78 matches found
EUVD-2026-39498
pnpm: Repository config can expand victim environment secrets into registry requests before scripts run...
CVE-2026-55180 pnpm: Repository config can expand victim environment secrets into registry requests before scripts run
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded $ENVVAR placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim...
CVE-2026-55180
CVE-2026-55180 affects pnpm before 10.34.2 and 11.5.3. The issue arises when pnpm and related configuration (repository-controlled .npmrc and pnpm-workspace.yaml) expand ${ENV_VAR} placeholders into registry request destinations and registry credentials. This can cause dependency resolution to se...
CVE-2026-55180
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded $ENVVAR placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim...
MAL-2026-5803 Malicious code in flow-lending (npm)
Sentinel-high 9.9.9 dependency-confusion squat of an internal Cardano/DeFi lending pkg. preinstall node index.js || true auto-execs a credential exfil: harvests env secrets mnemonic/private key/token/blockfrost API key and POSTs to raw attacker C2 2.25.140.71:8443/surflending/npm-confusion. 2-pkg...
Malicious code in portal-backend (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c5aca21d0e952f5ba313432cf5d47e41f185d19e65d894a005cce20be90d4985 On npm install, the package's preinstall hook executes postinstall.js, which enumerates process.env and filters keys matching a broad credential-shap...
MAL-2026-5778 Malicious code in hemi-earn-actions (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a9c2a72c75e835bc78738de0839bd4727df93d6bcb8aed2215289973996c4f3c On npm install, the package's preinstall script postinstall.js collects host metadata hostname, username, cwd, npm config and iterates process.env,...
MAL-2026-5563 Malicious code in @sentry-internal-sdk/profiling-node (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c7951165844874f57819b0d63b8c8511e4e9217bf0f9231ec02f06cb6e059c47 Package name @sentry-internal-sdk/profiling-node impersonates the legitimate @sentry/profiling-node Sentry publishes under the @sentry org; no...
MAL-2026-5557 Malicious code in janus-ft (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8d7caaba8f20d0f04bcb79ab4046d34bea20b858ed3fc37931c76109b366835f On npm install, the package's postinstall.js script harvests installer-side secrets and ships them to a hardcoded bare-IP C2 endpoint. Specifically, ...
Malicious code in @0xlr/sentry-web (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6cda998358d5cfe20dc0c060f7e212e44ee41e6f369f42c15badbfdd7b796744 On npm install, this package automatically executes postinstall.js, which enumerates the entire process.env every environment variable, including CI...
MAL-2026-5385 Malicious code in @0xlr/clerk-auth (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2ff421a5ccb412fd8455e89a1b9875b427ed34af12fa4b188ed4418cd8f52a74 On npm install, postinstall.js enumerates the entire process environment Object.keysprocess.env.sort.forEach along with hostname, username, home...
MAL-2026-5382 Malicious code in @doaction/types (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4092c28082abff16427aa0e246a327796294411786dae585fb4ab3114ad6504f @doaction/[email protected] is a dependency-confusion lure targeting an internal @doaction scope. The package.json declares "version": "99.99.99" and pi...
Malicious Package
Overview @fb-deposit/form-savings-account is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...
Malicious Package
Overview @cloudplatform-single-spa/advanced is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...
Malicious Package
Overview @mlspace/profile is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview @cloudplatform-single-spa/ml-inference is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization...
Malicious Package
Overview @cloudplatform-single-spa/aifactory-notebooks is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...
Malicious Package
Overview @cloudplatform-single-spa/ml-inference-docker-run is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...
Malicious Package
Overview @cloudplatform-single-spa/notification-gateway is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...
Malicious Package
Overview @cloudplatform-single-spa/edge-manager is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization...