default-prompt-wrappers@1.7.4

@voiceflow/dependency-cruiser-config@1.8.11

@voiceflow/dependency-cruiser-config@1.8.12

@voiceflow/dtos-interact@1.40.1

@voiceflow/dtos-interact@1.40.2

@voiceflow/encryption@0.3.2

@voiceflow/encryption@0.3.3

@voiceflow/eslint-config@7.16.4

@voiceflow/eslint-config@7.16.5

@voiceflow/eslint-plugin@1.6.1

@voiceflow/eslint-plugin@1.6.2

@voiceflow/exception@1.10.1

@voiceflow/exception@1.10.2

@voiceflow/fetch@1.11.1

@voiceflow/fetch@1.11.2

@voiceflow/general-types@3.2.22

@voiceflow/general-types@3.2.23

@voiceflow/git-branch-check@1.4.3

@voiceflow/git-branch-check@1.4.4

@voiceflow/google-dfes-types@2.17.12

@voiceflow/google-dfes-types@2.17.13

@voiceflow/google-types@2.21.12

@voiceflow/google-types@2.21.13

@voiceflow/husky-config@1.3.1

@voiceflow/husky-config@1.3.2

@voiceflow/logger@2.4.2

@voiceflow/logger@2.4.3

@voiceflow/metrics@1.5.1

@voiceflow/metrics@1.5.2

@voiceflow/natural-language-commander@0.5.2

@voiceflow/natural-language-commander@0.5.3

@voiceflow/nestjs-common@2.75.2

@voiceflow/nestjs-common@2.75.3

@voiceflow/nestjs-mongodb@1.3.1

@voiceflow/nestjs-mongodb@1.3.2

@voiceflow/nestjs-rate-limit@1.3.2

@voiceflow/nestjs-rate-limit@1.3.3

@voiceflow/nestjs-redis@1.3.1

@voiceflow/nestjs-redis@1.3.2

@voiceflow/nestjs-timeout@1.3.1

@voiceflow/nestjs-timeout@1.3.2

@voiceflow/npm-package-json-lint-config@1.1.1

@voiceflow/npm-package-json-lint-config@1.1.2

@voiceflow/openai@3.2.2

@voiceflow/openai@3.2.3

@voiceflow/pino-pretty@4.4.1

@voiceflow/pino-pretty@4.4.2

@voiceflow/pino@6.11.3

@voiceflow/pino@6.11.4

@voiceflow/prettier-config@1.10.1

@voiceflow/prettier-config@1.10.2

@voiceflow/react-chat@1.65.3

@voiceflow/react-chat@1.65.4

@voiceflow/runtime-client-js@1.17.2

@voiceflow/runtime-client-js@1.17.3

@voiceflow/runtime@1.29.1

@voiceflow/runtime@1.29.2

@voiceflow/sdk-runtime@1.43.1

@voiceflow/sdk-runtime@1.43.2

@voiceflow/secrets-provider@1.9.2

@voiceflow/secrets-provider@1.9.3

@voiceflow/semantic-release-config@1.4.1

@voiceflow/semantic-release-config@1.4.2

@voiceflow/serverless-plugin-typescript@2.1.7

@voiceflow/serverless-plugin-typescript@2.1.8

@voiceflow/slate-serializer@1.7.3

@voiceflow/slate-serializer@1.7.4

@voiceflow/stitches-react@2.3.2

@voiceflow/stitches-react@2.3.3

@voiceflow/storybook-config@1.2.2

@voiceflow/storybook-config@1.2.3

@voiceflow/stylelint-config@1.1.1

@voiceflow/stylelint-config@1.1.2

@voiceflow/test-common@2.1.1

@voiceflow/test-common@2.1.2

@voiceflow/tsconfig-paths@1.1.4

@voiceflow/tsconfig-paths@1.1.5

@voiceflow/tsconfig@1.12.1

@voiceflow/tsconfig@1.12.2

@voiceflow/utils-designer@1.74.19

@voiceflow/utils-designer@1.74.20

@voiceflow/verror@1.1.4

@voiceflow/verror@1.1.5

@voiceflow/vite-config@2.6.2

@voiceflow/vite-config@2.6.3

@voiceflow/vitest-config@1.10.2

@voiceflow/vitest-config@1.10.3

@voiceflow/voice-types@2.10.58

@voiceflow/voice-types@2.10.59

@voiceflow/voiceflow-types@3.32.45

@voiceflow/voiceflow-types@3.32.46

@voiceflow/widget@1.7.18

@voiceflow/widget@1.7.19

@vucod/email@0.0.3

@zapier/ai-actions-react@0.1.12

