Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsAvoid using all malicious instances of the @tinyfox/shapecheck package.
@tinyfox/shapecheck is a malicious package.
This package contains malicious code and is part of a coordinated npm supply-chain campaign. It ships an obfuscated postinstall payload that downloads and executes a Rust-compiled infostealer binary.
Impact
The infostealer targets crypto wallets, browser credentials, cloud tokens, SSH keys, and developer credentials (npm, .env, GitHub/PyPI tokens). It installs persistence via a disguised systemd service and exfiltrates data over Telegram or HTTP. Some versions trigger at runtime, allowing the payload to survive --ignore-scripts.
Note
This package is part of a larger campaign, involving many packages published from disposable @wshu.net accounts.
This actor has also been linked to attempts to compromise AI-powered workflows.
Malicious versions were hidden behind scrubbed latest tags, so treat all versions as untrusted.