npm
Malicious @mesadev/saguaro @0.4.22
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-3599
Ecosystem
npm
Summary
This package was compromised as part of the "Mini Shai-Hulud is back" worm by the TeamPCP threat actor. The package will steal credentials and then propogate it to every package it has access to. The package also attempts to remain persistent.
Source: google-open-source-security (5e1924464368f0c5816ee84e000cc47017f44045140feafbbc9e685d847ed5a5)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.