688 matches found
Malicious code in data-harvester (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 21c2e2c21d9afac9277d95589962d33a09651a5b6ef7e0b3c9e07aee56af213f On first import, dataharvester/init.py decodes a base64-embedded 486KB Linux ELF, writes it to /.config/.npm-cache/snapd-network, sets mode 0777, and...
Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
The jscrambler npm package was compromised, and simply installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries a preinstall hook that drops and executes a native binary, one build each for Windows, macOS, and Linux. Socket flagg...
Malicious code in bytekit (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0bbaea22b635a4a8425964572b733b806f45714a9090492d1c39d545088fe336 The package was found to contain malicious code or consuming dependency that contains malicious code Source: kam193...
MAL-2026-6751 Malicious code in bytekit (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0bbaea22b635a4a8425964572b733b806f45714a9090492d1c39d545088fe336 The package was found to contain malicious code or consuming dependency that contains malicious code Source: kam193...
MAL-2026-6753 Malicious code in schemavault (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4ae0aa9efa2a8389cfe9d5c41d5ab3689f4965c945a24613493f94f9de033ab1 schemavault 4.1.0 is presented as a schema-validation library but ships capabilities and data that have no relationship to schema validation...
Malicious code in schemavault (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4ae0aa9efa2a8389cfe9d5c41d5ab3689f4965c945a24613493f94f9de033ab1 schemavault 4.1.0 is presented as a schema-validation library but ships capabilities and data that have no relationship to schema validation...
Malicious code in procwire (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 42f7077b3fb95ad31689f096805811e51afe78e7f21c2123d5dcc25343a11ff2 setup.py auto-executes on pip install only guarded by an internal PWDIST env var check and, on Windows, reconstructs an attacker C2 URL and XOR key a...
MAL-2026-6750 Malicious code in procwire (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 42f7077b3fb95ad31689f096805811e51afe78e7f21c2123d5dcc25343a11ff2 setup.py auto-executes on pip install only guarded by an internal PWDIST env var check and, on Windows, reconstructs an attacker C2 URL and XOR key a...
PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords
Cybersecurity researchers have flagged a new macOS information stealer called PamStealer that employs a series of clever tricks to infect systems and siphon sensitive data. The stealer, discovered by Jamf Threat Labs, is distributed as a compiled AppleScript .scpt file impersonating Maccy, a...
Malicious code in log-taker1 (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. log-taker1 embeds a full infostealer 2800 lines directly in index.js, executed at install time via postinstall: node test.js. The payload harvests cryptocurrency wallet vaults MetaMask, Phantom, Solflare,...
MAL-2026-6689 Malicious code in decimal-format-core (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. decimal-format-core uses a dropper technique: a postinstall hook executes scripts/install-check.cjs at install time, which fetches a second-stage infostealer payload from the C2 domain logstream-api.online...
Malicious code in ts-bn-proto (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. ts-bn-proto embeds an infostealer payload directly in index.js with a base64-encoded C2 address data-stream.space, executed at install time via a postinstall hook. The payload harvests cryptocurrency wallet...
Malicious code in polymarket-trading-developer-tools (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign targeting Polymarket developers. polymarket-trading-developer-tools uses a dropper technique: a postinstall hook downloads configuration from pm-trading-dev-tools-be.vercel.app and exfiltrates data to the...
Malicious code in thirdwb (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. thirdwb is a typosquat of the legitimate thirdweb package. It uses a side-loader technique, pulling in log-taker as a transitive dependency; the infostealer runs automatically via that dependency's...
Malicious code in thirdwebb (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. thirdwebb is a typosquat of the legitimate thirdweb package. It uses a side-loader technique, pulling in log-taker as a transitive dependency; the infostealer runs automatically via that dependency's...
Malicious code in console-fmt-cli (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. console-fmt-cli uses a side-loader technique: it declares decimal-format-core =3.0 as a dependency, which contains a dropper that executes at install time via a postinstall hook. The dropper fetches a...
Malicious code in decimal-format-core (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. decimal-format-core uses a dropper technique: a postinstall hook executes scripts/install-check.cjs at install time, which fetches a second-stage infostealer payload from the C2 domain logstream-api.online...
MAL-2026-6695 Malicious code in ts-bn-proto (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. ts-bn-proto embeds an infostealer payload directly in index.js with a base64-encoded C2 address data-stream.space, executed at install time via a postinstall hook. The payload harvests cryptocurrency wallet...
Malicious code in polymarket-clob-maths (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign targeting Polymarket developers. polymarket-clob-maths uses a dropper technique: a postinstall hook fetches a remote bundle from trabalhos-flax.vercel.app and executes a syncSession function that runs a...
MAL-2026-6694 Malicious code in thirdwebb (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. thirdwebb is a typosquat of the legitimate thirdweb package. It uses a side-loader technique, pulling in log-taker as a transitive dependency; the infostealer runs automatically via that dependency's...