@ctrl/plex@6.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4377
Ecosystem: npm
Summary
The @ctrl/* npm scope was compromised in the Shai-Hulud supply-chain incident (September 2025). Versions of @ctrl/plex published during and after the compromise window have been observed shipping credential-harvesting payloads that exfiltrate developer secrets (npm tokens, GitHub tokens, cloud credentials, SSH keys) and self-propagate by republishing other packages owned by the same maintainer. @ctrl/plex@6.0.0 falls within the affected version range for this scope. Installing this version is expected to execute attacker-controlled code that harvests installer credentials and attempts further package compromise.
Source: amazon-inspector (20e1aad15739a79a359d88099a004fa395b66df8845c10823824e848f095c568)