Is this package compromised?
Track malicious releases, account takeovers, typosquatting, dependency confusion, and worms.
Active issues (7d)
Incidents (90d)
Less More
Volume by ecosystem (30d)
Reported packages
| Package | Ecosystem | Status | Attack Type | ||
|---|---|---|---|---|---|
| semantic-router | pypi | Compromised | Build pipeline | 1 | 17d ago |
| @cap-js/openapi | npm | Compromised | Worm | 1 | 39d ago |
| @cap-js/postgres | npm | Compromised | Worm | 1 | 54d ago |
| @cap-js/db-service | npm | Compromised | Worm | 1 | 54d ago |
| @cap-js/sqlite | npm | Compromised | Worm | 1 | 54d ago |
| @beproduct/nestjs-auth | npm | Compromised | Script abuse | 1 | 55d ago |
| guardrails-ai | pypi | Compromised | Malicious version | 1 | 55d ago |
| @opensearch-project/opensearch | npm | Compromised | Malicious version | 1 | 55d ago |
| @mistralai/mistralai-azure | npm | Compromised | Worm | 1 | 56d ago |
| @mistralai/mistralai | npm | Compromised | Worm | 1 | 56d ago |
| @mistralai/mistralai-gcp | npm | Compromised | Worm | 1 | 56d ago |
| mistralai | pypi | Compromised | Malicious version | 1 | 56d ago |
| @tanstack/react-router-devtools | npm | Compromised | Malicious version | 1 | 63d ago |
| @tanstack/arktype-adapter | npm | Compromised | Malicious version | 1 | 63d ago |
| @tanstack/router-plugin | npm | Compromised | Malicious version | 1 | 63d ago |
| @tanstack/react-router-ssr-query | npm | Compromised | Malicious version | 1 | 63d ago |
| @tanstack/eslint-plugin-router | npm | Compromised | Malicious version | 1 | 63d ago |
| @tanstack/react-start-rsc | npm | Compromised | Malicious version | 1 | 63d ago |
| @tanstack/router-ssr-query-core | npm | Compromised | Malicious version | 1 | 63d ago |
| @tanstack/eslint-plugin-start | npm | Compromised | Malicious version | 1 | 63d ago |
Live feed
Q2 2026 Open Source Malware Index
Research 4d ago
Miasma Returns: Leo Platform Compromise in npm
Incident 18d ago
When a vendor's breach becomes yours: lessons from the Klue incident
Incident 21d ago
easy-day-js Targets Mastra, Dependency Attacks Grow
Incident 26d ago
Atomic Arch npm Campaign Adds Malicious Dependency
Incident 32d ago
New Shai-Hulud Miasma Wave Hits Hundreds of npm Packages
Incident 39d ago
Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in binding.gyp
Incident 40d ago
Lazarus Group's Latest: Brandjacking Campaign on npm
Incident 40d ago
Protestware by open source maintainer to hinder agentic coding: The jqwik 1.10.0 Prompt Injection
Incident 42d ago
Red Hat Cloud Services npm Packages Hijacked
Incident 42d ago
Miasma supply chain attack: malicious code found in @redhat-cloud-services npm packages
Incident 43d ago
Laravel Lang Supply Chain Advisory
Advisory 51d ago
Hijacked npm Package Attempts to Deliver PolinRider-Linked RAT
Incident 53d ago
The AntV Supply Chain Campaign Expands: Microsoft's `durabletask` PyPI Package Compromised
Incident 55d ago
Shai-Hulud is Back: Maintainer Accounts Are Still the Soft Target
Research 55d ago
Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account
Incident 56d ago
Malicious node-ipc versions published to npm in suspected maintainer account compromise
Incident 60d ago
How to Build a Software Supply Chain Security Playbook
Policy 61d ago