MAL-2026-4315 Malicious code in flownodelp5 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 575f60ffff67c8ec6924f975f378d7185d634e49dec8e3cc8637941eabfeba83 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-4320 Malicious code in mobile-international (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 543efd73c4d2860379f7e412db8f3ddb33401c3788a2a18f5ec0648e33b51a33 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-4323 Malicious code in nba-cdn-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a6472220c5bb80d934ccb360b63359201b4f8e203bc8c173b27cd4181c15964b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-4337 Malicious code in wm-plugin-create-iframe-capturing (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3b8f21008e1afe359d81b5a894a1b3977ba8a70993db9afc6f6d695cb37ab3f5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-4342 Malicious code in wm-w5g-preview (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5bc0860496300da0db2cc794dea65576b86229a620d4de1b2da80ad79caa333f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in lint-builder-logger (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 82c210e5583e971220a00f5aada2972877928cbc0187f17b034c9112c4b87099 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-4292 Malicious code in chai-as-buffer (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 1d87a23a90feef04b46f1303ee97b40bb0fe23007381ac6f19e566b038ff83b8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-4293 Malicious code in chai-as-float (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 57fa3a7c5d47c518f43c819b91f8ae0bbdffbcf6fce42a1ebbce89e7d9c29199 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in prompt-engineering-toolkit (npm)

Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...

Malicious code in project-init-tools (npm)

Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...

Malicious code in async-pipeline-builder (npm)

Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...

MAL-2026-4277 Malicious code in dev-env-bootstrapper (npm)

Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...

Malicious code in dependency-audit-tool (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 07144a70b38d5ada8c75d4cb8027f378cca7c094f823a544d056b07cb999e663 package.json declares a postinstall hook that runs node -e "tryrequire'childprocess'.execSync'npx env-security-scanner@latest...

MAL-2026-4235 Malicious code in credential-verification-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ebec51669e1875ebdcbe28040480db123cd5b42e4dbd4229b534a6e07e41b593 [email protected] is a thin wrapper whose only behavior is to download and execute whatever code is currently published at the latest...

MAL-2026-4234 Malicious code in compliance-check-runner (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 09baf2402c56bbf2219f28a1113df9b623522a17b3a199cf9a6d58f8cbb0b68a On npm install, the package's postinstall hook runs npx env-security-scanner@latest auditenvironment via childprocess.execSync, fetching and executin...

Malicious code in tailwindcss-themers (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 091ab8da12c1de90002f159fc2db723d4c26b0bc66247c3278f4d07e159ae8c4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in chai-as-afforded (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d40560dbe3485657e0bf84ae14fb2447ca17ec244adcaf5d2ecd14a1753697d4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-4222 Malicious code in chai-as-afforded (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d40560dbe3485657e0bf84ae14fb2447ca17ec244adcaf5d2ecd14a1753697d4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-4192 Malicious code in iv-stubborn (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9b8934157781e3457974f0609c54f14503424c9077b316f2e8e843e454989922 On npm install, both preinstall and postinstall lifecycle hooks execute index.js, which collects the installer's hostname, all non-internal network...

MAL-2026-4242 Malicious code in foundy-toolkit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d117fe522ec0aee9271963b02fb9a61b7e5005b5494331368b58f46c05c944cd On npm install, the package's postinstall script runs an inline node -e that shells out to curl -fsSL against an ephemeral Pinggy free-tier tunnel ho...