Malicious Package Affecting graphbase-js package, versions *

Q: How to fix?

Avoid using all malicious instances of the graphbase-js package.

Threat Intelligence

Attacked

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-GRAPHBASEJS-16321534
published29 Apr 2026
disclosed28 Apr 2026
creditReversingLabs

Report a new vulnerability Found a mistake?

Introduced: 28 Apr 2026

New Malicious CWE-506 (opens in a new tab)

How to fix?

Avoid using all malicious instances of the graphbase-js package.

Overview

graphbase-js is a malicious package. This package contains malicious code, and its content was not yet removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship.

Malware Behavior

This package is linked to Contagious Interview campaign and the fraudulent IT Worker scam according to ReversingLabs. The attack uses a multi-layered approach, where the first layer packages don’t contain the malicious code, but import the second layer packages that contain the malicious functionality. The latter packages are disposable and easily replaced once detected or removed from npm.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None