Malicious Package Affecting typescript-nhost package, versions *

Q: How to fix?

Avoid using all malicious instances of the typescript-nhost package.

Threat Intelligence

Attacked

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-TYPESCRIPTNHOST-15477135
published12 Mar 2026
disclosed12 Mar 2026
creditKiran Raj, Rachana Misal

Report a new vulnerability Found a mistake?

Introduced: 12 Mar 2026

New Malicious CWE-506 (opens in a new tab)

How to fix?

Avoid using all malicious instances of the typescript-nhost package.

Overview

typescript-nhost is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it.

Malicious Behavior

The package uses Remote Dynamic Dependencies (RDD) to avoid detection. Instead of embedding malicious code directly into the npm registry, its package.json lists an external URL as a dependency. During a regular npm install, npm quietly downloads and runs a secondary payload from an attacker-controlled server. After execution, the malware collects and sends sensitive data, including developer email addresses from .gitconfig and .npmrc files, system fingerprints, and CI/CD tokens.

References

Research Blog

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None