JustAppSec

GitHub flags ambar-src on npm as malware with no patched versions

What happened

GitHub's Advisory Database published GHSA-qjgj-mrv7-24f7, classifying the npm package ambar-src as malware and noting there are no patched versions available.

Who is impacted

Anyone who installed or executed ambar-src from the npm registry is potentially impacted. Because the advisory marks every version (>= 0) as affected and lists no patched release, there is no safe version to pin to; the advisory states that any system with the package installed or running should be considered fully compromised.

Key details

  • Ecosystem: npm
  • Package: ambar-src
  • Advisory: GHSA-qjgj-mrv7-24f7
  • Affected versions: >= 0 (effectively all versions)
  • Patched versions: None
  • CWE: CWE-506 (Embedded Malicious Code)

What to do now

  • Remove the package from builds, lockfiles, and internal mirrors.
  • Treat affected machines as compromised: rotate credentials/secrets from a different (clean) machine.
  • Invalidate and re-issue any CI/CD, registry, cloud, or signing credentials that could have been accessed.
  • Hunt for downstream exposure: identify projects, containers, and build jobs that pulled the dependency and re-build from known-good sources.
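The first two steps above (finding every build, lockfile and installed copy that references the package) are the part worth automating across a large monorepo or a fleet of repositories. The script below is an added example written for this article, not code from GitHub or from the advisory: it walks a directory tree, matches the exact package name `ambar-src` in `package.json`, `package-lock.json`, `yarn.lock` and `pnpm-lock.yaml`, and looks for an installed `node_modules/ambar-src` directory. The fixture it builds (project names, a look-alike package name) is constructed for the demonstration; the advisory publishes no versions, hashes or other indicators beyond the package name, so the name is the only thing checked.

```shell
#!/bin/sh
# Added example for the ambar-src advisory (not GitHub's or JustAppSec's code):
# scan a tree of repositories for the malicious npm package by name.
# scan_for_pkg DIR prints every manifest/lockfile and installed copy that
# references the package and returns 0 if anything was found, 1 otherwise.
# Assumption: the package name is the only indicator, since the advisory lists
# no affected versions (all are affected), hashes or file paths.

PKG="ambar-src"

scan_for_pkg() {
  dir="$1"
  # Match the exact name as a JSON key ("ambar-src"), a lockfile path
  # (node_modules/ambar-src), or a yarn/pnpm entry (ambar-src@ / ambar-src:).
  # Requiring a delimiter on both sides avoids hits on longer names that
  # merely contain the string.
  pat='(^|["/ ])'"$PKG"'["@:]'
  found=$( {
    # 1. Manifests and lockfiles, skipping everything under node_modules.
    find "$dir" -type d -name node_modules -prune -o -type f \
      \( -name package.json -o -name package-lock.json \
         -o -name yarn.lock -o -name pnpm-lock.yaml \) \
      -exec grep -lE "$pat" {} + | sed 's/^/MANIFEST:  /'
    # 2. Installed copies, including nested node_modules trees.
    find "$dir" -type d -path "*/node_modules/$PKG" | sed 's/^/INSTALLED: /'
  } )
  [ -n "$found" ] && printf '%s\n' "$found"
  [ -n "$found" ]
}

# make_fixture: build a CONSTRUCTED sample tree (not real project data) with
# one project that pulls the package and one that only has a look-alike name.
# Prints the fixture root so the caller can scan and then delete it.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/infected/node_modules/ambar-src" \
           "$root/clean/node_modules/ambar-src-lookalike"
  cat > "$root/infected/package-lock.json" <<'EOF'
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "dependencies": { "ambar-src": "*" } },
    "node_modules/ambar-src": {}
  }
}
EOF
  # "ambar-src-lookalike" is a made-up name: it must NOT produce a hit.
  cat > "$root/clean/package.json" <<'EOF'
{ "name": "demo-clean", "dependencies": { "ambar-src-lookalike": "*" } }
EOF
  echo "$root"
}

# Usage: scan_for_pkg /path/to/repos
# Run this file with --demo to scan the constructed fixture instead.
if [ "${1:-}" = "--demo" ]; then
  root=$(make_fixture)
  echo "== infected =="; scan_for_pkg "$root/infected" || true
  echo "== clean ==";    scan_for_pkg "$root/clean"    || echo "(no hits)"
  rm -rf "$root"
fi
```

Run it against the checkout root of every repository and against the directories your build agents cache, not just developer machines; a hit in a lockfile means the package was resolved at install time even if `node_modules` has since been cleaned. For a single project, `npm ls ambar-src` gives the same installed-copy answer from npm's own view of the tree.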

Source: GitHub Advisory Database
Published 16 Feb 2026. Updated 16 Feb 2026.