<\/a><\/p>\nThe most dangerous phase of the attack is the autonomous spreading routine. The malware scans\u00a0.npmrc<\/code>\u00a0files across the project directory, the user\u2019s home folder, and system-wide configuration paths, searching for\u00a0_authToken<\/code>\u00a0values. <\/p>\nIt also reads the\u00a0NPM_TOKEN<\/code>\u00a0and\u00a0NPM_TOKENS<\/code>\u00a0environment variables. With those stolen credentials, a built-in\u00a0deploy.js<\/code>\u00a0script queries the npm registry, locates every package the victim maintains, increments each one\u2019s patch version number, and publishes the tainted update automatically.<\/p>\nKnown Compromised Packages:-<\/p>\n\n\n\n\nPackage Name<\/th>\n Compromised Version(s)<\/th>\n JFrog X-ray ID<\/th>\n<\/tr>\n<\/thead>\n \n\n@pypestream\/floating-ui-dom<\/code><\/td>\n2.15.1<\/td>\n XRAY-955001<\/td>\n<\/tr>\n \n@leafnoise\/mirage<\/code><\/td>\n2.0.3<\/td>\n XRAY-954938<\/td>\n<\/tr>\n \n@opengov\/ppf-backend-types<\/code><\/td>\n1.141.2<\/td>\n XRAY-954962<\/td>\n<\/tr>\n \neslint-config-ppf<\/code><\/td>\n0.128.2<\/td>\n XRAY-954936<\/td>\n<\/tr>\n \nreact-leaflet-marker-layer<\/code><\/td>\n0.1.5<\/td>\n XRAY-954942<\/td>\n<\/tr>\n \nreact-leaflet-cluster-layer<\/code><\/td>\n0.0.4<\/td>\n XRAY-954943<\/td>\n<\/tr>\n \nreact-autolink-text<\/code><\/td>\n2.0.1<\/td>\n XRAY-954959<\/td>\n<\/tr>\n \nopengov-k6-core<\/code><\/td>\n1.0.2<\/td>\n XRAY-954926<\/td>\n<\/tr>\n \njest-preset-ppf<\/code><\/td>\n0.0.2<\/td>\n XRAY-954956<\/td>\n<\/tr>\n \ncit-playwright-tests<\/code><\/td>\n1.0.1<\/td>\n XRAY-954934<\/td>\n<\/tr>\n \neslint-config-service-users<\/code><\/td>\n0.0.3<\/td>\n XRAY-954950<\/td>\n<\/tr>\n \nbabel-plugin-react-pure-component<\/code><\/td>\n0.1.6<\/td>\n XRAY-954955<\/td>\n<\/tr>\n \n@opengov\/form-renderer<\/code><\/td>\n0.2.20<\/td>\n XRAY-955058<\/td>\n<\/tr>\n \n@opengov\/qa-record-types-api<\/code><\/td>\n1.0.3<\/td>\n XRAY-954970<\/td>\n<\/tr>\n \n@opengov\/form-builder<\/code><\/td>\n0.12.3<\/td>\n XRAY-954953<\/td>\n<\/tr>\n \n@opengov\/ppf-eslint-config<\/code><\/td>\n0.1.11<\/td>\n XRAY-954967<\/td>\n<\/tr>\n \n@opengov\/form-utils<\/code><\/td>\n0.7.2<\/td>\n XRAY-954958<\/td>\n<\/tr>\n \nreact-leaflet-heatmap-layer<\/code><\/td>\n2.0.1<\/td>\n XRAY-954931<\/td>\n<\/tr>\n \n@virtahealth\/substrate-root<\/code><\/td>\n1.0.1<\/td>\n XRAY-955055<\/td>\n<\/tr>\n \n@airtm\/uuid-base32<\/code><\/td>\n1.0.2<\/td>\n XRAY-954937<\/td>\n<\/tr>\n \n@emilgroup\/setting-sdk<\/code><\/td>\n0.2.3, 0.2.2, 0.2.1<\/td>\n XRAY-955067<\/td>\n<\/tr>\n \n@emilgroup\/partner-portal-sdk<\/code><\/td>\n1.1.3, 