Vypr Intelligence, AI-generated, Jun 11, 2026

npm: 30 Malicious Typosquat Packages Disclosed in 26-Minute Coordinated Takedown

30 malicious npm packages, all registered 17 hours earlier, were disclosed in a coordinated 26-minute takedown on June 11, 2026 — a typosquatting campaign targeting developers with names like tailwindcss-merge, typeorm-encrypt, and sass-format.

Key findings

  • 30 malicious npm packages disclosed in a 26-minute window on June 11, 2026
  • All packages were registered just 17 hours before disclosure — a fresh, automated typosquatting campaign
  • Package names typosquat legitimate libraries: tailwindcss-merge, typeorm-encrypt, sass-format, and others
  • Behavioral analysis flagged environment reconnaissance via os.hostname, os.userinfo, and process.cwd
  • C2 domain wybqtvzmfhssbvhokfgb61yfn41sqvc9c.oast.fun extracted from postinstall scripts
  • All advisories rated Critical — affected machines should be considered fully compromised

On June 11, 2026, 30 malicious npm packages were disclosed within a 26-minute window — all registered just 17 hours earlier on the same day. The packages, a mix of typosquats and brand-new names, were published in a coordinated drop and flagged between 09:26 and 09:52 UTC. None of the packages had accumulated significant downloads, but their rapid appearance and shared behavioral signature point to a single automated campaign.

The naming pattern is eclectic but reveals a clear strategy: typosquatting popular npm packages by mimicking their names. The list includes tailwindcss-merge (impersonating tailwind-merge), tailwindcss-animates-kit (likely targeting tailwindcss-animate), tailwindcss-animatics, tailwindcss-animotion, typeorm-encrypt, rate-limit-flexible and rate-limits-flexible, sass-format and sass-formats, swagger-express-routes, react-photo-views, routing-controls, clsx-tailwind, tw-fluid-type, and sensivity. Several names — like tailwindcss-animotion and tailwindcss-animatics — appear to be slight variations of legitimate packages, a classic typosquatting technique designed to catch developers who mistype a package name during installation. The package @whatnot-web/www-legacy stands apart as the only scoped package in the set, affecting versions 99.1.1 and 99.1.2.

OpenSSF Package Analysis flagged malicious behavior across the burst. The package @whatnot-web/www-legacy was observed communicating with a domain associated with malicious activity. Behavioral findings extracted from the broader set reference postinstall.js scripts, os.hostname, os.userinfo, and process.cwd — a combination that strongly suggests environment reconnaissance and data exfiltration. The domain wybqtvzmfhssbvhokfgb61yfn41sqvc9c.oast.fun was extracted as a potential command-and-control indicator, consistent with out-of-band exfiltration techniques commonly used in npm malware campaigns.

Every advisory in the burst carries a Critical severity rating. The GHSA advisories all use the standard boilerplate warning: any computer with these packages installed should be considered fully compromised, and all secrets and keys stored on that machine must be rotated from a separate, clean device. The MAL advisories corroborate the GHSA entries, with 15 GHSA and 15 MAL advisories published in lockstep — a pattern that indicates coordinated triage and disclosure by the security teams.

All 30 packages were first published on June 11, 2026 — just 17 hours before the disclosure window — meaning they were purpose-built for this attack and had no prior legitimate install base. The download numbers bear this out: sensivity had only 9,200 weekly downloads, and tailwindcss-animates-kit had just 4. These packages were caught early, before they could accumulate a large victim pool.

Developers should immediately audit their package-lock.json and node_modules for any of the affected names: sensivity, routing-controls, swagger-express-routes, tailwindcss-animotion, react-photo-views, tw-fluid-type, clsx-tailwind, rate-limit-flexible, rate-limits-flexible, sass-formats, sass-format, tailwindcss-animates-kit, tailwindcss-merge, tailwindcss-animatics, typeorm-encrypt, and @whatnot-web/www-legacy. If any are found, rotate all credentials stored on the affected machine from a clean device.
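One way to run that audit, as an added example that is not part of the original article or of any advisory: a Node.js script that checks a package-lock.json (lockfile v1, v2 or v3) for the names listed above, including copies nested under another dependency. The package list is copied from this article; the sample lockfile is constructed for the demonstration.

```javascript
// Audit a package-lock.json for the package names named in the advisory burst.
// Added example; not the article's or npm's own tooling.

// Affected names as listed in the article. Exact-match only: legitimate
// neighbours such as tailwind-merge or tailwindcss-animate must not be flagged.
const AFFECTED = new Set([
  "sensivity", "routing-controls", "swagger-express-routes", "tailwindcss-animotion",
  "react-photo-views", "tw-fluid-type", "clsx-tailwind", "rate-limit-flexible",
  "rate-limits-flexible", "sass-formats", "sass-format", "tailwindcss-animates-kit",
  "tailwindcss-merge", "tailwindcss-animatics", "typeorm-encrypt", "@whatnot-web/www-legacy",
]);

// Yield [name, version] for every resolved package in a parsed lockfile.
// lockfileVersion 1 nests packages under "dependencies"; v2/v3 flatten them under
// "packages", keyed by install path ("node_modules/a/node_modules/b"). A v2 file
// carries both shapes, so callers must deduplicate.
function* lockfilePackages(lock) {
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project entry
    const idx = key.lastIndexOf("node_modules/");
    yield [key.slice(idx + "node_modules/".length), meta.version];
  }
  const stack = lock.dependencies ? [lock.dependencies] : [];
  while (stack.length) {
    for (const [name, meta] of Object.entries(stack.pop())) {
      yield [name, meta.version];
      if (meta.dependencies) stack.push(meta.dependencies);
    }
  }
}

// Return a sorted, deduplicated list of "name@version" hits for the affected set.
function auditLockfile(lock) {
  const hits = new Set();
  for (const [name, version] of lockfilePackages(lock)) {
    if (AFFECTED.has(name)) hits.add(`${name}@${version}`);
  }
  return [...hits].sort();
}

// Constructed v3 lockfile: one typosquat nested under a legitimate dependency,
// one scoped hit, and the legitimate tailwind-merge, which must not be flagged.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/tailwind-merge": { version: "2.5.0" },
    "node_modules/some-lib/node_modules/tailwindcss-merge": { version: "1.0.0" },
    "node_modules/@whatnot-web/www-legacy": { version: "99.1.1" },
  },
};

// Usage: node audit-lockfile.js ./package-lock.json  (prints the hits, if any)
if (process.argv[2]) {
  const lock = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  console.log(auditLockfile(lock));
}
```

A non-empty result means the lockfile resolved one of the listed names, so treat the machine as compromised per the advisories and rotate credentials from a clean device.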

This burst exemplifies a growing trend: automated typosquatting campaigns that flood registries with dozens of lookalike packages in minutes, exploiting developer typos and dependency confusion. The 26-minute window and the uniform 17-hour gap between publication and takedown suggest a single operator using automated tooling to register, publish, and distribute these packages before detection systems caught up. The mix of GHSA and MAL advisories also reflects the dual-track disclosure pipeline now standard for npm malware — with GitHub Security Advisories and the OpenSSF Malware Database working in parallel to flag and remove threats.

AI-written article. Grounded in 0 CVE records.