@zapier/ai-actions-react@0.1.13

@zapier/ai-actions-react@0.1.14

@zapier/ai-actions@0.1.18

@zapier/ai-actions@0.1.19

@zapier/ai-actions@0.1.20

@zapier/babel-preset-zapier@6.4.1

@zapier/babel-preset-zapier@6.4.2

@zapier/babel-preset-zapier@6.4.3

@zapier/browserslist-config-zapier@1.0.3

@zapier/browserslist-config-zapier@1.0.4

@zapier/browserslist-config-zapier@1.0.5

@zapier/eslint-plugin-zapier@11.0.3

@zapier/eslint-plugin-zapier@11.0.4

@zapier/mcp-integration@3.0.1

@zapier/mcp-integration@3.0.2

@zapier/mcp-integration@3.0.3

@zapier/secret-scrubber@1.1.3

@zapier/secret-scrubber@1.1.4

@zapier/spectral-api-ruleset@1.9.1

@zapier/spectral-api-ruleset@1.9.2

@zapier/stubtree@0.1.2

@zapier/stubtree@0.1.3

@zapier/zapier-sdk@0.15.5

@zapier/zapier-sdk@0.15.6

@zapier/zapier-sdk@0.15.7

ai-crowl-shield@1.0.7

arc-cli-fc@1.0.1

asciitranslator@1.0.3

asyncapi-preview@1.0.1

asyncapi-preview@1.0.2

atrix-mongoose@1.0.1

atrix@1.0.1

automation_model@1.0.491

avvvatars-vue@1.1.2

axios-builder@1.2.1

axios-cancelable@1.0.1

axios-cancelable@1.0.2

axios-timed@1.0.1

axios-timed@1.0.2

babel-preset-kinvey-flex-service@0.1.1

barebones-css@1.1.3

barebones-css@1.1.4

benmostyn-frame-print@1.0.1

best_gpio_controller@1.0.10

better-auth-nuxt@0.0.10

better-queue-nedb@0.1.5

bidirectional-adapter@1.2.2

bidirectional-adapter@1.2.3

bidirectional-adapter@1.2.4

bidirectional-adapter@1.2.5

blinqio-executions-cli@1.0.41

blob-to-base64@1.0.3

bool-expressions@0.1.2

buffered-interpolation-babylon6@0.2.8

bun-plugin-httpfile@0.1.1

bytecode-checker-cli@1.0.10

bytecode-checker-cli@1.0.11

bytecode-checker-cli@1.0.8

bytecode-checker-cli@1.0.9

bytes-to-x@1.0.1

calc-loan-interest@1.0.4

capacitor-plugin-apptrackingios@0.0.21

capacitor-plugin-purchase@0.1.1

capacitor-plugin-scgssigninwithgoogle@0.0.5

capacitor-purchase-history@0.0.10

capacitor-voice-recorder-wav@6.0.3

ceviz@0.0.5

chrome-extension-downloads@0.0.3

chrome-extension-downloads@0.0.4

claude-token-updater@1.0.3

coinmarketcap-api@3.1.2

coinmarketcap-api@3.1.3

colors-regex@2.0.1

command-irail@0.5.4

compare-obj@1.1.1

compare-obj@1.1.2

composite-reducer@1.0.2

composite-reducer@1.0.3

composite-reducer@1.0.4

composite-reducer@1.0.5

count-it-down@1.0.1

count-it-down@1.0.2

cpu-instructions@0.0.14

create-director-app@0.1.1

create-glee-app@0.2.2

create-glee-app@0.2.3

create-hardhat3-app@1.1.1

create-hardhat3-app@1.1.2

create-hardhat3-app@1.1.3

create-hardhat3-app@1.1.4

create-kinvey-flex-service@0.2.1

create-mcp-use-app@0.5.3

create-mcp-use-app@0.5.4

create-silgi@0.3.1

crypto-addr-codec@0.1.9

css-dedoupe@0.1.2

csv-tool-cli@1.2.1

dashboard-empty-state@1.0.3

designstudiouiux@1.0.1

devstart-cli@1.0.6

dialogflow-es@1.1.1

dialogflow-es@1.1.2

dialogflow-es@1.1.3

dialogflow-es@1.1.4

discord-bot-server@0.1.2

docusaurus-plugin-vanilla-extract@1.0.3

dont-go@1.1.2

dotnet-template@0.0.3

dotnet-template@0.0.4

drop-events-on-property-plugin@0.0.2

easypanel-sdk@0.3.2

electron-volt@0.0.2

email-deliverability-tester@1.1.1

enforce-branch-name@1.1.3

