StepSecurity's AI Package Analyst detected over 70 ghost releases across Microsoft's @types/ npm packages on February 17, 2026. The anomaly — identical deprecated versions being re-published every 30 minutes with no code changes — was traced to a bug in the DefinitelyTyped-tools GitHub Actions workflow. The root cause was a JavaScript quirk where passing `undefined` instead of 'latest' as a publish label silently bypassed the loop guard meant to prevent re-publishing already-deprecated packages. A one-line fix was identified, reported, and merged the same day. The incident highlights risks in automated publishing pipelines: even benign bugs can create noise that could be exploited as camouflage in supply chain attacks, and continuous monitoring of npm release patterns is essential for ecosystem health.
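To make the failure mode concrete, here is a constructed illustration of a loop guard that is only enforced when the publish label equals `'latest'`, so a caller that passes `undefined` silently disables it, beside a hardened version. This is added example code, not the DefinitelyTyped-tools workflow; the registry snapshot, package names, versions and function names are all hypothetical.

```javascript
// Constructed sample of already-published versions and their deprecation
// state (hypothetical data, not a real npm registry response).
const registry = {
  '@types/example-a': {
    '1.0.0': { deprecated: false },
    '1.1.0': { deprecated: true },
  },
  '@types/example-b': {
    '2.0.0': { deprecated: true },
  },
};

// Buggy guard: already-deprecated versions are skipped only when the label
// is exactly 'latest'. If the caller omits the label (label === undefined)
// the condition is false, nothing is skipped, and every deprecated version
// is re-published on every run, which is the "ghost release" pattern.
function selectForPublishBuggy(pkg, versions, label) {
  const published = registry[pkg] || {};
  return versions.filter((v) => {
    const prior = published[v];
    if (label === 'latest' && prior && prior.deprecated) return false;
    return true;
  });
}

// Hardened guard: the deprecation check no longer depends on the label,
// a missing label falls back to 'latest' via a default parameter, and any
// non-string label is rejected loudly instead of changing behaviour.
function selectForPublishFixed(pkg, versions, label = 'latest') {
  if (typeof label !== 'string') {
    throw new TypeError(`publish label must be a string, got ${label}`);
  }
  const published = registry[pkg] || {};
  return versions.filter((v) => !(published[v] && published[v].deprecated));
}

// Demonstration: the same call with the label omitted.
const candidates = ['1.0.0', '1.1.0'];
console.log('buggy, no label :', selectForPublishBuggy('@types/example-a', candidates));
console.log('fixed, no label :', selectForPublishFixed('@types/example-a', candidates));
```

The buggy variant returns both versions when the label is omitted, re-publishing the deprecated `1.1.0`; the fixed variant returns only `1.0.0` regardless of how it is called.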