1.1.2, 1.1.1<\/td>\n XRAY-955063<\/td>\n<\/tr>\n \n@emilgroup\/gdv-sdk-node<\/code><\/td>\n2.6.3, 2.6.2, 2.6.1<\/td>\n XRAY-955060<\/td>\n<\/tr>\n \n@emilgroup\/docxtemplater-util<\/code><\/td>\n1.1.4, 1.1.3, 1.1.2<\/td>\n XRAY-955062<\/td>\n<\/tr>\n \n@emilgroup\/accounting-sdk<\/code><\/td>\n1.27.3, 1.27.2, 1.27.1<\/td>\n XRAY-955054<\/td>\n<\/tr>\n \n@emilgroup\/task-sdk<\/code><\/td>\n1.0.4, 1.0.3, 1.0.2<\/td>\n XRAY-955056<\/td>\n<\/tr>\n \n@emilgroup\/setting-sdk-node<\/code><\/td>\n0.2.3, 0.2.2, 0.2.1<\/td>\n XRAY-955064<\/td>\n<\/tr>\n \n@emilgroup\/task-sdk-node<\/code><\/td>\n1.0.4, 1.0.3, 1.0.2<\/td>\n XRAY-954923<\/td>\n<\/tr>\n \n@emilgroup\/partner-sdk<\/code><\/td>\n1.19.3, 1.19.2, 1.19.1<\/td>\n XRAY-955065<\/td>\n<\/tr>\n \n@emilgroup\/numbergenerator-sdk-node<\/code><\/td>\n1.3.3, 1.3.2, 1.3.1<\/td>\n XRAY-955066<\/td>\n<\/tr>\n \n@emilgroup\/customer-sdk<\/code><\/td>\n1.54.5, 1.54.4, 1.54.3, 1.54.2, 1.54.1<\/td>\n XRAY-954924<\/td>\n<\/tr>\n \n@emilgroup\/commission-sdk<\/code><\/td>\n1.0.3, 1.0.2, 1.0.1<\/td>\n XRAY-955068<\/td>\n<\/tr>\n \n@emilgroup\/process-manager-sdk<\/code><\/td>\n1.4.2, 1.4.1<\/td>\n XRAY-955069<\/td>\n<\/tr>\n \n@emilgroup\/changelog-sdk-node<\/code><\/td>\n1.0.3, 1.0.2<\/td>\n XRAY-955061<\/td>\n<\/tr>\n \n@emilgroup\/document-sdk-node<\/code><\/td>\n1.43.6, 1.43.5, 1.43.4, 1.43.3, 1.43.2, 1.43.1<\/td>\n XRAY-954947<\/td>\n<\/tr>\n \n@emilgroup\/commission-sdk-node<\/code><\/td>\n1.0.3, 1.0.2, 1.0.1<\/td>\n XRAY-955053<\/td>\n<\/tr>\n \n@emilgroup\/document-uploader<\/code><\/td>\n0.0.12, 0.0.11, 0.0.10<\/td>\n XRAY-955057<\/td>\n<\/tr>\n \n@emilgroup\/discount-sdk<\/code><\/td>\n1.5.3, 1.5.2, 1.5.1<\/td>\n XRAY-954929<\/td>\n<\/tr>\n \n@emilgroup\/discount-sdk-node<\/code><\/td>\n1.5.2, 1.5.1<\/td>\n XRAY-955059<\/td>\n<\/tr>\n \n@teale.io\/eslint-config<\/code><\/td>\n1.8.16\u20131.8.9 (8 versions)<\/td>\n XRAY-954945<\/td>\n<\/tr>\n \n@emilgroup\/insurance-sdk<\/code><\/td>\n1.97.6\u20131.97.1 (6 versions)<\/td>\n XRAY-954928<\/td>\n<\/tr>\n \n@emilgroup\/account-sdk<\/code><\/td>\n1.41.2, 1.41.1<\/td>\n XRAY-954949<\/td>\n<\/tr>\n \n@emilgroup\/account-sdk-node<\/code><\/td>\n1.40.2, 1.40.1<\/td>\n XRAY-954927<\/td>\n<\/tr>\n \n@emilgroup\/accounting-sdk-node<\/code><\/td>\n1.26.2, 1.26.1<\/td>\n XRAY-954965<\/td>\n<\/tr>\n \n@emilgroup\/api-documentation<\/code><\/td>\n1.19.2, 1.19.1<\/td>\n XRAY-954960<\/td>\n<\/tr>\n \n@emilgroup\/auth-sdk<\/code><\/td>\n1.25.2, 1.25.1<\/td>\n XRAY-954966<\/td>\n<\/tr>\n \n@emilgroup\/auth-sdk-node<\/code><\/td>\n1.21.2, 1.21.1<\/td>\n