Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
Avoid using all malicious instances of the app-config-utility package.
app-config-utility is a malicious package. This package contains malicious code, and its content has been removed from the official package manager. While this package typosquats well-known libraries to impersonate valid open-source ecosystems, there is no connection between those legitimate projects and this package's authorship. This package is part of a broader supply chain attack published under the threat actor alias "vpmdhaj". Upon installation, it automatically executes a script via npm lifecycle hooks to harvest sensitive cloud and CI/CD credentials, including AWS tokens, HashiCorp Vault secrets, and npm publish keys, from the host environment.
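
One way to check whether a project's lockfile resolves the package named above, directly or transitively, as an added example that is not Snyk's or npm's own code. The sample lockfile, the `demo-app` and `build-helper` names and all version strings are constructed; `hasInstallScript` is the npm lockfile flag marking a package that declares a preinstall, install or postinstall script.

```javascript
// Package name taken from the advisory.
const MALICIOUS = new Set(['app-config-utility']);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? path : path.slice(i + 'node_modules/'.length);
}

// Walk a parsed package-lock.json; return one finding per install path.
function auditLockfile(lock) {
  const findings = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    // "name" is set when the folder name differs (npm alias installs).
    const name = meta.name || nameFromPath(path);
    if (MALICIOUS.has(name)) {
      findings.push({ name, version: meta.version, path,
                      installScript: Boolean(meta.hasInstallScript) });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (no install-script flag).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (MALICIOUS.has(name) && !findings.some((f) => f.path === path)) {
        findings.push({ name, version: meta.version, path, installScript: null });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return findings;
}

// Constructed sample lockfile: names other than the advisory's package and
// all version strings are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/build-helper': { version: '1.0.0' },
    'node_modules/build-helper/node_modules/app-config-utility':
      { version: '0.0.0-placeholder', hasInstallScript: true },
  },
};

console.log(auditLockfile(sampleLock));
```

To audit a real project, pass the result of `JSON.parse` on its `package-lock.json` contents. Installing with `npm ci --ignore-scripts` keeps lifecycle hooks from running while any findings are reviewed.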