MAL-2026-5596 Malicious code in 0x2ai-demo8x (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f6d1ce2d7b8faa5bde122eb2bc6e0a79fec5f5720cfa7de0718a0c8948b344d6 On npm install, scripts/postinstall.cjs copies the package's payload/ tree into INITCWD the consumer's project root using fs.cpSync,...

MAL-2026-5602 Malicious code in 0x2ai-zoe (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 724bd98c39a8e4ff21b039fddeadfda7f0ef7e3c6be47e771d72efed77d02b1b On npm install, scripts/postinstall.cjs copies the entire payload/ tree into process.env.INITCWD the directory the developer ran npm from, depositing...

Malicious code in clean-my-pc (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8139d8347bc83b12e276e481509aaca6af69adff21f7df1658a6eeadd31562f6 The package's collect.js imports childprocess, fs, http, https, and os, gathers host identifiers via os.hostname and os.homedir, reads files from the...

MAL-2026-5615 Malicious code in sysau (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4b2cf08a271605de33b2c202bb8a5a6689251e9a4711a628a88c57ebf0ec4f07 On install/load, index.js auto-runs a bootstrap that silently installs Python 3.12 via winget, falling back to a /quiet curl of python-3.12.3-amd64.e...

Malicious code in twilio-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 737fede3d5b2007849cab0503cec191ce127c33c0b28f3b3285f347a064966e1 Package name twilio-sdk impersonates the official Twilio Node SDK twilio but ships an empty API module.exports = . The only real behavior runs in...

MAL-2026-5577 Malicious code in web-pool (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d2b1d78cd3ff0c5eeead299eb670d299590b48a453c9416ae2a692bc4173737c Requiring web-pool triggers middleware to spawn a detached node lib/initializeCaller.js. That script base64-decodes a hardcoded endpoint...

MAL-2026-5579 Malicious code in webpack-cache-cycle (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 82fa37e2478a7109e376e3a062ccb203806511033930eb7390e45fe7ef404b81 On npm install, package.json's postinstall hook runs node -e "require'./loader.js'". loader.js spawns a detached node process that decodes a...

Malicious code in webpack-patch (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d0f5ce3525e99528190ba5217a777184e302d46050fc23bef173de6fda240eba Package impersonates the webpack ecosystem but is unrelated to webpack. When the exported middleware is invoked, index.js spawns a detached node...

MAL-2026-5581 Malicious code in webpack-patch (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d0f5ce3525e99528190ba5217a777184e302d46050fc23bef173de6fda240eba Package impersonates the webpack ecosystem but is unrelated to webpack. When the exported middleware is invoked, index.js spawns a detached node...

MAL-2026-5580 Malicious code in webpack-cache-reset (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fee0027f45dd4846b52b99120af39a0bca88f8693047612e946cd8d816f36e6c On npm install, the package's postinstall hook runs loader.js, which hex-decodes the URL https://jsonkeeper.com/b/INN1F an anonymous JSON paste host,...

MAL-2026-5569 Malicious code in js-crypto-promise (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a9d677e45bee46911d04564e9260f4b569119a4ca0a13a58bcd43760359fbb4f The package's prepinstall.js script base64-decodes a hidden URL stored in a constant misleadingly named HASHKEY decoding to...

MAL-2026-5562 Malicious code in @koadz/sso (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d284d5d0421ad906d63959ed4e0f3354106166311f4066ff794669f52d1eacfb package.json declares a postinstall hook that runs dist/index.js. The compiled bundle contains an appended payload absent from the index.ts source...

Malicious code in field-upload-tool (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 17402ad5019d1d433139ce2652d18d2493d87acfd1ede435a94c87eb421f25b1 On every npm install, the package's postinstall lifecycle script in package.json spawns a detached, unref'd Node process that decodes a base64-encode...

MAL-2026-5575 Malicious code in testzapier (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a5840f2a3b34d7f32de7243a146ecf85ac875bd1ef09b0ba9a395d08e356084f package.json declares a preinstall hook node index.js that fires automatically on npm install. index.js spawns a shell that runs curl -X POST against...

Malicious code in emittery_styled (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 1f21dd8eb533d5ecf0c5123429a9cc453f24eb9426a6cfadcac5c2d299fa5a23 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Omnia MPX 1.5.0+r1 - Local File Inclusion

Telos Alliance Omnia MPX Node through 1.5.0+r1 is vulnerable to local file inclusion via logs/downloadMainLog. By retrieving userDB.json allows an attacker to retrieve cleartext credentials and escalate privileges via the control panel. id: CVE-2022-36642 info: name: Omnia MPX 1.5.0+r1 - Local Fi...

n8n >= 0.123.0 and < 1.121.3 - Remote Code Execution

n8n versions = 0.123.0 and = 0.123.0 and = 0.123.0 and 1.121.3 contain a critical authenticated remote code execution vulnerability via arbitrary file write. An authenticated user can exploit the Git node to overwrite critical files and execute untrusted code on the n8n server, potentially leadin...

node-srv - Local File Inclusion

node-srv is vulnerable to local file inclusion due to lack of url validation, which allows a malicious user to read content of any file with known path. id: CVE-2018-3714 info: name: node-srv - Local File Inclusion author: madrobot severity: medium description: node-srv is vulnerable to local fil...

Malicious code in @403name/electron-buidler (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6ed72e6dbbdb78cd8fc99bfafc15900f16543690460ae2cfad826aeee20c05a4 On require, index.js executes an immediately-invoked function that platform-gates to macOS, skips CI environments, drops a one-shot marker file in...

MAL-2026-5549 Malicious code in @403name/fsevent (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2f86ca4502cc824c3684e8f1e08b088b974b4339829461b50d45e3fbc6f808eb On require, index.js runs an IIFE that gates to macOS, skips when CI or GITHUBACTIONS is set, waits 30-90 seconds, and writes a one-shot marker at...