Ecosystem	Package	Version

Vulnerabilities

sonatype-2026-000408

sonatype-2026-000408

Malicious Packages - Thu Feb 12 2026 [Lazarus] [Dropper]

Published Feb 12, 2026

https://help.sonatype.com/en/sonatype-malware-data.html

CVSS ScoreHigh

8.7

Ecosystem	Package	Version


npm	chai-as-prompt	1.2.7
npm	chai-as-prop	1.1.7
npm	chai-as-prop	5.1.7
npm	chai-as-sync	1.1.7
npm	chai-async	1.1.7
npm	chai-auth	5.1.0
npm	chai-await	2.4.5
npm	chai-await-cli	2.3.5
npm	chai-bin	1.1.7
npm	chai-cli	2.4.5
npm	chai-cli-async	3.3.5
npm	chai-cli-await	2.4.5
npm	chai-cli-sinon	2.4.5
npm	chai-conf	1.1.7
npm	chai-dev	1.1.9
npm	chai-grab	1.1.7
npm	chai-iotype	1.1.7
npm	chai-mui	1.1.9
npm	chai-nerd	1.1.7
npm	chai-pack	1.1.7
npm	chai-pack	1.1.9
npm	chai-pack	5.1.0
npm	chai-patch	1.1.7
npm	chai-patch	1.1.9
npm	chai-promised-plugin	2.3.5
npm	chai-prop	1.1.7
npm	chai-proto	1.1.7
npm	chai-reg	1.1.9
npm	chai-set	1.1.9
npm	chai-sub	1.1.7
npm	chai-sync	1.1.9
npm	chai-type	5.1.0
npm	chai-types	1.1.7
npm	chai-vest	1.1.9
npm	chain-cli-promised	2.3.5
npm	chain-promised	2.3.5
npm	chain-promised-async	3.5.5
npm	chain-promised-await	3.5.5
npm	chain-promised-cli	3.3.5
npm	chain-test-await	2.5.5
npm	dotenv-cli-node	2.4.5
npm	dotenv-int	3.5.5
npm	dotenv-node-cli	3.3.5
npm	dotenv-node-promised	2.3.5
npm	dotenv-plugin	2.3.5
npm	dotenv-promised	2.3.5
npm	dotenv-xtend	2.5.5
npm	dotenvx-int	3.5.5
npm	dotenvx-node-cli	2.4.5
npm	env-extend	2.5.5

sonatype-2026-000408 | Components Impacted | Sonatype Guide | Sonatype Guide