VYPR

npm · Malicious package advisory

Malware

@ctrl/plex

MAL-2026-4377

Malicious code in @ctrl/plex (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (20e1aad15739a79a359d88099a004fa395b66df8845c10823824e848f095c568)
The @ctrl/* npm scope was compromised in the Shai-Hulud supply-chain incident (September 2025). Versions of @ctrl/plex published during and after the compromise window have been observed shipping credential-harvesting payloads that exfiltrate developer secrets (npm tokens, GitHub tokens, cloud credentials, SSH keys) and self-propagate by republishing other packages owned by the same maintainer. @ctrl/plex@6.0.0 falls within the affected version range for this scope. Installing this version is expected to execute attacker-controlled code that harvests installer credentials and attempts further package compromise.

Compromised versions (1)

  • 6.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.