Malicious Postinstall Hook Found in 700 GitHub Repos, Including Node Projects
882542F3884314B
11 points
4 comments
May 23, 2026
Related Discussions
Found 5 related stories in 797.6ms across 14,015 title embeddings via pgvector HNSW
- I found 10k GitHub repositories distributing Trojan malware theorchid · 735 pts · June 18, 2026 · 62% similar
- GitHub confirms breach of 3,800 repos via malicious VSCode extension Timofeibu · 702 pts · May 20, 2026 · 59% similar
- GitHub nukes 70 Microsoft repos, breaks pipelines, suspected worm infections beardyw · 11 pts · June 08, 2026 · 58% similar
- Malicious npm packages detected across Red Hat Cloud Services kurmiashish · 740 pts · June 01, 2026 · 56% similar
- Supply chain attack alert: .github/setup.js antihero · 20 pts · June 05, 2026 · 55% similar
Discussion Highlights (4 comments)
gnabgib
All Composer packages (but the malicious part is in the node dependency) Effected* > Use effect as a noun to refer to a change resulting from something.
tedchs
How many more examples of malware postinstall scripts do we need before Node quits running them by default, without warning?
nullsex
Title is somewhat misleading. "Node projects" mean projects using nodejs as opposed to projects under the Node.js org.
kspetkov79
Postinstall hooks are a footgun. The bad part here is that people reviewing a PHP package may not even look closely at package.json.