2026-02-05 — Malware in cdnjs-libs (GHSA-p6pv-q7rc-g4h9)
GitHub published an advisory for a malicious package: cdnjs-libs.
Summary
This is malware in a software package. The most durable guidance is operational:
- Treat any host that installed/ran it as potentially fully compromised.
- Rotate exposed secrets/keys from a different, known-clean machine.
- Prefer reimage over “cleanup” if the package executed with meaningful privileges.
Immediate actions
- Find installs in:
  - developer workstations
  - CI runners / build hosts
  - container images
- Remove the dependency and revert lockfiles to known-good versions.
- Rotate:
  - CI tokens and deploy keys
  - registry tokens (.npmrc)
  - cloud credentials present on the host
Detection / hunt ideas
- Look for install-time execution (e.g., npm postinstall) plus unexpected outbound network activity.
- Review CI logs around install steps; search for unusual domains/IPs contacted during dependency install.
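One way to carry out the first two hunt steps (find installs of the named package, and surface every install-time lifecycle hook that npm would run automatically) is to walk a checkout or node_modules tree and read each package.json. This is an added example, not code from the advisory; the sample tree it builds, including the postinstall command attributed to cdnjs-libs, is constructed for the demo and says nothing about the real package contents.

```python
"""Hunt a directory tree for a named npm package and for install-time lifecycle hooks."""
import json
import os
import tempfile
from typing import Dict, Iterable, List

# npm runs these scripts unattended during `npm install`; they are where
# install-time execution in a malicious package normally lives.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def scan_tree(root: str, watch: Iterable[str] = ("cdnjs-libs",)) -> List[Dict[str, str]]:
    """Return one finding per watched package name or install hook found under root."""
    findings: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            # An unreadable manifest is itself worth a look, so report rather than skip.
            findings.append({"path": path, "package": "?", "reason": "unparseable package.json"})
            continue
        name = meta.get("name", "?")
        if name in watch:
            findings.append({"path": path, "package": name, "reason": "named in advisory"})
        for hook, cmd in meta.get("scripts", {}).items():
            if hook in INSTALL_HOOKS:
                findings.append({"path": path, "package": name, "reason": f"{hook}: {cmd}"})
    return findings


def _demo_tree() -> str:
    """Build a constructed node_modules tree (hypothetical contents) for the demo."""
    root = tempfile.mkdtemp()
    pkgs = {
        "left-pad": {"name": "left-pad", "version": "1.0.0"},  # no hooks: not reported
        "cdnjs-libs": {"name": "cdnjs-libs", "version": "0.0.1",
                       "scripts": {"postinstall": "node setup.js"}},  # constructed hook
        "native-addon-example": {"name": "native-addon-example", "version": "2.1.0",
                                 "scripts": {"postinstall": "node install.js"}},  # benign-looking hook
    }
    for pkg, meta in pkgs.items():
        pkg_dir = os.path.join(root, "node_modules", pkg)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return root


if __name__ == "__main__":
    for f in scan_tree(_demo_tree()):
        print(f"{f['package']:22} {f['reason']}  ({f['path']})")
```

Every hook the scan lists still needs a human decision, since legitimate native addons also use postinstall; setting `ignore-scripts=true` in the CI runner's .npmrc stops any of them running before that review happens.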