npm · Malicious package advisory
Malware@ctrl/plex
MAL-2026-4377
Malicious code in @ctrl/plex (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (20e1aad15739a79a359d88099a004fa395b66df8845c10823824e848f095c568) The @ctrl/* npm scope was compromised in the Shai-Hulud supply-chain incident (September 2025). Versions of @ctrl/plex published during and after the compromise window have been observed shipping credential-harvesting payloads that exfiltrate developer secrets (npm tokens, GitHub tokens, cloud credentials, SSH keys) and self-propagate by republishing other packages owned by the same maintainer. @ctrl/plex@6.0.0 falls within the affected version range for this scope. Installing this version is expected to execute attacker-controlled code that harvests installer credentials and attempts further package compromise.
Compromised versions (1)
- 6.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.