
2026-02-05 — Malware in blockchain-helper-lib (GHSA-3rcr-854m-q7w4)

GitHub published an advisory for a malicious package: blockchain-helper-lib.

Summary

This is malware in a software package. Treat it as a host compromise event until proven otherwise.

The key durable guidance:

  • Assume secrets are burned (cloud keys, CI tokens, SSH keys, registry tokens).
  • Rotate from a known-clean system.
  • Preserve evidence (lockfiles, install logs, package artifacts) before wiping.

Immediate actions

  • Identify impacted machines (dev/CI/build). If feasible, isolate them.
  • Remove the package and revert the dependency graph (lockfile rollback).
  • Rotate credentials and invalidate CI caches/artifacts that may contain the malware.
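
One way to carry out the "identify" and "preserve evidence" steps on a checkout or build workspace, as an added example that is not part of the advisory: it finds lockfiles and manifests that name the package, then copies them aside with SHA-256 hashes before any rollback. The list of file names, the helper names and the sample tree are assumptions, since the text here does not name the package ecosystem.

```python
import hashlib, re, shutil, tempfile
from pathlib import Path

PACKAGE = "blockchain-helper-lib"  # package name from the advisory
# Assumption: common lockfile/manifest names; adjust to the ecosystems you build.
LOCKFILES = {"package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml",
             "package.json", "requirements.txt", "poetry.lock", "Pipfile.lock"}
# Exact-name match: skip longer names that merely contain the package name.
NAME_RE = re.compile(r"(?<![A-Za-z0-9._-])" + re.escape(PACKAGE) + r"(?![A-Za-z0-9._-])")

def find_references(root):
    """Return [(path, line_no, line)] for every lockfile line naming PACKAGE."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.name not in LOCKFILES or not path.is_file():
            continue
        text = path.read_text(errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            if NAME_RE.search(line):
                hits.append((path, no, line.strip()))
    return hits

def preserve(hits, root, evidence_dir):
    """Copy each affected file to evidence_dir; return {relative path: sha256}."""
    manifest = {}
    for path in sorted({h[0] for h in hits}):
        rel = path.relative_to(root)
        dest = Path(evidence_dir) / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)  # copy2 keeps timestamps for the timeline
        manifest[str(rel)] = hashlib.sha256(dest.read_bytes()).hexdigest()
    return manifest

def demo():
    """Constructed sample tree: one affected project, one look-alike name."""
    root, evidence = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    for name in ("app", "other"):
        (root / name).mkdir()
    (root / "app" / "package-lock.json").write_text(  # version is a placeholder
        '{"packages": {"node_modules/blockchain-helper-lib": {"version": "0.0.0"}}}\n')
    (root / "other" / "requirements.txt").write_text(
        "blockchain-helper-lib-utils==0.0.0\n")  # must NOT be reported
    hits = find_references(root)
    return hits, preserve(hits, root, evidence)

if __name__ == "__main__":
    hits, manifest = demo()
    for path, no, line in hits:
        print(f"{path}:{no}: {line}")
    print(manifest)
```

Keep the evidence directory outside the tree being scanned, and treat every hit as a lead to review rather than proof of installation.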

Detection / hunt ideas

  • Check for persistence (cron/systemd/launch agents) and suspicious new binaries.
  • Review network telemetry for unexpected outbound traffic during dependency installation.