npm: 11 Malicious Packages Targeting '@demica' Scope and DeFi Developers Disclosed in 5-Minute Window
A coordinated campaign on npm has been uncovered after 11 malicious packages, targeting the '@demica' scope and various DeFi utilities, were disclosed and removed within a tight five-minute window.

Key findings
- 11 malicious npm packages were disclosed and removed within a tight five-minute window on June 9, 2026
- The campaign targeted the '@demica' scope with three packages registered less than 24 hours before disclosure
- Eight DeFi-themed packages with trailing numbers, such as 'ethereum-kit-9', targeted web3 developers
- Malicious execution is triggered automatically during installation via postinstall scripts
- Developers who installed these packages must rotate all secrets and audit their environments for compromise
Coordinated Takedown on npm
On June 9, 2026, security teams coordinated the disclosure and removal of 11 malicious packages from the npm registry within a five-minute window, between 07:50 and 07:55 UTC. The campaign was split between impersonating a specific corporate scope, @demica, and publishing a series of generic, numbered decentralized finance (DeFi) and cryptocurrency utility packages. All 11 packages were flagged and pulled from the registry almost simultaneously, which is consistent with an automated takedown response triggered once the campaign was identified.
The '@demica' Scope Impersonation
A key component of this campaign is the targeting of the @demica scope. Three packages, @demica/core, @demica/resources, and @demica/shared, were registered just 22 to 23 hours before their disclosure. The short lifetime points to a focused attack, most plausibly a dependency confusion attempt against organizations that consume Demica's internal packages: if a package name under that scope exists in an internal registry but the build pipeline is still allowed to resolve the scope against the public npm registry, npm will happily fetch the attacker's public version. The same names also serve as typosquatting bait for developers who type the scope by hand. By publishing under a matching scope, the threat actors likely hoped that automated build pipelines or developers would pull the compromised packages without noticing.
DeFi and Crypto-Themed Packages
In tandem with the scoped packages, the threat actors released eight ad-hoc utility packages carrying cryptocurrency and DeFi-themed names appended with arbitrary numbers. These include:
- farming-tools-12
- defi-tools-39
- swap-sdk-87
- wallet-sdk-9
- ethereum-kit-9
- crypto-utils-7
- ethereum-kit-1
- blockchain-helper-0
Unlike the scoped packages, these names point toward a broader dragnet targeting decentralized finance developers, web3 engineers, and users looking for quick integration tools. The addition of trailing numbers suggests automated generation, a common tactic used by malicious actors to bypass basic name-similarity filters or to spin up multiple variations of an attack vector quickly.
Behavioral Analysis and Execution
While specific behavioral details are sparse, analysis of the packages indicates they were designed to execute immediately upon installation. The presence of files such as postinstall.js, index.js, and canary.js suggests a multi-stage execution flow. In campaigns of this nature, the package's package.json declares a postinstall entry under "scripts"; npm runs that command as soon as the package is unpacked, whether it was installed directly or pulled in as a transitive dependency, so the malware never needs to be imported or called from application code. This allows it to run reconnaissance, read environment variables, or establish initial contact with external infrastructure before the package is ever used.
Severity and Impact
The severity of these disclosures is critical. Any development environment, CI runner, or server that installed these packages during their brief window of availability must be treated as fully compromised. Because these packages execute arbitrary code during the installation phase, they can exfiltrate sensitive environment variables, including API keys, npm publishing tokens, and cloud provider credentials, and anything else readable by the installing user. Security advisories for these packages emphasize that developers who installed any of these versions should rotate every secret that was present on the affected host, performing the rotation from a clean, uncompromised machine, and audit the affected environment for unauthorized persistence mechanisms.
Mitigation and Response
To mitigate the risk of this campaign, developers and security teams should immediately audit their dependency trees and package-lock.json files for any references to the affected packages, such as @demica/core, @demica/resources, @demica/shared, or any of the numbered crypto utilities like ethereum-kit-9 and wallet-sdk-9. Organizations that publish packages under a private scope should map that scope to their internal registry in .npmrc (an @scope:registry= entry) so it is never resolved against the public npm registry, and should check the "resolved" URLs recorded in their lockfiles to confirm that internal-scope packages were not fetched from registry.npmjs.org; together these steps neutralize the dependency confusion vector. Installing with npm's --ignore-scripts option (or ignore-scripts=true in .npmrc) prevents lifecycle scripts such as postinstall from running at all, at the cost of breaking the few legitimate packages that depend on them. Additionally, reviewing registry access logs for any unauthorized publishing activity is highly recommended.
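The following script is an added example, not code from the advisory, from Demica, or from npm itself. It shows the three checks described above, for the scope impersonation, the postinstall trigger, and the mitigation steps, run together over a lockfile: match package names against the disclosed list, flag any package whose lockfile entry carries the hasInstallScript marker that npm records for packages declaring install lifecycle scripts, and detect internal-scope packages whose resolved URL points at the public registry. It also checks that .npmrc pins each internal scope to a non-public registry. The lockfile fragment, the .npmrc contents, and the internal registry host npm.internal.example are constructed for the example.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3) and an
// .npmrc for the conditions this campaign relies on. All sample data below is
// constructed; the internal registry host is an assumption.

// Package names listed in the disclosure.
const IOC_PACKAGES = new Set([
  "@demica/core", "@demica/resources", "@demica/shared",
  "farming-tools-12", "defi-tools-39", "swap-sdk-87", "wallet-sdk-9",
  "ethereum-kit-9", "crypto-utils-7", "ethereum-kit-1", "blockchain-helper-0",
]);

const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Lockfile v2/v3 keys packages by install path, e.g. "node_modules/@demica/core"
// or "node_modules/a/node_modules/@demica/core". Recover the bare package name.
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Walk every package entry and return a list of findings.
// internalScopes: scopes (e.g. "@demica") that must never resolve publicly.
function auditLockfile(lock, internalScopes) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project entry, not a dependency
    const name = packageNameFromKey(key);
    if (IOC_PACKAGES.has(name)) {
      findings.push({ type: "ioc", name, version: entry.version });
    }
    if (entry.hasInstallScript) {
      // npm sets this when the package declares preinstall/install/postinstall.
      findings.push({ type: "install-script", name, version: entry.version });
    }
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    if (scope && internalScopes.includes(scope) &&
        typeof entry.resolved === "string" &&
        entry.resolved.startsWith(PUBLIC_REGISTRY)) {
      // An internal-scope package fetched from the public registry is the
      // signature of a successful dependency confusion.
      findings.push({ type: "dependency-confusion", name, resolved: entry.resolved });
    }
  }
  return findings;
}

// Return the internal scopes that .npmrc fails to pin to a non-public registry.
function auditNpmrc(text, internalScopes) {
  const mapped = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const m = line.match(/^(@[^:=\s]+):registry\s*=\s*(\S+)$/);
    if (m) mapped[m[1]] = m[2];
  }
  return internalScopes.filter(s => !mapped[s] || mapped[s].startsWith(PUBLIC_REGISTRY));
}

// Constructed lockfile fragment: two of the disclosed packages plus one benign one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@demica/core": {
      version: "1.0.3",
      resolved: "https://registry.npmjs.org/@demica/core/-/core-1.0.3.tgz",
      hasInstallScript: true,
    },
    "node_modules/ethereum-kit-9": {
      version: "0.0.1",
      resolved: "https://registry.npmjs.org/ethereum-kit-9/-/ethereum-kit-9-0.0.1.tgz",
      hasInstallScript: true,
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
  },
};

// Constructed .npmrc contents: the weak form (scope unmapped) and the fixed form.
const WEAK_NPMRC = "registry=https://registry.npmjs.org/\n# @demica is internal but has no mapping\n";
const FIXED_NPMRC = "registry=https://registry.npmjs.org/\n@demica:registry=https://npm.internal.example/\n";

const INTERNAL_SCOPES = ["@demica"];
for (const f of auditLockfile(SAMPLE_LOCK, INTERNAL_SCOPES)) console.log(f);
console.log("unpinned scopes (weak):", auditNpmrc(WEAK_NPMRC, INTERNAL_SCOPES));
console.log("unpinned scopes (fixed):", auditNpmrc(FIXED_NPMRC, INTERNAL_SCOPES));
```

On a real project, replace SAMPLE_LOCK with JSON.parse of the package-lock.json contents and WEAK_NPMRC with the contents of the project and user .npmrc files; the ioc and dependency-confusion findings are the ones that demand immediate secret rotation, while install-script findings are a review list, since some legitimate native packages do declare install hooks.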