Malicious Postinstall Hook Found in 700 GitHub Repos, Including Node Projects
882542F3884314B
11 points
4 comments
May 23, 2026
Related Discussions
- GitHub confirms breach of 3,800 repos via malicious VSCode extension Timofeibu · 702 pts · May 20, 2026 · 59% similar
- Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised theanonymousone · 369 pts · May 19, 2026 · 55% similar
- Supply-chain attack using invisible code hits GitHub and other repositories tannhaeuser · 14 pts · March 15, 2026 · 55% similar
- New Attack "Megaladon" Compromises 5.5K+ GitHub Repos theanonymousone · 46 pts · May 23, 2026 · 54% similar
- Someone bought 30 WordPress plugins and planted a backdoor in all of them speckx · 836 pts · April 13, 2026 · 54% similar
Discussion Highlights (4 comments)
gnabgib
All Composer packages (but the malicious part is in the node dependency). Effected*
> Use effect as a noun to refer to a change resulting from something.
tedchs
How many more examples of malware postinstall scripts do we need before Node quits running them by default, without warning?
nullsex
Title is somewhat misleading. "Node projects" means projects using nodejs, as opposed to projects under the Node.js org.
kspetkov79
Postinstall hooks are a footgun. The bad part here is that people reviewing a PHP package may not even look closely at package.json.