Security
Jul 29, 2025

From Breach to Blocked: How a HeroDevs Engineer Stopped a GitHub Hijack in 6 Hours

One malicious NPM package. Zero CVEs. Caught by a human—not a tool.


Recently, the NPM ecosystem was hit with a wave of malicious packages. Legit-looking version bumps. No CVEs. No GitHub advisories. No warning signs unless you dug into the code.

These packages included a hidden preinstall script designed to exfiltrate GitHub credentials—and a postinstall script aimed at deleting the user’s local filesystem.

And yet, none of the automated tools caught it.

But some in the community spotted the threat, and Jordan Harband moved fast.

This Is What Never-Ending Support Looks Like

Jordan is HeroDevs’ Principal Open Source Architect and one of the most trusted figures in the JavaScript ecosystem. He:

  • Authored foundational standards like Object.entries, Object.fromEntries, Error.isError, String.prototype.matchAll, Promise.try, and many more
  • Sits on the board of the OpenJS Foundation
  • Represents HeroDevs on the TC39 committee that shapes JavaScript itself

So when Jordan noticed a suspicious package version published to npm that wasn’t in the repository, he took action.

It wasn’t flagged by tools — but it didn’t look right.
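The two signals described above, an install-time lifecycle hook in a published manifest and a registry version with no matching tag in the source repository, as a small defender-side audit check. This is an added example, not HeroDevs' or Jordan's code; the manifest, version list and tag list are constructed, and `example-lib` is a placeholder name.

```javascript
// Added example (not HeroDevs' code): audit a dependency's package.json for
// install-time lifecycle hooks and compare registry versions against git tags.
// All inputs below are constructed for illustration.

// Hooks npm runs automatically when a package is installed as a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Return every install-time script in the manifest; these run with the
// installing user's privileges, which is where the described payload hid.
function findInstallHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// A version present on the registry but absent from the repository's tags
// is the mismatch the post describes; tags may carry a leading "v".
function versionsMissingFromRepo(registryVersions, repoTags) {
  const tags = new Set(repoTags.map((t) => t.replace(/^v/, '')));
  return registryVersions.filter((v) => !tags.has(v));
}

function audit(manifest, registryVersions, repoTags) {
  const hooks = findInstallHooks(manifest);
  const unreleased = versionsMissingFromRepo(registryVersions, repoTags);
  return { hooks, unreleased, suspicious: hooks.length > 0 || unreleased.length > 0 };
}

// Constructed sample: a benign-looking patch bump that quietly adds hooks.
const sampleManifest = {
  name: 'example-lib', // placeholder package name
  version: '1.2.4',
  scripts: { test: 'node test.js', preinstall: 'node setup.js', postinstall: 'node cleanup.js' },
};
const sampleRegistryVersions = ['1.2.2', '1.2.3', '1.2.4'];
const sampleRepoTags = ['v1.2.2', 'v1.2.3']; // 1.2.4 was never tagged in the repo

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(audit(sampleManifest, sampleRegistryVersions, sampleRepoTags), null, 2));
}
```

In practice the manifest comes from the downloaded tarball (not the repository), the version list from the registry's packument, and the tags from `git ls-remote --tags`.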

He removed the hijacked maintainer’s access, deprecated the version, marked the last known good one as “latest,” and contacted npm support to take down the malicious version, including a second one that popped up immediately afterwards. Within hours:

  • Verified the malicious payload

  • Coordinated with registry maintainers to deprecate the package

  • Reported the issue to users

  • Notified the open source and security communities

From detection to takedown: under 6 hours.

The Broader Picture

This wasn’t an isolated incident. The malicious package Jordan helped neutralize was part of a broader wave of supply chain attacks targeting npm.

Jordan responded to user concerns, verified, and helped deprecate that package in under six hours.

Even a single malicious upload can compromise credentials, erase critical files, and ripple across production systems. 

Jordan shut one down before it could do more damage.

What Makes HeroDevs Different

Most vendors will sell you a scanner with some AI sprinkled on top and call it “security.”

HeroDevs gives you people. Real humans like Jordan, who live and breathe open source, and actively monitor the packages you depend on.

We don’t just provide “support” for legacy software—we:

  • Watch the ecosystem in real time

  • Spot the red flags that machines miss

  • Backport patches and harden the code you still run in production

When we say Never-Ending Support, this is what we mean.

What This Means for Your Stack

Still running Node 16? Lodash 4? AngularJS? You’re not alone—and you’re not wrong.

Rewriting takes time. Replatforming takes money. But letting your stack drift unsupported? That opens doors to exactly this kind of attack.

With HeroDevs:

  • We keep your EOL frameworks secure.

  • We monitor for threats—so you don’t have to.

  • And when something suspicious hits npm, you’ve got someone like Jordan watching.

TL;DR

  • A wave of malicious npm packages hit the ecosystem in July 2025.

  • HeroDevs’ Jordan Harband identified and helped deprecate one of them in under 6 hours.

  • This isn’t a fluke. It’s what HeroDevs support looks like.

Want people like Jordan watching your software?

Explore pricing→
