npm: 10 Malicious Packages Disclosed in 28-Minute Coordinated Takedown, Including PostCSS Impersonator
Ten malicious npm packages were disclosed in a 28-minute coordinated takedown on 2026-06-13, including a pair of `houzidawang` siblings registered just 20 hours earlier and a PostCSS-impersonating package drawing 1.5k weekly downloads.

Key findings
- Ten malicious npm packages disclosed within a 28-minute window on 2026-06-13
- The houzidawang807 and houzidawang808 pair were registered just 20 hours before disclosure
- postcss-minify-selector-parser impersonates a PostCSS plugin, drawing ~1.5k weekly downloads
- Shared C2 domain d8lslmi9io6i264ftj80mh9e7niqiaenf.oast.live appears across the burst
- Modular malware components include beacon15.js, caller.js, and collect.js for C2 communication and data exfiltration
- All ten advisories published by the same source (MAL-2026-5730 through 5739) confirming a coordinated takedown
On 2026-06-13, ten malicious npm packages were disclosed within a 28-minute window, all flagged by the same advisory source (MAL-2026-5730 through 5739). The packages share no obvious naming pattern — no common scope, prefix, or suffix — but the tight disclosure window and unified advisory source confirm a coordinated takedown. Among the ten, two packages stand out as a clear pair: houzidawang807 and houzidawang808, both published on 2026-06-13, just 20 hours before disclosure, and disclosed at the exact same minute (06:51 UTC). The remaining eight packages span a variety of names — from postcss-minify-selector-parser to node-multi-downloader — and were disclosed in rapid succession between 06:51 and 07:19 UTC.
Campaign Pattern
The ten packages lack a shared naming convention, but the disclosure pattern reveals structure. The houzidawang807 and houzidawang808 pair is a clear sibling set — sequential numeric suffixes suggest automated registration. The other eight packages use names that mimic legitimate npm packages or generic utility names: postcss-minify-selector-parser impersonates the PostCSS ecosystem, node-denv suggests a Node.js environment utility, node-stack-frames mimics a debugging tool, and node-app-doctor poses as a diagnostic package. class-synth, node-multi-downloader, sheratan_haha, and postinstall-logger-7x9z round out the set with names that could plausibly be mistaken for real tools.
Malicious Behavior
OSSF Package Analysis flagged consistent malicious behavior across the burst. The packages communicate with external command-and-control infrastructure — the domain d8lslmi9io6i264ftj80mh9e7niqiaenf.oast.live appears in behavioral findings, indicating out-of-band exfiltration via DNS or HTTP callbacks. The presence of beacon15.js, caller.js, cjs-runner.js, and collect.js in the extracted IOCs suggests a modular malware architecture with dedicated components for beaconing, command execution, and data collection. The custom-codec-pipeline.js and formatters.bindings references point to obfuscation and data-formatting routines. The dns.resolve and fs.existssync references indicate the malware probes the filesystem and performs DNS lookups — classic reconnaissance behavior.
Severity
Any developer or CI/CD pipeline that installed any of these packages should treat the affected machine as fully compromised. Because the malware can communicate with external servers and execute commands, environment variables, including NPM_TOKEN, AWS_SECRET_ACCESS_KEY, and other secrets, may have been exfiltrated. The GHSA advisories give consistent response guidance: rotate all credentials from a clean machine, audit npm token logs for unauthorized publishes, and review any infrastructure that the compromised environment had access to.
Detection and Response
Audit your package-lock.json or yarn.lock for any of these package names:
- houzidawang807 (v1.1.6)
- houzidawang808 (v1.0.0)
- postcss-minify-selector-parser (v1.0.11 through 2.0.1)
- postinstall-logger-7x9z (v1.0.0)
- class-synth (v1.0.2 through 1.0.9)
- node-multi-downloader (v5.0.14-rc.3)
- node-denv (v1.3.5)
- node-stack-frames (v4.0.0)
- node-app-doctor (v1.0.1 through 1.0.9)
- sheratan_haha (v1.0.0, v1.0.1)
If any match, rotate all secrets and tokens from a separate, clean machine. Check your npm account's token list for unauthorized additions and review recent publish activity.
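The lockfile audit described above, as an added example that is not part of the original advisory: it matches the ten package names exactly (so `postcss` itself is not flagged by the `postcss-minify-selector-parser` entry) in both the lockfileVersion 1 nested layout and the v2/v3 flat `packages` map, including transitively nested installs. The sample lockfile is constructed for a stand-alone run.

```python
import json
from typing import List, Tuple

# The ten package names from advisories MAL-2026-5730 through 5739, as listed on this page.
MALICIOUS_PACKAGES = {
    "houzidawang807", "houzidawang808", "postcss-minify-selector-parser",
    "postinstall-logger-7x9z", "class-synth", "node-multi-downloader",
    "node-denv", "node-stack-frames", "node-app-doctor", "sheratan_haha",
}


def _walk_v1(deps: dict, hits: List[Tuple[str, str]]) -> None:
    """lockfileVersion 1: nested 'dependencies' objects keyed by package name."""
    for name, meta in (deps or {}).items():
        if name in MALICIOUS_PACKAGES:
            hits.append((name, meta.get("version", "?")))
        _walk_v1(meta.get("dependencies"), hits)


def find_malicious(lock: dict) -> List[Tuple[str, str]]:
    """Return sorted (name, version) pairs for every flagged package in a parsed package-lock.json."""
    hits: List[Tuple[str, str]] = []
    # lockfileVersion 2/3: flat 'packages' map keyed by install path, e.g.
    # "node_modules/node-denv" or "node_modules/a/node_modules/node-denv".
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name in MALICIOUS_PACKAGES:
            hits.append((name, meta.get("version", "?")))
    if not lock.get("packages"):
        _walk_v1(lock.get("dependencies"), hits)
    return sorted(set(hits))


# Constructed sample lockfile (v3 layout) for demonstration; not a real project.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"postcss": "^8.0.0"}},
        "node_modules/postcss": {"version": "8.4.0"},
        "node_modules/postcss-minify-selector-parser": {"version": "1.0.11"},
        "node_modules/foo/node_modules/node-denv": {"version": "1.3.5"},
    },
}

if __name__ == "__main__":
    # Replace SAMPLE_LOCK with json.load(open("package-lock.json")) to audit a real project.
    for name, version in find_malicious(SAMPLE_LOCK):
        print(f"FLAGGED {name}@{version}: rotate secrets from a clean machine")
```

Any hit means the host should be treated as compromised regardless of the version found, since the advisories cover whole version ranges for several of the names.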
Context
This burst exemplifies the ongoing trend of rapid, coordinated malicious package drops on npm. The houzidawang pair, registered just 20 hours before disclosure, shows how quickly attackers can deploy and the registry can respond. The inclusion of names like postcss-minify-selector-parser — mimicking a legitimate PostCSS plugin — highlights the continued effectiveness of dependency confusion and typosquatting as initial access vectors. The shared C2 infrastructure across packages with no naming pattern suggests a single actor using a common malware kit, deployed across multiple package identities to maximize reach before takedown.