npm: 10 Malicious Packages Dropped in 21-Minute Coordinated Campaign

Key findings
- All 10 malicious npm packages were disclosed within a 21-minute window on June 16, 2026
- Every package was registered within 3 days of disclosure, most within hours
- No shared naming pattern — packages impersonate Vite, React, Chai, Tailwind, and AI/LLM tooling
- Three C2 domains identified: api.easyllm.ai, avamnrwqo7.rbmock.dev, and fixars.top
- Download counts were low (145–430/week), indicating early detection before widespread adoption
- The rapid multi-package drop with diverse naming suggests automated tooling designed to evade pattern-based detection
On June 16, 2026, ten malicious npm packages were disclosed in a coordinated takedown spanning just 21 minutes — from 22:09 to 22:30 UTC. Every single package had been registered within the preceding three days, and most were published mere hours before the malware reports landed. The tight clustering of both the registration dates and the disclosure timestamps points to a single actor or group pushing a batch of weaponized packages into the npm registry in one rapid drop.
Package Naming and Impersonation Strategy
The ten packages share no obvious prefix, scope, or suffix — there is no single campaign name to point to. Instead, the names read like a grab-bag of plausible-sounding developer utilities, each crafted to blend into a typical JavaScript project's dependency tree. Representative names include vite-config-field and react-vite-assert (impersonating Vite ecosystem tooling), chai-test-mocks (masquerading as a Chai testing helper), tw-theme-kit (suggesting Tailwind CSS theming), ssr-auth-sync (posing as a server-side rendering auth module), mci-sdk and package-uploader (generic devops-sounding names), aillmgen (evoking AI/LLM code generation), bubblestr, and backoffice-charges-module. The diversity of naming suggests automated name generation or a scattershot approach rather than a single typosquatting theme — the attacker appears to be casting a wide net across different developer interests.
All ten packages were brand-new registry entries. backoffice-charges-module, ssr-auth-sync, package-uploader, mci-sdk, and aillmgen were each first published on June 16, 2026 — the same day as the disclosure — with gaps ranging from 6 to 17 hours between publication and takedown. bubblestr and vite-config-field were registered on June 15, and tw-theme-kit on June 13. The download counts where available are tiny (145–430 per week), indicating the packages were flagged and removed before they could accumulate significant install bases.
Malicious Behavior and Infrastructure
OpenSSF Package Analysis flagged behavioral indicators across the batch. Several packages were observed communicating with external domains. Among the extracted indicators of compromise, three domains stand out as likely command-and-control or exfiltration endpoints: api.easyllm.ai, avamnrwqo7.rbmock.dev, and fixars.top. The api.easyllm.ai domain is particularly notable given the aillmgen package name, suggesting the attacker may have themed at least one lure around AI developer tooling to entice installations. The rbmock.dev subdomain follows a pattern of randomized subdomains (avamnrwqo7) commonly seen in automated C2 infrastructure. Additional code-level indicators — references to exec.js, config.js, dev.apikey, and data.config — hint at credential harvesting and arbitrary command execution capabilities, though full behavioral reports are not publicly detailed for every package in the set.
Severity and Impact
The GitHub Security Advisories associated with these packages carry the standard severity language for compromised npm packages: any machine that installed or ran one of these packages should be treated as fully compromised. Secrets, API keys, environment variables, and authentication tokens present on affected systems may have been exfiltrated to the attacker's infrastructure. While the low download counts suggest limited immediate blast radius, the packages were live on the registry for hours to days — enough time for automated dependency resolution in CI/CD pipelines to pull them in unknowingly.
What Developers Should Do
Audit your package-lock.json, yarn.lock, or pnpm-lock.yaml files for any of the following package names:
- aillmgen
- backoffice-charges-module
- bubblestr
- chai-test-mocks
- mci-sdk
- package-uploader
- react-vite-assert
- ssr-auth-sync
- tw-theme-kit
- vite-config-field
If any of these appear in your dependency tree, rotate all secrets and credentials from a clean machine. Check your npm account's access token and audit logs for any unauthorized package publishes — especially if you maintain packages with names resembling any of the above. Block the domains api.easyllm.ai, avamnrwqo7.rbmock.dev, and fixars.top at your network perimeter and in DNS filtering.
Broader Context
This 21-minute disclosure burst fits a well-established pattern of coordinated malicious package drops on npm. Attackers increasingly favor rapid, multi-package publishing runs — often using automation to register dozens of packages in a short window — betting that at least a few will evade detection long enough to compromise developer workstations or CI/CD environments. The absence of a single naming theme in this burst may itself be a deliberate evasion tactic: without a shared prefix or scope, automated detection rules that rely on package-name clustering are less effective. The quick takedown — all ten packages were disclosed and removed within half an hour — reflects the growing speed of malware detection pipelines, but the hours-long gap between publication and flagging remains a window of exposure; developers should not rely on registry defenses alone to close it.