Vypr · supply-chain · Published Jun 19, 2026 · Updated Jun 27, 2026 · 1 source

npm: 16 Malicious Packages in Coordinated 20-Minute Drop Impersonate Ethereum, MongoDB, and TypeScript Tooling


Key findings

  • All 16 packages were registered and disclosed on the same day (June 19, 2026), indicating a disposable-account attack pattern
  • The packages fall into three thematic clusters: 'ecro' TypeScript utilities, Ethereum developer tooling, and MongoDB/logging libraries
  • Every advisory carries a Critical severity rating; 10 were issued via GHSA and 6 via MAL, with several packages receiving dual coverage
  • The entire burst was disclosed within a 20-minute window (08:08–08:28 UTC), suggesting automated detection caught the batch near-simultaneously
  • Packages like ethereum-gas-reporter and mongoose-jsonify impersonate legitimate tooling familiar to Solidity and MongoDB developers

On June 19, 2026, sixteen malicious npm packages were disclosed in a tightly coordinated 20-minute window — all sixteen advisories landing between 08:08 and 08:28 UTC. Every package was registered on the very same day it was caught, indicating a rapid detection-and-takedown response to a fresh batch of malicious publications. No single naming convention unites the entire set, but the packages fall into three distinct thematic clusters that together paint a picture of a multi-pronged impersonation campaign targeting JavaScript and Ethereum developers.

Three Thematic Clusters

The largest cluster revolves around the cryptic ecro stem. Five packages — ts-ecro-helper, new-ecro, ts-ecro, ts-big-ecro, and ts-esys — all carry the same ts- prefix and ecro root, suggesting a fabricated namespace designed to resemble legitimate TypeScript utility libraries. Each of these packages drew between 18 and 51 weekly downloads in its brief lifespan, with ts-esys and ts-ecro-helper attracting the most attention.

A second cluster impersonates Ethereum developer tooling. eth-util mimics a common Ethereum utility module, while ethereum-gas-reporter (version 0.2.27 in the MAL advisory) poses as a gas-reporting tool familiar to Solidity developers. Alongside them sits assert-kit (version 4.3.2), a name that evokes testing and assertion libraries — a staple of any JavaScript project's devDependencies. These three packages, disclosed at 08:08 UTC, formed the leading edge of the burst.

The third cluster targets the MongoDB and logging ecosystems. mongoose-jsonify impersonates a Mongoose plugin for JSON serialization, while pretty-logger-js masquerades as a logging utility. Both were disclosed at 08:10 UTC, just two minutes after the Ethereum-themed batch.

Severity and Risk

Every advisory in this burst carries a Critical severity rating under the GitHub Security Advisory (GHSA) framework. In the GHSA taxonomy, Critical is reserved for packages where the malware achieves full compromise of the host — the standard guidance is that any machine which installed these packages should be treated as fully compromised, with all secrets and credentials rotated from a clean device. Ten of the sixteen disclosures came through GHSA, with the remaining six issued as MAL advisories; several packages received dual coverage from both sources, including ts-ecro-helper, ts-esys, mongoose-jsonify, assert-kit, eth-util, and ethereum-gas-reporter.

Fresh Registrations, Rapid Takedown

All sixteen packages share a critical temporal signature: each was first published to the npm registry on June 19, 2026 — the same day the advisories were published. This is the hallmark of a disposable-account attack pattern, where threat actors register packages, publish malicious versions, and expect them to be taken down quickly. The fact that the entire batch was flagged and disclosed within a single 20-minute window suggests automated detection pipelines caught the malicious behavior almost immediately after publication. No package in this set had accumulated more than a few hundred total downloads, limiting the blast radius — though the impersonation of Ethereum tooling is particularly concerning given the value of wallet credentials and private keys that developers in that ecosystem routinely handle.

What Developers Should Do

If you installed any npm package on June 19, 2026, audit your package-lock.json or yarn.lock for the following names:

  • ts-ecro-helper, new-ecro, ts-ecro, ts-big-ecro, ts-esys
  • eth-util, ethereum-gas-reporter, assert-kit
  • mongoose-jsonify, pretty-logger-js

If any of these appear in your dependency tree, assume the host is compromised. Rotate all environment variables, API keys, and npm tokens from a separate, clean machine. For Ethereum developers specifically, treat any private key or mnemonic that was accessible on an affected machine as exposed, and move funds immediately.

Broader Context

This burst fits a well-established pattern of disposable-name campaigns on npm, where attackers register packages with names that resemble legitimate libraries — either through typosquatting or through plausible-sounding fabricated names — and rely on developers' muscle memory during npm install to gain a foothold. The three-cluster structure seen here, spanning Ethereum, MongoDB, and generic TypeScript tooling, suggests an attacker casting a wide net across different developer communities in a single automated push. The 20-minute disclosure window also demonstrates that npm's malware detection infrastructure can now identify and remove entire coordinated batches at speed, though the arms race between publishers and defenders continues to accelerate.

Synthesized by Vypr AI