Ecosystem	Package	Version

Vulnerabilities

sonatype-2026-000061

sonatype-2026-000061

Malicious Packages - Thu Jan 08 2026 [Credential Info Stealer/ Env Variables SSH Crypto] [Loader]

Published Jan 8, 2026

https://help.sonatype.com/en/sonatype-malware-data.html https://osv-vulnerabilities.storage.googleapis.com/npm/MAL-2026-405.json https://osv-vulnerabilities.storage.googleapis.com/npm/MAL-2026-410.json https://osv-vulnerabilities.storage.googleapis.com/npm/MAL-2026-412.json https://osv-vulnerabilities.storage.googleapis.com/npm/MAL-2026-416.json https://osv-vulnerabilities.storage.googleapis.com/npm/MAL-2026-432.json https://osv-vulnerabilities.storage.googleapis.com/npm/MAL-2026-433.json

CVSS ScoreHigh

7.1

Ecosystem	Package	Version


npm	analytics-browser	1.0.1
npm	anchor-solana	1.0.0
npm	anthropic-sdk	0.0.1-security
npm	anthropic-sdk	1.0.1
npm	auth-types	1.0.1
npm	babel-js	1.0.1
npm	better-sqlite3.js	1.0.1
npm	bluebird.js	1.0.1
npm	body-parser-js	1.0.1
npm	clerk-js	0.0.1-security
npm	clerk-js	1.0.1
npm	client-lambda	1.0.1
npm	client-s3	1.0.1
npm	client-s3	1.0.2
npm	connect-web	0.0.1-security
npm	connect-web	1.0.1
npm	connect-web	2.0.3-beta.0
npm	cookie-parser.js	1.0.1
npm	experimental-utils	1.0.1
npm	firestore-types	1.0.1
npm	framer-motion-js	1.0.1
npm	gradle-plugin	1.0.1
npm	gulp.js	1.0.1
npm	huggingface-js	1.0.1
npm	hw-app-eth	0.0.1-security
npm	hw-app-eth	1.0.1
npm	immer-js	1.0.1
npm	inquirer-js	1.0.1
npm	ioredis.js	1.0.1
npm	jsdom-js	1.0.1
npm	knex.js	1.0.1
npm	llamaindex-js	1.0.1
npm	luxon-js	1.0.1
npm	milvus-js	1.0.1
npm	morgan.js	1.0.1
npm	mysql2.js	1.0.1
npm	nanoid-js	1.0.1
npm	openzeppelin-sdk	1.0.0
npm	pako-js	1.0.1
npm	pinecone-js	1.0.1
npm	plugin-react-swc	1.0.1
npm	plugin-vue	1.0.1
npm	pump.js	1.0.1
npm	qdrant-js	1.0.1
npm	react-hook-form-js	1.0.1
npm	react-query-js	1.0.0
npm	replicate-js	1.0.1
npm	rxjs-js	1.0.1
npm	sign-client	1.0.1
npm	storage-types	1.0.1

sonatype-2026-000061 | Components Impacted | Sonatype Guide | Sonatype Guide