CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 5 days ago•3 views

MAL-2026-5391 Malicious code in @0xlr/vercel-analytics (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fda046018b2c121cb96e157cadce6d8aee695beb7086008140da0a9c6eebc938 On npm install, postinstall.js enumerates every process.env variable including credentials such as AWS, NPMTOKEN, GITHUBTOKEN and other CI tokens and...

5.5AI score

OSSF Malicious Packages•added 5 days ago•5 views

Malicious code in @0xlr/stripe-checkout-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65b2bf8dcdc0fc9b8fdbf14bbf58a011707a4425cf0029867e28067c08ef5566 On npm install, postinstall.js enumerates the full process.env keyspace plus host identifiers os.hostname, username, homedir, cwd, argv, OS details a...

5.6AI score

OSSF Malicious Packages•added 2026/06/06 6:13 a.m.•13 views

Malicious code in spateo-release (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 21400e8510d0663de6c3a4454fe99d9200cb83ae8d1ecdc137c99f3668da4293 Versions 1.1.2 were compromised. Compromised packages start an obfuscated infostealer. The infostealer is a heavily obfuscated JavaScript code executed using B...

5.5AI score

Exploits0References5

OSSF Malicious Packages•added 2026/06/04 4:47 p.m.•11 views

Malicious code in sf-silly-goose-requests (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 d1b2d16ce881d1e9b356ed424f8144ce9324d09010efa8761ad13ac8a46e7b60 Package uses trufflehog to detect secrets and exfiltrates them to a hardcoded location --- Category: MALICIOUS - The campaign has clearly malicious intent, lik...

Snyk•added 2026/05/31 9:0 p.m.•4 views

Malicious Package

Overview @cloudplatform-single-spa/self-service is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization...

Snyk•added 2026/05/31 9:0 p.m.•6 views

Malicious Package

Overview @cloudplatform-single-spa/svp-tasks is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization an...

Snyk•added 2026/05/31 9:0 p.m.•4 views

Malicious Package

Overview @cloudplatform-single-spa/ml-foundation-models is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...

Snyk•added 2026/05/31 9:0 p.m.•7 views

Malicious Package

Overview @cloudplatform-single-spa/static-page is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization...

Snyk•added 2026/05/31 9:0 p.m.•5 views

Malicious Package

Overview @fb-deposit/form-deposit-auth is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

Snyk•added 2026/05/31 9:0 p.m.•4 views

Malicious Package

Overview @car-loans/deal-aff is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Snyk•added 2026/05/31 9:0 p.m.•5 views

Malicious Package

Overview @cloudplatform-single-spa/ml-ai-agents-ide is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...

OSSF Malicious Packages•added 2026/05/29 12:0 a.m.•11 views

Malicious code in @t-in-one/send_add_application (npm)

Wave 2 of a dependency confusion attack campaign C2: oob.moika.tech targeting internal npm scopes. The attacker npm user t-in-one, email [email protected] published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign...

OSSF Malicious Packages•added 2026/05/29 12:0 a.m.•8 views

Malicious code in @sber-ecom-core/sberpay-widget (npm)

OSSF Malicious Packages•added 2026/05/29 12:0 a.m.•11 views

Malicious code in @capibar.chat/ui-kit (npm)

OSSF Malicious Packages•added 2026/05/28 12:0 a.m.•10 views

Malicious code in @cloudplatform-single-spa/dataplatform-metastore (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

OSV•added 2026/05/28 12:0 a.m.•12 views

MAL-2026-4967 Malicious code in @cloudplatform-single-spa/security-groups (npm)

OSV•added 2026/05/28 12:0 a.m.•8 views

MAL-2026-5003 Malicious code in @cloudplatform-single-spa/vpn (npm)