Supply chain · npm · Critical

Critical: Malicious 'velocityfix' npm package compromises systems

Threat Engine Auto-Feed · data current as of 2026-06-29

A malicious npm package, 'velocityfix', has been identified as compromising systems upon installation. Any machine that has installed this package should be considered fully compromised, necessitating immediate secret rotation and thorough remediation.

  • Package: npm / velocityfix
  • Affected versions: >= 0
  • Severity: critical
  • Reach: ~1,118/wk
  • Exposure: 80/100 (Critical)

What happened — Credential / secret theft

The npm package 'velocityfix' contains malware that, upon installation, leads to the full compromise of the host computer. The advisory indicates that an outside entity may gain full control over the compromised system.

How the attack works

This is a malicious package attack where a seemingly legitimate or benign software component introduces harmful code into a development or production environment. When the package is installed, its malicious payload executes, establishing unauthorized access or control over the system.

Who's exposed

Profiles most at risk

  • Development teams using npm
  • Organizations with CI/CD pipelines that pull npm packages
  • Any user or system that has directly or indirectly installed 'velocityfix'

Conditions that increase exposure

  • Unpinned dependencies that allow fetching the latest malicious version
  • Lack of package lockfiles (e.g., package-lock.json) to ensure consistent dependency versions
  • Use of internal package mirrors that may not filter malicious packages
  • Automated build processes that install dependencies without prior vetting

Blast-radius scenarios

  • An attacker gains full control over the compromised system, potentially leading to data exfiltration, further network penetration, or resource abuse.
  • All secrets and keys stored on the compromised computer are exposed and can be stolen, leading to broader security breaches across connected systems or services.

What to do (defensive)

Detect

  • Audit package.json and package-lock.json files for the presence of 'velocityfix'.
  • Scan build logs and dependency trees for 'velocityfix' installations.
  • Monitor network traffic for unusual outbound connections from systems that installed npm packages.

Contain

  • Immediately isolate any system identified with 'velocityfix' installed from the network.
  • Block 'velocityfix' from being downloaded or installed in your environment via package managers or proxies.
  • Review access logs for systems that may have been compromised to identify potential lateral movement.

Remediate

  • Consider any computer that installed 'velocityfix' to be fully compromised and rebuild it from a trusted image.
  • Rotate all secrets, API keys, and credentials stored on or accessible from the compromised computer, using a different, trusted machine.
  • Remove the 'velocityfix' package from all environments, but acknowledge that removal alone may not eliminate all malicious software.

Frontier verdict — Critical

Prioritize immediate investigation and remediation for any system that installed 'velocityfix' due to critical compromise risk and credential theft.

Sources

For detection-engineering and awareness only · point-in-time · not security advice · sourced from the GitHub Advisory Database.