
Vulnerabilities from the last week
Malicious Package
void-ulid is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship.
Embedded Malicious Code
Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Shai-Hulud / Miasma software supply chain campaign, a large-scale operation that has affected numerous packages across open source ecosystems. The malicious releases were published through a compromised maintainer account of a legitimate project as part of a broader credential theft campaign. The malicious functionality was not part of the original software and does not reflect the intent of the project's maintainers.
The malicious release abuses Python startup hooks (.pth files) to execute code automatically whenever the interpreter starts, download additional payloads, and attempt to collect developer, cloud, CI/CD, and other sensitive credentials from affected systems. The main malicious payload is contained in _index.js, which runs on the JavaScript Bun runtime. The campaign targets a wide range of secrets, including source-control tokens, package publishing credentials, cloud access keys, SSH keys, and local configuration files.
Note: Malicious versions may still be available on PyPI at the time of analysis; users should verify installed versions, remove affected releases where possible, and rotate any potentially exposed credentials.
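A practical way to act on the note above is to look for the persistence mechanism itself rather than for a package name: CPython's site.py passes every line of a .pth file that begins with "import " (or "import" followed by a tab) to exec() at interpreter startup, and a dropper that wants to run on every Python start needs such a line. The scanner below is an added example, not code from Snyk or from the compromised project; its indicator list and the two sample .pth files it builds in a temporary directory are constructed for illustration, and legitimate hooks (setuptools' distutils-precedence.pth, for instance) also use import lines, so every hit still needs a human look.

```python
"""Find .pth startup hooks in the current interpreter's site-packages.

Added example, not code from Snyk or from the compromised project. It relies on
one documented fact about CPython's site.py: any line of a .pth file that
starts with "import " or "import\t" is passed to exec() every time the
interpreter starts; every other non-comment line is just a sys.path entry.
"""
import re
import site
import tempfile
from pathlib import Path

# Constructed indicator list (an assumption, not a signature set from Snyk):
# strings a one-line dropper usually needs. Benign hooks also use "import"
# lines, so a match is a lead, not a verdict.
SUSPICIOUS = re.compile(
    r"exec\(|eval\(|compile\(|subprocess|os\.system|os\.popen|base64|"
    r"urllib|requests|socket|\\x[0-9a-fA-F]{2}|_index\.js|\bbun\b",
    re.IGNORECASE,
)


def pth_exec_lines(pth_path):
    """Return the lines of a .pth file that site.py would exec() at startup."""
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    return [ln.rstrip() for ln in text.splitlines()
            if ln.startswith(("import ", "import\t"))]


def scan_site_dir(directory):
    """Return (file name, exec line, suspicious?) for every .pth in directory."""
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        for line in pth_exec_lines(pth):
            findings.append((pth.name, line, bool(SUSPICIOUS.search(line))))
    return findings


def scan_interpreter():
    """Scan every site-packages directory this interpreter consults."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return [f for d in dirs if Path(d).is_dir() for f in scan_site_dir(d)]


def demo_scan():
    """Run the scanner over two constructed .pth files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed benign hook, modelled on the kind setuptools installs.
        Path(tmp, "aaa-benign.pth").write_text(
            "/opt/vendor/lib\nimport _distutils_hack; _distutils_hack.add_shim()\n")
        # Constructed dropper-style hook (assumption: illustrative shape only,
        # not the campaign's real payload): launches a second-stage script.
        Path(tmp, "zzz-dropper.pth").write_text(
            "# harmless looking comment\n"
            "import base64,subprocess;subprocess.Popen(['bun','_index.js'])\n")
        return scan_site_dir(tmp)


if __name__ == "__main__":
    for name, line, bad in scan_interpreter():
        print(("SUSPICIOUS  " if bad else "import-hook ") + name + ": " + line)
    print("demo:", demo_scan())
```

Run it under every interpreter on the host (system Python, pyenv shims, virtualenvs, CI images), since each has its own site-packages; a hook planted in one will not show up from another.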
Incorrect Check of Function Return Value
Affected versions of this package are vulnerable to Incorrect Check of Function Return Value in the "second factor" flow: FinishAssertionSteps fails to cross-check the user handle of the verified credential against the requested username when no userHandle is found for that username during the initial lookup, so the ownership check is silently skipped instead of failing closed. An attacker can exploit this flaw to impersonate another user and gain unauthorized access.
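The flaw is easiest to see as a relying-party check that is conditional on a lookup result rather than on the credential. The toy below is an added example, not the affected library's code: the registry, the user handles, the credential IDs and the `assertion_from` helper are all constructed, and `verify_signature` is a stub standing in for real COSE signature verification over authenticatorData and the client data hash. Apart from that, it follows the relying-party assertion steps of the WebAuthn spec: look the credential up, verify it, then confirm it belongs to the user who claims to be logging in. The vulnerable variant mirrors the advisory's flow; the fixed variant refuses to issue a session when the cross-check cannot be performed.

```python
"""Toy relying-party side of a WebAuthn second-factor assertion.

Added example, not the affected library's code. Signature verification is
stubbed (assumption); the registry below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    credential_id: bytes
    user_handle: bytes      # the user.id the RP assigned at registration
    owner: str              # username the credential was registered under


# Constructed registry. "carol" is an account with no stored user handle
# (a legacy row, say), which is exactly the lookup-miss case in the advisory.
USER_HANDLES = {"alice": b"uh-alice", "bob": b"uh-bob", "carol": None}
CREDENTIALS = {
    b"cred-alice": Credential(b"cred-alice", b"uh-alice", "alice"),
    b"cred-bob": Credential(b"cred-bob", b"uh-bob", "bob"),
}


def assertion_from(credential_id):
    """Constructed assertion response as the given credential's authenticator would sign it."""
    return {"credential_id": credential_id, "challenge": b"rp-challenge",
            "signature": b"sig-by-" + credential_id}


def verify_signature(cred, response):
    # Stub for COSE verification. The attacker owns cred-bob, so an assertion
    # from that authenticator is genuinely valid: the signature is not the bug.
    return response["signature"] == b"sig-by-" + cred.credential_id


def finish_assertion_vulnerable(username, response):
    """Mirrors the flawed flow: the ownership check only runs when a handle was found."""
    cred = CREDENTIALS.get(response["credential_id"])
    if cred is None or not verify_signature(cred, response):
        return None
    expected_handle = USER_HANDLES.get(username)
    if expected_handle is not None and cred.user_handle != expected_handle:
        return None
    # Lookup miss falls through: any valid credential logs in as `username`.
    return username


def finish_assertion_fixed(username, response):
    """Fail closed: if no handle is known the cross-check cannot be done, so reject."""
    cred = CREDENTIALS.get(response["credential_id"])
    if cred is None or not verify_signature(cred, response):
        return None
    expected_handle = USER_HANDLES.get(username)
    if expected_handle is None or cred.user_handle != expected_handle:
        return None
    # The session is issued for the credential's owner, which the check above
    # has tied to the requested username (WebAuthn: the identified user must
    # be the owner of the credential).
    return cred.owner


if __name__ == "__main__":
    attack = assertion_from(b"cred-bob")          # bob's own, validly signed
    print("vulnerable, username=carol:", finish_assertion_vulnerable("carol", attack))
    print("fixed,      username=carol:", finish_assertion_fixed("carol", attack))
```

The deciding difference is one condition: `expected_handle is not None and ...` turns a missing lookup result into a pass, whereas `expected_handle is None or ...` turns it into a rejection. In real code the same principle applies to every return value a verification step depends on: a lookup that returns nothing must abort the ceremony, never skip the step that needed it.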
Recent vulnerabilities disclosed by Snyk
- High: Command Injection in degit (npm)
- Critical: Malicious Package in moustick (npm)
- Critical: Malicious Package in cookie-parser-legacy (npm)
- Medium: Arbitrary File Write via Archive Extraction (Zip Slip) in decompress (npm)
- High: CSV Injection in json-2-csv (npm)
Snyk security researchers have disclosed 3497 vulnerabilities.
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.




