Advisories for npm/@opensearch-project/opensearch package

2026

Malware in @opensearch-project/opensearch

Overview

The OpenSearch Project has sustained a security incident involving an external actor gaining force-push permissions within the project's CI infrastructure to embed malicious packages into four release versions of @opensearch-project/opensearch. Users are instructed to immediately take the actions recommended in the Remediation section of this advisory.

Affected Versions

Package: @opensearch-project/opensearch

| Version | Published (UTC) | Published (America/New_York) |
|---------|-----------------|------------------------------|
| 3.5.3 | 2026-05-12T00:47:39Z | May 11, 2026, 8:47:39 PM |
…

@opensearch-project/opensearch contains malware after npm account takeover

On May 19th 2026, a new supply chain attack linked to the Mini Shai-Hulud campaign was identified. This package contains malicious code published through a compromised npm maintainer account. The malicious software is part of a coordinated high-volume publish wave targeting popular data visualization and charting ecosystems. It is recommended that all credentials be rotated, the npm cache be cleared, the node_modules directory be removed, and all dependencies be rolled back …
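Both advisories above turn on the same first question for an affected team: does a project's lockfile resolve @opensearch-project/opensearch to one of the compromised releases? The following Node.js script is an added example, not code from either advisory or from the OpenSearch Project, that answers it for package-lock.json files of lockfileVersion 1, 2 and 3. The affected-version list it carries is an assumption limited to the single version (3.5.3) visible on this page; the other three versions the Overview mentions are not shown here and would have to be added from the full advisory. The sample lockfile embedded at the bottom is constructed for the demonstration.

```javascript
'use strict';

// Added example (not from the OpenSearch Project or the advisories):
// scan an npm lockfile for compromised versions of the package.
const PACKAGE = '@opensearch-project/opensearch';

// ASSUMPTION: only the version listed on this page; the full advisory
// names four affected versions, add the remaining three from it.
const AFFECTED_VERSIONS = new Set(['3.5.3']);

// lockfileVersion 1 nests dependencies; walk them and build the path
// npm would install each copy to, so nested (transitive) copies are found.
function walkV1(deps, prefix, hits) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = `${prefix}/${name}`;
    if (name === PACKAGE) hits.push({ path, version: entry.version });
    if (entry.dependencies) walkV1(entry.dependencies, `${path}/node_modules`, hits);
  }
}

// Return every copy of PACKAGE in a parsed lockfile as { path, version }.
// lockfileVersion 2 carries both "packages" and the legacy "dependencies"
// tree, so prefer "packages" and only fall back to the v1 tree when absent.
function findPackageVersions(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue; // root project entry, not a dependency
      if (path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`)) {
        hits.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, 'node_modules', hits);
  }
  return hits;
}

// Mark each copy as affected when its resolved version is on the list.
function assessLockfile(lock) {
  return findPackageVersions(lock).map((h) => ({
    ...h,
    affected: AFFECTED_VERSIONS.has(h.version),
  }));
}

function assessLockfileText(jsonText) {
  return assessLockfile(JSON.parse(jsonText));
}

// Constructed sample (not a real project): a v3 lockfile with the affected
// 3.5.3 at the top level and a different version nested under a wrapper.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { [PACKAGE]: '^3.5.0' } },
    'node_modules/@opensearch-project/opensearch': { version: '3.5.3' },
    'node_modules/some-wrapper': { version: '1.0.0' },
    'node_modules/some-wrapper/node_modules/@opensearch-project/opensearch': { version: '3.5.2' },
  },
};

// Stand-alone use: node check-lock.js [path/to/package-lock.json]
// Without an argument the constructed sample is scanned instead.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const results = file
    ? assessLockfileText(require('fs').readFileSync(file, 'utf8'))
    : assessLockfile(SAMPLE_LOCK);
  for (const r of results) {
    console.log(`${r.affected ? 'AFFECTED' : 'ok      '} ${r.version}  ${r.path}`);
  }
  // Nonzero exit when any copy is on the affected list, for use in CI.
  process.exitCode = results.some((r) => r.affected) ? 1 : 0;
}
```

A clean result does not end the response the advisories call for: a lockfile that currently pins a safe version says nothing about what a machine already executed during an earlier install, so credentials still need rotating, the npm cache clearing (`npm cache clean --force`), node_modules removing and dependencies reinstalling from the corrected lockfile, as the remediation steps above describe.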