
Mercur Security Update: February 2026

February 17, 2026

Unauthorized malicious code was present in the admin-panel repository between January 28 and February 4, 2026. The code was discovered and removed on February 4, 2026.

If you cloned or pulled this repository during this period, you must take immediate action.

What Happened

On February 4, 2026, we discovered and removed unauthorized code from the admin-panel repository. The malicious code had been present since January 28, 2026. After removal, we focused on identifying the impact and providing steps for affected users to investigate, recover, and verify that their systems are secure.

After conducting an internal review of our environments, we did not find evidence of active credential exfiltration or malicious processes executed within our infrastructure.

At this stage, we are not able to conclusively determine the original injection vector. One hypothesis under discussion involves a dependency-level compromise (https://github.com/unrs/unrs-resolver/issues/196); however, this cannot be confirmed with certainty at this moment.

Impact

At this time, we have received limited reports and are not able to conclusively determine the full scope of impact. We are focused on providing solutions and fixes as quickly as possible.

If you used code from this repository between January 28 and February 4, 2026, please check your systems without hesitation to make sure they are free of malware.

Affected and Fixed Mercur Versions

V1.5.2 - Fixed

V1.5.1 - Only the https://github.com/mercurjs/admin-panel repository is impacted (v1.5.2 is fixed)

V1.5.0 and previous versions were never impacted

Required Actions*

*If you cloned or pulled this repository between January 28 and February 4, 2026

Verify Your Systems

Check affected machines for unexpected processes and modified files.

Unexpected processes

ps aux | grep -E "(node|python|bash)" | grep -v grep
# Active connections only (no -l, which restricts output to listening sockets)
netstat -tun | grep ESTABLISHED

Modified files to check

  • ~/.bashrc, ~/.zshrc, ~/.bash_profile
  • ~/.ssh/ directory
  • Browser extensions
  • Cron jobs — run crontab -l
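The file checks above can be triaged by modification time. The script below is an added example, not Mercur's tooling: it lists files in the locations named in this advisory (including ~/Library/LaunchAgents from the macOS section) that changed after the start of the exposure window. The function names are hypothetical, and treating the window start as local midnight is an assumption.

```shell
#!/bin/sh
# Added example, not Mercur's tooling. Function names are hypothetical.
# First day of the exposure window stated in the advisory, as a touch -t
# timestamp (local midnight is an assumption; the page gives no time zone).
WINDOW_START="202601280000"

# Print every file in the advisory's "modified files to check" locations
# under the given home directory (default: $HOME) that changed after
# WINDOW_START. mtime can be reset by malware, so an empty result is a
# triage signal, not proof of a clean machine.
recently_modified() {
    home="${1:-$HOME}"
    ref=$(mktemp) || return 2
    touch -t "$WINDOW_START" "$ref"
    for path in \
        "$home/.bashrc" "$home/.zshrc" "$home/.bash_profile" \
        "$home/.ssh" "$home/Library/LaunchAgents"
    do
        [ -e "$path" ] || continue          # location absent on this OS
        find "$path" -type f -newer "$ref" -print 2>/dev/null
    done
    rm -f "$ref"
}

# Summarise: exit status 1 when anything needs review, 0 otherwise.
triage() {
    hits=$(recently_modified "$1")
    if [ -n "$hits" ]; then
        printf 'Changed since window start, review by hand:\n%s\n' "$hits"
        return 1
    fi
    printf 'No watched file changed since window start\n'
}

# Usage: triage                          # checks $HOME
#        triage /mnt/image/home/alice    # constructed path for an offline copy
```

A listed file is not necessarily malicious; compare it against a backup or a known-good copy before changing anything.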

macOS

Processes - Verify any background node/npm/yarn/pnpm processes — check the path and parent process.

launchctl list | grep -v apple
npm list -g --depth=0

Persistence - Check Login Items and LaunchAgents for unknown .plist files or Node scripts.

ls ~/Library/LaunchAgents/
ls /Library/LaunchDaemons/

Schedules - Check for periodic or run-at-login triggers.

crontab -l

Windows

Processes - Verify any background node processes — check path and parent.

Persistence - Check Startup Apps and shell:startup for unexpected entries.

Schedules - Open Task Scheduler and review periodic and logon tasks.

Global tooling

npm list -g --depth=0

Projects and Editor

  • Remove node_modules from affected repos and reinstall clean
  • Scan repos manually for injected code or unexpected files
  • Remove unused or suspicious VS Code / Cursor extensions

Resources

  • Repository: mercurjs/admin-panel (https://github.com/mercurjs/admin-panel)
  • Clean version: V1.5.2
  • Report incidents through GitHub Issues or Discord

We will update this advisory if additional information becomes available.

In hindsight, a public advisory could have been issued immediately after the suspicious code was removed. We acknowledge that our communication process should have been faster, and we are improving our security disclosure procedures going forward.
