MAL-2026-5540 Malicious code in @monitoring-lib/error-tracking (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 491603ad44ed812c3d248696b00f7d4801a4c1dc23e4f23a3bb86f2ef499616d On npm install, the preinstall lifecycle hook in package.json runs a Node one-liner that reads the installer's hostname os.hostname and username...

MAL-2026-5523 Malicious code in @orion-design-system/foundation (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3e7fdf1bb78d6c3750adffa854f5f08c7f2fd7af6166f7234aa5cbf4974a1375 The package's npm preinstall lifecycle script runs an inline node -e payload that collects the installer's hostname os.hostname and OS username...

Malicious code in @orion-design-system/foundation (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3e7fdf1bb78d6c3750adffa854f5f08c7f2fd7af6166f7234aa5cbf4974a1375 The package's npm preinstall lifecycle script runs an inline node -e payload that collects the installer's hostname os.hostname and OS username...

MAL-2026-5490 Malicious code in sb-original (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c0e07a765f6ef2042da47b1c017ecc5f6f1f99167da76e04c4b2c4ea6ecfcb83 [email protected] is an unscoped package whose version is set to 9999.99.99 to win semver resolution against any internal package of the same...

MAL-2026-5439 Malicious code in exodus-checkout-signer (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 921c5ef246587db452bdb65aae12321f4de868e7882f9550f9b9e32300ae792c exodus-checkout-signer is the unscoped name of the scoped package @exodus/checkout-signer and self-describes in README and package.json as a...

MAL-2026-5424 Malicious code in @oplus/obus-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ed41b3738a8034ebb2e92744dd0891812f6c6fdb278e78c377045a86f2b5a34d On npm install, scripts/postinstall.js collects the installer's username os.userInfo, hostname os.hostname, current working directory process.cwd, an...

Malicious code in @0xlr/clerk-auth (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2ff421a5ccb412fd8455e89a1b9875b427ed34af12fa4b188ed4418cd8f52a74 On npm install, postinstall.js enumerates the entire process environment Object.keysprocess.env.sort.forEach along with hostname, username, home...

Malicious code in @0xlr/prisma-client-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b993c29d90c2ecfffaa9ed55b99c38e5351052e619b79ad2a385d6c72376f0f4 On npm install, postinstall.js enumerates all of process.env, collects hostname, username, homedir, cwd, argv, platform/arch/release, memory and CPU...

MAL-2026-5386 Malicious code in @0xlr/prisma-client-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b993c29d90c2ecfffaa9ed55b99c38e5351052e619b79ad2a385d6c72376f0f4 On npm install, postinstall.js enumerates all of process.env, collects hostname, username, homedir, cwd, argv, platform/arch/release, memory and CPU...

Malicious code in @0xlr/stripe-checkout-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65b2bf8dcdc0fc9b8fdbf14bbf58a011707a4425cf0029867e28067c08ef5566 On npm install, postinstall.js enumerates the full process.env keyspace plus host identifiers os.hostname, username, homedir, cwd, argv, OS details a...

Malicious code in @0xlr/supabase-db (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0feb7f8ea3069b0e830043fea195c088ea28709cc18a32676f389c61a15fc84c On npm install, the package's postinstall.js script enumerates all of process.env and collects host identifiers os.hostname, username, homedir, cwd,...

Malicious code in @sflyinc-knapsack/shutterfly-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d1b554d911cfb6d444727262a62e2db10f22a75d53d23741d6c2684f62fb6e5d On require/load, index.js collects host identifiers os.hostname, os.userInfo, os.homedir, DNS server configuration, package.json metadata, and dirnam...

Malicious code in screenpipe-mcp-http (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 28109405008c1eaee3b3702337a3278723bb7e70e01929a4b76132b19c705790 [email protected] is a dependency-confusion lure that beacons installer-identifying data to an attacker-controlled domain on npm install...

Malicious code in create-docs-mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd4381fd77419441a2eefe6b22adef6c9f5adfe1b92be5d071abd5908fdf8647 Package is published at version 9999.99.99 — the canonical high-version override used in dependency-confusion attacks against private/internal packag...

MAL-2026-5397 Malicious code in create-docs-mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd4381fd77419441a2eefe6b22adef6c9f5adfe1b92be5d071abd5908fdf8647 Package is published at version 9999.99.99 — the canonical high-version override used in dependency-confusion attacks against private/internal packag...

NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin

Summary The client-side hashRedirect plugin called window.location.replace on a path extracted from the URL hash fragment after only checking hashPath.startsWith'/'. Protocol-relative URLs //attacker.com/… also satisfy that check, so a crafted link such as...

PT-2026-46995

Summary The client-side hashRedirect plugin called window.location.replace on a path extracted from the URL hash fragment after only checking hashPath.startsWith'/'. Protocol-relative URLs //attacker.com/… also satisfy that check, so a crafted link such as...

CVE-2026-7421 Passeum Ticketing <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'shop_name' Setting

The Passeum Ticketing plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.0. This is due to the getshopurl method returning the shopname setting value without sanitization when it begins with "http", combined with insufficient validation in th...

MAL-2026-4807 Malicious code in shop-minis (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e9e3e4e8e9e12bac20967fa551c549a93915b33007d7e54f8bfe0eed26a216e On npm install, the package's postinstall script postinstall.js, run via scripts.postinstall = 'node postinstall.js' collects host identity — whoami,...

Malicious code in shop-minis (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e9e3e4e8e9e12bac20967fa551c549a93915b33007d7e54f8bfe0eed26a216e On npm install, the package's postinstall script postinstall.js, run via scripts.postinstall = 'node postinstall.js' collects host identity — whoami,...