esbuild-plugin-brotli@0.2.1

esbuild-plugin-eta@0.1.1

esbuild-plugin-httpfile@0.4.1

eslint-config-kinvey-flex-service@0.1.1

eslint-config-nitpicky@4.0.1

eslint-config-trigo@22.0.2

eslint-config-zeallat-base@1.0.4

ethereum-ens@0.8.1

evm-checkcode-cli@1.0.12

evm-checkcode-cli@1.0.13

evm-checkcode-cli@1.0.14

evm-checkcode-cli@1.0.15

exact-ticker@0.3.5

expo-audio-session@0.2.1

expo-router-on-rails@0.0.4

express-starter-template@1.0.10

expressos@1.1.3

fat-fingered@1.0.1

fat-fingered@1.0.2

feature-flip@1.0.1

feature-flip@1.0.2

firestore-search-engine@1.2.3

fittxt@1.0.2

fittxt@1.0.3

flapstacks@1.0.1

flapstacks@1.0.2

flatten-unflatten@1.0.1

flatten-unflatten@1.0.2

formik-error-focus@2.0.1

formik-store@1.0.1

frontity-starter-theme@1.0.1

fuzzy-finder@1.0.5

fuzzy-finder@1.0.6

gate-evm-check-code2@2.0.3

gate-evm-check-code2@2.0.4

gate-evm-check-code2@2.0.5

gate-evm-check-code2@2.0.6

gate-evm-tools-test@1.0.5

gate-evm-tools-test@1.0.6

gate-evm-tools-test@1.0.7

gate-evm-tools-test@1.0.8

gatsby-plugin-antd@2.2.1

gatsby-plugin-cname@1.0.1

gatsby-plugin-cname@1.0.2

generator-meteor-stock@0.1.6

generator-ng-itobuz@0.0.15

get-them-args@1.3.3

github-action-for-generator@2.1.27

github-action-for-generator@2.1.28

gitsafe@1.0.5

go-template@0.1.8

go-template@0.1.9

gulp-inject-envs@1.2.1

gulp-inject-envs@1.2.2

haufe-axera-api-client@0.0.1

haufe-axera-api-client@0.0.2

hope-mapboxdraw@0.1.1

hopedraw@1.0.3

hover-design-prototype@0.0.5

httpness@1.0.2

httpness@1.0.3

hyper-fullfacing@1.0.3

hyperterm-hipster@1.0.7

ids-css@1.5.1

ids-enterprise-mcp-server@0.0.2

ids-enterprise-ng@20.1.6

ids-enterprise-typings@20.1.6

image-to-uri@1.0.1

image-to-uri@1.0.2

insomnia-plugin-random-pick@1.0.4

invo@0.2.2

iron-shield-miniapp@0.0.2

ito-button@8.0.3

itobuz-angular-auth@8.0.11

itobuz-angular-button@8.0.11

itobuz-angular@0.0.1

jacob-zuma@1.0.1

jacob-zuma@1.0.2

jaetut-varit-test@1.0.2

jan-browser@0.13.1

jquery-bindings@1.1.2

jquery-bindings@1.1.3

jsonsurge@1.0.7

just-toasty@1.7.1

kill-port@2.0.2

kill-port@2.0.3

kinetix-default-token-list@1.0.5

kinvey-cli-wrapper@0.3.1

kinvey-flex-scripts@0.5.1

kns-error-code@1.0.8

korea-administrative-area-geo-json-util@1.0.7

kwami@1.5.10

kwami@1.5.9

lang-codes@1.0.1

lang-codes@1.0.2

license-o-matic@1.2.1

license-o-matic@1.2.2

lint-staged-imagemin@1.3.1

lint-staged-imagemin@1.3.2

lite-serper-mcp-server@0.2.2

lui-vue-test@0.70.9

luno-api@1.2.3

m25-transaction-utils@1.1.16

manual-billing-system-miniapp-api@1.3.1

mcp-use@1.4.2

mcp-use@1.4.3

medusa-plugin-announcement@0.0.3

medusa-plugin-logs@0.0.17

medusa-plugin-momo@0.0.68

medusa-plugin-product-reviews-kvy@0.0.4

medusa-plugin-zalopay@0.0.40

mod10-check-digit@1.0.1

mon-package-react-typescript@1.0.1

my-saeed-lib@0.1.1

n8n-nodes-tmdb@0.5.1

n8n-nodes-vercel-ai-sdk@0.1.7

n8n-nodes-viral-app@0.2.5

nanoreset@7.0.1

nanoreset@7.0.2

next-circular-dependency@1.0.2

next-circular-dependency@1.0.3

next-simple-google-analytics@1.1.1

next-simple-google-analytics@1.1.2

next-styled-nprogress@1.0.4

next-styled-nprogress@1.0.5

