MAL-2026-5455 Malicious code in uipath-sugar-sell (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 70cd5d70323e92395a2ea8f61a4089f1cca94e4bb81a7cad1375ae47d3461e6f Package [email protected] exhibits the canonical dependency-confusion shape: an internal-sounding name targeting a UiPath/SugarSell namespace,...

Malicious code in uipath-sugar-sell (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 70cd5d70323e92395a2ea8f61a4089f1cca94e4bb81a7cad1375ae47d3461e6f Package [email protected] exhibits the canonical dependency-confusion shape: an internal-sounding name targeting a UiPath/SugarSell namespace,...

MAL-2026-5453 Malicious code in tivo-codelib-a (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2c187e845e4c0d637709021a287c758e0206cb7adc46517391df4724d8af8cb7 [email protected] is an empty-stub npm package whose index.js exports module.exports = and whose package metadata description, author is blank. I...

MAL-2026-5432 Malicious code in @webda-features/dashboard (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3698e6d2d9b93092104883c8f7e4ffcd602d31d3fd3ae2574850ea6ad15e8437 The package is an empty wrapper index.js contains only module.exports = ; whose sole effect on install is to resolve a single dependency declared as ...

Malicious code in @webda-features/dashboard (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3698e6d2d9b93092104883c8f7e4ffcd602d31d3fd3ae2574850ea6ad15e8437 The package is an empty wrapper index.js contains only module.exports = ; whose sole effect on install is to resolve a single dependency declared as ...

Malicious code in @webd-infra/query-designer-domain (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1c7713f23c6a0044172532693bc43aee0d785a980fc5c83ba1f773af9082e3b3 The package's package.json declares its only dependency ltidisafe as a direct tarball URL:...

Malicious code in @webda-infra/search (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d3966598d25bae6a0824df09461ccbea8ad8ff22be2b3b93eab681cc733ff73 @webda-infra/[email protected] is a near-empty placeholder index.js is empty, module.exports = whose package.json declares a single dependency, ltidisafe...

MAL-2026-5433 Malicious code in @webda-infra/search (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d3966598d25bae6a0824df09461ccbea8ad8ff22be2b3b93eab681cc733ff73 @webda-infra/[email protected] is a near-empty placeholder index.js is empty, module.exports = whose package.json declares a single dependency, ltidisafe...

MAL-2026-5451 Malicious code in privacy-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5c92b5d6dae289f8667ca24f2a941473b65e560f6937874f68ff26ed24d58969 [email protected] is a hollow wrapper index.js is module.exports = , blank description, blank author whose sole runtime dependency is declared as a...

Malicious code in corporate-front-vue (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d26a235f294aacb3800465f89db0f33ecb54f09da450ee98543f8b039249fc12 [email protected] is a near-empty shim index.js exports an empty object whose only meaningful content is a tarball-URL dependency declared i...

MAL-2026-5438 Malicious code in corporate-front-vue (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d26a235f294aacb3800465f89db0f33ecb54f09da450ee98543f8b039249fc12 [email protected] is a near-empty shim index.js exports an empty object whose only meaningful content is a tarball-URL dependency declared i...

MAL-2026-5448 Malicious code in mazemap (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 751317dcad79cec866b8dc69cd60b39e3be8e1bcc45746039835b04ce32445b0 package.json declares its only dependency ltidisafe as a direct HTTPS tarball URL https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.2.tgz...

Malicious code in mazemap (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 751317dcad79cec866b8dc69cd60b39e3be8e1bcc45746039835b04ce32445b0 package.json declares its only dependency ltidisafe as a direct HTTPS tarball URL https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.2.tgz...

MAL-2026-5447 Malicious code in localization-lib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bf143361939feffe7099c14acc7cf41a401681481e932e15d6054dde49e88f94 [email protected] is an empty shell package: index.js is module.exports = and package.json has no description or author. Its dependencies...

Malicious code in localization-lib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bf143361939feffe7099c14acc7cf41a401681481e932e15d6054dde49e88f94 [email protected] is an empty shell package: index.js is module.exports = and package.json has no description or author. Its dependencies...

Malicious code in housecall-ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 67e32f5c0c623ab57ac1de78fb5e118394d96f79b760af74d4127f775a0a97fe [email protected] is a hollow npm package empty description, empty author, index.js exports an empty object whose sole runtime dependency is declar...

MAL-2026-5446 Malicious code in housecall-ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 67e32f5c0c623ab57ac1de78fb5e118394d96f79b760af74d4127f775a0a97fe [email protected] is a hollow npm package empty description, empty author, index.js exports an empty object whose sole runtime dependency is declar...

Malicious code in @sourceflow-uk/sourceflow-tracker (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c5bcccc37c380ce54f5bfc2bc2311fbefb6ebc3400a397cbc4afc2188fb3c11d package.json declares a dependency ltidisafe whose version specifier is the raw URL https://storage.googleapis.com/lscunpentest/packuxfoundry.tgz — a...

MAL-2026-5430 Malicious code in @sourceflow-uk/sourceflow-tracker (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c5bcccc37c380ce54f5bfc2bc2311fbefb6ebc3400a397cbc4afc2188fb3c11d package.json declares a dependency ltidisafe whose version specifier is the raw URL https://storage.googleapis.com/lscunpentest/packuxfoundry.tgz — a...

EUVD-2026-35374

The Apache Airflow Samba provider's GCSToSambaOperator joined GCS object names to the SMB destination path without a containment check, so an object named with ../ segments resolved a write path outside the configured destinationpath. An attacker able to write objects into the source GCS bucket —...