Malicious Package Affecting ansi-universal-ui package, versions *

Q: How to fix?

Avoid using all malicious instances of the ansi-universal-ui package.

Threat Intelligence

Trending on 𝕏

Attacked

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-ANSIUNIVERSALUI-15130591
published28 Jan 2026
disclosed23 Jan 2026
creditCharlie Eriksen

Report a new vulnerability Found a mistake?

Introduced: 23 Jan 2026

Malicious CWE-506 (opens in a new tab)

How to fix?

Avoid using all malicious instances of the ansi-universal-ui package.

Overview

ansi-universal-ui is a malicious package. This package contains malicious code, and it has been removed from the official package manager.

The package sets up a standalone Python runtime and downloads an obfuscated payload from an Appwrite storage bucket that, upon execution, performs an extensive search for sensitive user data, including browser and cloud credentials, cryptocurrency wallets, and messaging platform tokens.

Mitigations:

Remove the package from your project and delete node_modules.
Check for the .gwagon_status file in your home directory (if it exists, you were likely infected);
Rotate all browser-saved passwords;
Rotate AWS/Azure/GCP credentials if you use those CLIs;
Regenerate SSH keys;
Invalidate Discord and Telegram sessions.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None