ngx-useful-swiper-prosenjit@9.0.2

ngx-wooapi@12.0.1

nitro-graphql@1.5.12

nitro-kutu@0.1.1

nitrodeploy@1.0.8

nitroping@0.1.1

normal-store@1.3.1

normal-store@1.3.2

normal-store@1.3.3

normal-store@1.3.4

nuxt-keycloak@0.2.2

obj-to-css@1.0.2

obj-to-css@1.0.3

okta-react-router-6@5.0.1

open2internet@0.1.1

orbit-boxicons@2.1.3

orbit-nebula-draw-tools@1.0.10

orbit-nebula-editor@1.0.2

orbit-soap@0.43.13

orchestrix@12.1.2

package-tester@1.0.1

parcel-plugin-asset-copier@1.1.2

parcel-plugin-asset-copier@1.1.3

pdf-annotation@0.0.2

pergeltest@0.0.25

piclite@1.0.1

pico-uid@1.0.3

pico-uid@1.0.4

pkg-readme@1.1.1

poper-react-sdk@0.1.2

posthog-docusaurus@2.0.6

posthog-js@1.297.3

posthog-node@4.18.1

posthog-node@5.11.3

posthog-node@5.13.3

posthog-plugin-hello-world@1.0.1

posthog-react-native-session-replay@1.2.2

posthog-react-native@4.11.1

posthog-react-native@4.12.5

prime-one-table@0.0.19

prompt-eng-server@1.0.18

prompt-eng@1.0.50

puny-req@1.0.3

quickswap-ads-list@1.0.33

quickswap-default-staking-list-address@1.0.55

quickswap-default-staking-list@1.0.11

quickswap-default-token-list@1.5.16

quickswap-router-sdk@1.0.1

quickswap-sdk@3.0.44

quickswap-smart-order-router@1.0.1

quickswap-token-lists@1.0.3

quickswap-v2-sdk@2.0.1

ra-auth-firebase@1.0.3

ra-data-firebase@1.0.7

ra-data-firebase@1.0.8

react-component-taggers@0.1.9

react-data-to-export@1.0.1

react-element-prompt-inspector@0.1.18

react-favic@1.0.2

react-hook-form-persist@3.0.1

react-hook-form-persist@3.0.2

react-jam-icons@1.0.1

react-jam-icons@1.0.2

react-keycloak-context@1.0.8

react-keycloak-context@1.0.9

react-library-setup@0.0.6

react-linear-loader@1.0.2

react-micromodal.js@1.0.1

react-micromodal.js@1.0.2

react-native-datepicker-modal@1.3.1

react-native-datepicker-modal@1.3.2

react-native-email@2.1.1

react-native-email@2.1.2

react-native-fetch@2.0.1

react-native-fetch@2.0.2

react-native-get-pixel-dimensions@1.0.1

react-native-get-pixel-dimensions@1.0.2

react-native-google-maps-directions@2.1.2

react-native-jam-icons@1.0.1

react-native-jam-icons@1.0.2

react-native-log-level@1.2.1

react-native-log-level@1.2.2

react-native-modest-checkbox@3.3.1

react-native-modest-storage@2.1.1

react-native-phone-call@1.2.1

react-native-phone-call@1.2.2

react-native-retriable-fetch@2.0.1

react-native-retriable-fetch@2.0.2

react-native-use-modal@1.0.3

react-native-view-finder@1.2.1

react-native-view-finder@1.2.2

react-native-websocket@1.0.3

react-native-websocket@1.0.4

react-native-worklet-functions@3.3.3

react-packery-component@1.0.3

react-qr-image@1.1.1

react-scrambled-text@1.0.4

rediff-viewer@0.0.7

rediff@1.0.5

redux-forge@2.5.3

redux-router-kit@1.2.2

redux-router-kit@1.2.3

redux-router-kit@1.2.4

revenuecat@1.0.1

rollup-plugin-httpfile@0.2.1

sa-company-registration-number-regex@1.0.1

sa-company-registration-number-regex@1.0.2

sa-id-gen@1.0.4

sa-id-gen@1.0.5

samesame@1.0.3

scgs-capacitor-subscribe@1.0.11

scgsffcreator@1.0.5

schob@1.0.3

selenium-session-client@1.0.4

selenium-session@1.0.5

set-nested-prop@2.0.1

