Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
Avoid using all malicious instances of the @cloudplatform-single-spa/evocs package.
@cloudplatform-single-spa/evocs is a malicious package.
This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship.
The package belongs to a highly targeted dependency confusion campaign. It utilizes npm postinstall hooks to trigger a multi-stage attack, incorporating an execution delay to evade sandboxes, downloading a secondary script, and exfiltrating full environment variables containing sensitive development secrets to an external command-and-control server.
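To check whether a project is exposed to the behaviour described above, the following added example (not Snyk's or npm's own code) audits a parsed `package-lock.json` for the package named in this advisory, for any dependency that declares install-time scripts, and for internal scopes resolved from the public registry. The `internalScopes` parameter, the sample lockfile, its placeholder version and the choice to treat `@cloudplatform-single-spa` as an internal scope are assumptions made for illustration.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3) for the
// package named in this advisory and for dependency confusion signals.
const BLOCKLIST = new Set(['@cloudplatform-single-spa/evocs']);
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Derive the package name from a lockfile "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// internalScopes: scopes that should only ever resolve from a private registry
// (assumption: the caller supplies its own organisation's scopes).
function auditLockfile(lock, internalScopes = []) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const name = entry.name || nameFromPath(path);
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (BLOCKLIST.has(name)) findings.push({ name, path, issue: 'known-malicious' });
    if (entry.hasInstallScript) findings.push({ name, path, issue: 'install-script' });
    if (scope && internalScopes.includes(scope) &&
        typeof entry.resolved === 'string' &&
        entry.resolved.startsWith(PUBLIC_REGISTRY)) {
      findings.push({ name, path, issue: 'internal-scope-from-public-registry' });
    }
  }
  return findings;
}

// Constructed sample lockfile; the version strings are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@cloudplatform-single-spa/evocs': {
      version: '0.0.0-placeholder',
      resolved: 'https://registry.npmjs.org/@cloudplatform-single-spa/evocs/-/evocs-0.0.0-placeholder.tgz',
      hasInstallScript: true,
    },
    'node_modules/example-lib': {
      version: '1.0.0', resolved: 'https://registry.npmjs.org/example-lib/-/example-lib-1.0.0.tgz',
    },
  },
};

console.log(auditLockfile(sampleLock, ['@cloudplatform-single-spa']));
```

Installing with `npm ci --ignore-scripts` keeps lifecycle hooks such as `postinstall` from running while the findings are reviewed.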