Tenable Research investigated a malicious package in the npm public registry named “ambar-src” that underscores the rapid nature of modern supply chain attacks. The package, which was downloaded approximately 50,000 times before its removal, was designed to mimic the popular package “ember-source” and to infect developers’ systems across Windows, macOS, and Linux.
The threat is unique because it does not require a developer to actually run any code to become a victim. The moment a user types the command to install the package, a hidden “preinstall script” executes automatically in the background. While the user sees a standard installation progress bar, the malware is already active, identifying the victim’s operating system and delivering the malware.
The attackers utilised a technique called “typosquatting,” naming the package “ambar-src”, which is suspected to mimic a widely trusted package with over 11 million downloads. Unlike legitimate software that has been compromised, “ambar-src” was built from the ground up as a weapon, serving no functional purpose other than to deliver malware.
“The true danger of this package lies in how it weaponizes a simple human mistake,” said Ari Eitan, Director for Research at Tenable. “Developers often assume that if a package is available on a public registry, it is safe to download. By hiding the attack inside the installation process, hackers ensure they are inside your system before you’ve even had a chance to verify the code.”
The package was removed from the npm registry within five hours of the malicious version being published on February 16, 2026. However, any system where “ambar-src” is currently found should be considered fully compromised.
Tenable Research urges all organizations to audit their development environments and CI/CD pipelines for any presence of this package and follow standard incident response protocols if it is detected.
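One way to run that audit against a project's lockfile, as an added example that is not Tenable's or npm's own tooling: it reports any entry named “ambar-src” and, separately, every dependency that npm has marked with `hasInstallScript` (the flag lockfile v2/v3 records for packages with install-time scripts such as the preinstall hook described above). The sample lockfile, its version strings and the `example-*` package names are constructed for illustration.

```javascript
// Added example: audit package-lock.json content for a blocklisted package
// name and for dependencies that run install-time lifecycle scripts.
const BLOCKLIST = new Set(["ambar-src"]); // name taken from the advisory text

function auditLockfile(lockText, blocklist = BLOCKLIST) {
  const lock = JSON.parse(lockText);
  const findings = [];
  const check = (name, path, meta) => {
    if (blocklist.has(name)) {
      findings.push({ kind: "blocklisted", name, version: meta.version, path });
    } else if (meta.hasInstallScript) {
      // Not malicious by itself, but this code runs during `npm install`.
      findings.push({ kind: "install-script", name, version: meta.version, path });
    }
  };
  if (lock.packages) {
    // Lockfile v2/v3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      const i = path.lastIndexOf("node_modules/");
      const name = meta.name || (i >= 0 ? path.slice(i + 13) : path);
      check(name, path, meta);
    }
  } else {
    // Lockfile v1: nested "dependencies" tree, no hasInstallScript flag.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        check(name, path, meta);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample lockfile (versions and example-* names are placeholders).
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/ambar-src": { version: "0.0.0-placeholder", hasInstallScript: true },
    "node_modules/example-lib": { version: "1.2.3" },
    "node_modules/example-native-addon": { version: "2.0.0", hasInstallScript: true },
  },
});

console.log(auditLockfile(SAMPLE_LOCK));
```

Pass it the text of each project's and pipeline's `package-lock.json`; a `blocklisted` finding means the host that performed the install falls under the incident response guidance above.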
For more information about “ambar-src”, please read this blog.