set-nested-prop@2.0.2

shelf-jwt-sessions@0.1.2

shell-exec@1.1.3

shell-exec@1.1.4

shinhan-limit-scrap@1.0.3

silgi@0.43.30

simplejsonform@1.0.1

skills-use@0.1.1

skills-use@0.1.2

solomon-api-stories@1.0.2

solomon-v3-stories@1.15.6

solomon-v3-ui-wrapper@1.6.1

soneium-acs@1.0.1

sort-by-distance@2.0.1

south-african-id-info@1.0.2

stat-fns@1.0.1

stoor@2.3.2

sufetch@0.4.1

super-commit@1.0.1

svelte-autocomplete-select@1.1.1

svelte-toasty@1.1.2

svelte-toasty@1.1.3

tanstack-shadcn-table@1.1.5

tavily-module@1.0.1

tcsp-draw-test@1.0.5

tcsp-test-vd@2.4.4

tcsp@2.0.2

template-lib@1.1.3

template-lib@1.1.4

template-micro-service@1.0.2

template-micro-service@1.0.3

tenacious-fetch@2.3.2

tenacious-fetch@2.3.3

test-foundry-app@1.0.1

test-foundry-app@1.0.2

test-foundry-app@1.0.3

test-foundry-app@1.0.4

test-hardhat-app@1.0.1

test-hardhat-app@1.0.2

test-hardhat-app@1.0.3

test-hardhat-app@1.0.4

test23112222-api@1.0.1

tiaan@1.0.2

tiptap-shadcn-vue@0.2.1

token.js-fork@0.7.32

toonfetch@0.3.2

trigo-react-app@4.1.2

ts-relay-cursor-paging@2.1.1

typeface-antonio-complete@1.0.5

typefence@1.2.2

typefence@1.2.3

typeorm-orbit@0.2.27

unadapter@0.1.3

undefsafe-typed@1.0.3

undefsafe-typed@1.0.4

unemail@0.3.1

uniswap-router-sdk@1.6.2

uniswap-smart-order-router@3.16.26

uniswap-test-sdk-core@4.0.8

unsearch@0.0.3

uplandui@0.5.4

upload-to-play-store@1.0.1

upload-to-play-store@1.0.2

url-encode-decode@1.0.1

url-encode-decode@1.0.2

use-unsaved-changes@1.0.9

v-plausible@1.2.1

valid-south-african-id@1.0.3

valuedex-sdk@3.0.5

vf-oss-template@1.0.1

vf-oss-template@1.0.2

vf-oss-template@1.0.3

vf-oss-template@1.0.4

victoria-wallet-constants@0.1.1

victoria-wallet-constants@0.1.2

victoria-wallet-core@0.1.1

victoria-wallet-core@0.1.2

victoria-wallet-type@0.1.1

victoria-wallet-type@0.1.2

victoria-wallet-utils@0.1.1

victoria-wallet-utils@0.1.2

victoria-wallet-validator@0.1.1

victoria-wallet-validator@0.1.2

victoriaxoaquyet-wallet-core@0.2.1

victoriaxoaquyet-wallet-core@0.2.2

vite-plugin-httpfile@0.2.1

vue-browserupdate-nuxt@1.0.5

wallet-evm@0.3.1

wallet-evm@0.3.2

wallet-type@0.1.1

wallet-type@0.1.2

web-scraper-mcp@1.1.4

web-types-htmx@0.1.1

web-types-lit@0.1.1

webpack-loader-httpfile@0.2.1

wellness-expert-ng-gallery@5.1.1

wenk@1.0.10

wenk@1.0.9

zapier-async-storage@1.0.1

zapier-async-storage@1.0.2

zapier-async-storage@1.0.3

zapier-platform-cli@18.0.2

zapier-platform-cli@18.0.3

zapier-platform-cli@18.0.4

zapier-platform-core@18.0.2

zapier-platform-core@18.0.3

zapier-platform-core@18.0.4

zapier-platform-legacy-scripting-runner@4.0.2

zapier-platform-legacy-scripting-runner@4.0.3

zapier-platform-legacy-scripting-runner@4.0.4

zapier-platform-schema@18.0.2

zapier-platform-schema@18.0.3

zapier-platform-schema@18.0.4

zapier-scripts@7.8.3

zapier-scripts@7.8.4

zuper-cli@1.0.1

zuper-sdk@1.0.57

zuper-stream@2.0.9

By Veracode Threat Research

Return of the “Shai-Hulud” Worm

Veracode Customers Remain Protected

NPM Attacks Conclusion: Stay Ahead of Advanced Threats

All Known Affected Packages

Related Posts