npm: 40 Packages Including 'ai-sdk-ollama' Hijacked in Coordinated Attack

Key findings

• A coordinated sweep on June 5, 2026, removed 40 malicious npm packages at the exact same instant
• The campaign targeted established packages, including 'ai-sdk-ollama' which has over 37,000 weekly downloads
• Affected package suites include 'autotel', 'awaitly', '@ethlete', and 'executable-stories'
• Longevity of packages like '@ethlete/core' (3.7 years old) points to maintainer account compromises
• The presence of 'binding.gyp' suggests potential native code execution during package installation

Coordinated Takedown on npm\n\nOn June 5, 2026, at 00:53 UTC, the npm security team executed a massive, simultaneous takedown of 40 malicious packages. Unlike typical typosquatting campaigns that rely on newly registered names, this coordinated burst targeted established packages, many of which have been active on the registry for months or years. Among the affected packages is ai-sdk-ollama, a popular library drawing over 37,000 weekly downloads, which was first published ten months ago. The simultaneous disclosure of all 40 advisories points to a sweeping, automated cleanup of a widespread compromise.\n\n## Targeted Package Clusters\n\nThe list of hijacked packages reveals several distinct, highly structured clusters rather than random ad-hoc names. These include the autotel family (such as autotel, autotel-edge, autotel-tanstack, and autotel-vitest), the awaitly suite (including awaitly, awaitly-analyze, and awaitly-postgres), and the @ethlete scoped packages (such as @ethlete/cdk, @ethlete/components, and @ethlete/core). Additionally, testing utility suites like executable-stories-jest and their corresponding ESLint plugins (e.g., eslint-plugin-executable-stories-vitest) were compromised. The longevity of these packages—with @ethlete/core first published over three and a half years ago—strongly suggests a series of maintainer account takeovers or credential leaks rather than a typosquatting campaign.\n\n## Behavioral Indicators and Native Code Execution\n\nThe malicious versions introduced into these packages, such as version 3.8.5 of ai-sdk-ollama and version 1.13.27 of autotel-tanstack, contained malicious payloads designed to compromise host environments. While specific behavioral analysis details are limited, the inclusion of binding.gyp in the extracted indicators suggests the malware may have attempted to compile native C/C++ addons during the installation phase. This technique is frequently used by threat actors to execute arbitrary code or bypass standard JavaScript-level runtime monitoring during the postinstall lifecycle hook of npm packages.\n\n## Critical Severity and Downstream Impact\n\nThe severity of this compromise is critical. Because these packages are integrated into active development pipelines and production environments, any system that installed the compromised versions must be treated as fully compromised. The malicious updates have the potential to exfiltrate environment variables, access sensitive API tokens, and establish persistent backdoors on developer workstations and build servers. Security advisories warn that developers who have pulled these specific versions should immediately rotate all secrets, credentials, and access tokens from an uncompromised machine.\n\n## Detection and Remediation\n\nTo mitigate the risk, developers are urged to audit their dependency trees and package-lock.json files for any of the affected packages. Specifically, check for the compromised versions of:\n\n* ai-sdk-ollama (version 3.8.5 or other affected releases)\n* autotel-tanstack (version 1.13.27)\n* awaitly-postgres (version 19.1.1)\n* @ethlete/core (version 4.31.1)\n* executable-stories-jest (version 8.3.2)\n\nIf any of these packages or versions are detected, they should be removed immediately. Developers should also review their npm registry publish tokens and audit access logs for any unauthorized package releases.\n\n## Broader Context\n\nThis incident highlights an ongoing shift in supply chain attacks, where threat actors increasingly target existing, trusted packages with established user bases rather than relying solely on typosquats. By compromising maintainer credentials or exploiting weak authentication mechanisms, attackers can instantly distribute malicious payloads to thousands of downstream users. The rapid, simultaneous takedown of all 40 packages by npm administrators underscores the critical role of automated registry-level monitoring in limiting the blast radius of such coordinated campaigns.