XRAY-954964<\/td>\n<\/tr>\n \n@emilgroup\/billing-sdk<\/code><\/td>\n1.56.2, 1.56.1<\/td>\n XRAY-954951<\/td>\n<\/tr>\n \n@emilgroup\/billing-sdk-node<\/code><\/td>\n1.57.2, 1.57.1<\/td>\n XRAY-954948<\/td>\n<\/tr>\n \n@emilgroup\/claim-sdk<\/code><\/td>\n1.41.2, 1.41.1<\/td>\n XRAY-954961<\/td>\n<\/tr>\n \n@emilgroup\/claim-sdk-node<\/code><\/td>\n1.39.2, 1.39.1<\/td>\n XRAY-954925<\/td>\n<\/tr>\n \n@emilgroup\/customer-sdk-node<\/code><\/td>\n1.55.2, 1.55.1<\/td>\n XRAY-954944<\/td>\n<\/tr>\n \n@emilgroup\/document-sdk<\/code><\/td>\n1.45.2, 1.45.1<\/td>\n XRAY-954941<\/td>\n<\/tr>\n \n@emilgroup\/gdv-sdk<\/code><\/td>\n2.6.2, 2.6.1<\/td>\n XRAY-954930<\/td>\n<\/tr>\n \n@emilgroup\/insurance-sdk-node<\/code><\/td>\n1.95.2, 1.95.1<\/td>\n XRAY-954933<\/td>\n<\/tr>\n \n@emilgroup\/notification-sdk-node<\/code><\/td>\n1.4.2, 1.4.1<\/td>\n XRAY-954957<\/td>\n<\/tr>\n \n@emilgroup\/partner-portal-sdk-node<\/code><\/td>\n1.1.2, 1.1.1<\/td>\n XRAY-954952<\/td>\n<\/tr>\n \n@emilgroup\/partner-sdk-node<\/code><\/td>\n1.19.2, 1.19.1<\/td>\n XRAY-954935<\/td>\n<\/tr>\n \n@emilgroup\/payment-sdk<\/code><\/td>\n1.15.2, 1.15.1<\/td>\n XRAY-954963<\/td>\n<\/tr>\n \n@emilgroup\/payment-sdk-node<\/code><\/td>\n1.23.2, 1.23.1<\/td>\n XRAY-954969<\/td>\n<\/tr>\n \n@emilgroup\/process-manager-sdk-node<\/code><\/td>\n1.13.2, 1.13.1<\/td>\n XRAY-954939<\/td>\n<\/tr>\n \n@emilgroup\/public-api-sdk<\/code><\/td>\n1.33.2, 1.33.1<\/td>\n XRAY-954940<\/td>\n<\/tr>\n \n@emilgroup\/public-api-sdk-node<\/code><\/td>\n1.35.2, 1.35.1<\/td>\n XRAY-954946<\/td>\n<\/tr>\n \n@emilgroup\/tenant-sdk<\/code><\/td>\n1.34.2, 1.34.1<\/td>\n XRAY-954932<\/td>\n<\/tr>\n \n@emilgroup\/tenant-sdk-node<\/code><\/td>\n1.33.2, 1.33.1<\/td>\n XRAY-954954<\/td>\n<\/tr>\n \n@emilgroup\/translation-sdk-node<\/code><\/td>\n1.1.2, 1.1.1<\/td>\n XRAY-954968<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<\/a><\/p>\nAnyone running any of the identified compromised package versions should treat their environment as already infected. Developers must immediately rotate all npm publishing tokens stored in\u00a0.npmrc<\/code>\u00a0files, environment variables, and CI\/CD pipeline secrets. <\/p>\nOn Linux, the\u00a0pgmon<\/code>\u00a0service must be stopped and disabled using\u00a0systemctl<\/code>, with its associated service files and directories removed entirely. <\/p>\nThe temporary files\u00a0\/tmp\/pglog<\/code>\u00a0and\u00a0\/tmp\/.pg_state<\/code>\u00a0must be deleted. Affected\u00a0node_modules<\/code>\u00a0directories should be purged and rebuilt from scratch using verified, safe package versions. <\/p>\n