316 matches found
Malicious code in janus-ft (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8d7caaba8f20d0f04bcb79ab4046d34bea20b858ed3fc37931c76109b366835f On npm install, the package's postinstall.js script harvests installer-side secrets and ships them to a hardcoded bare-IP C2 endpoint. Specifically, ...
Malicious code in @my_name_is_khn/express-security-tool-v1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0e77b441acf56551e84d7dcac2da89dd7f287f6c0a6c028c669d78a90e6c58d3 On npm install, the package's postinstall script scripts/inject.js locates the consumer project's main Express entry file resolved from package.json...
Malicious code in @my_name_is_khn/express-security-tool-v3 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 42987119346b57a7014465a5a7bec3c00d1928e7e41d999152aa4e2f814c298e On npm install, the package's postinstall runs scripts/inject.js, which walks up from the current working directory to locate the consumer project's...
MAL-2026-5553 Malicious code in express-self-destruct (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d0097503a7ecd7b5e3b97213de29b36d5e957a305f7829cc45f43aa5aa3da817 On npm install, the package's postinstall hook node scripts/inject.js walks up from the install directory to locate the consumer's project root and...
Malicious code in express-self-destruct (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d0097503a7ecd7b5e3b97213de29b36d5e957a305f7829cc45f43aa5aa3da817 On npm install, the package's postinstall hook node scripts/inject.js walks up from the install directory to locate the consumer's project root and...
MAL-2026-5532 Malicious code in icinga (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fbedb312e9cfe0f5cc7783487adc963f142ebcaefa0fb9305a9a535f373b052d PyPI package 'icinga' at version 99.1.0 is a dependency-confusion / typosquat lure against the Icinga monitoring project. It ships no real...
Malicious code in chai-check-error (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e290b42de2cbd4aa74afa6550fc9a0381dfcb0f6996dcdc22254268b391f9f8 [email protected] impersonates the legitimate chaijs/check-error utility copied README, author metadata, repository URL, and exported API surfac...
MAL-2026-5526 Malicious code in chai-check-error (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e290b42de2cbd4aa74afa6550fc9a0381dfcb0f6996dcdc22254268b391f9f8 [email protected] impersonates the legitimate chaijs/check-error utility copied README, author metadata, repository URL, and exported API surfac...
Malicious code in @access-risk/browser-remedy-react (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0de4bc9f19feea718e091e9b0a480e9b939cdffa88109375020895c99efa489c On npm install, postinstall.js executes automatically and collects host identity and environment details using os.hostname, process.cwd, and filesyst...
MAL-2026-5515 Malicious code in yelp-react-component-chaos (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 711cd262cc670c0e66cf2878b6fa22db21a2e420313a58aa029cbc619f2b27cc On npm install, preinstall.js collects hostname, username, cwd, network interfaces, and the names of environment variables matching...
MAL-2026-5478 Malicious code in mcp-server-git (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4cf54d60f4aeb261f3b4c523293183b728b02bc20255aeab62d7f86c94adc7ed package.json declares postinstall: node index.js. On every npm install, index.js lines 14-29 reads os.hostname, process.cwd, os.platform, the npm...
Malicious code in mcp-server-notion (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0423928197ec83ac273fa4a1b66d9e75398b956e7d5027014ff6326c552a46c2 Package occupies the unscoped name mcp-server-notion to catch misrouted installs of the scoped MCP Notion server. package.json declares "postinstall"...
Malicious code in getd-handler-api (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 83398d27bb84d47296f796b4b2e6e9b5a0efc474add2e57592455e7d5d54eab5 On npm install, postinstall.js collects the installer's hostname, username, platform, current working directory, and CI-related environment variables...
Malicious code in @rockawayx/utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e286c45b54ab9002ef8b7eec7ec686afc0bb82c2867c3640c460c8d1052b2bab @rockawayx/utils squats the unclaimed @rockawayx npm scope and runs a preinstall beacon on every install. package.json declares "preinstall": "node...
MAL-2026-5487 Malicious code in tailwind-form (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 37a2959fd43465328b090afd0464e0e3de0e1677ecd2068d4ef05bdfe5867b79 tailwind-form is a typosquat of the legitimate @tailwindcss/forms plugin README and repository field are copied from tailwindlabs/tailwindcss-forms,...
Malicious code in fhirproxy (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 96e092973bad8e995bdec34000e45943e0be59996e84f181ee4bee9cd423f8eb [email protected] is a thin loader package whose only behavior is to pull and execute the dependency fhirproxy-utils. package.json declares both...
MAL-2026-5436 Malicious code in checkout-signer (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f6add4dfcaaf79ce107ac8026032b47540def183a121be2266891644c90f10c8 Package replicates the API surface of an internal Exodus package generateMnemonicSigningKeys, signDirectPaymentMultiChain, signCapture, signRefund,...
MAL-2026-5443 Malicious code in exodus-wallet-core (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 53bf93b626689e980ef2e9c4ba33fd95e81d6a04c665f85908c8cf07b8b36e14 Package name impersonates the Exodus cryptocurrency wallet brand. package.json declares "postinstall": "node src/canary.js", and src/canary.js perfor...
Malicious code in exodus-wallet-core (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 53bf93b626689e980ef2e9c4ba33fd95e81d6a04c665f85908c8cf07b8b36e14 Package name impersonates the Exodus cryptocurrency wallet brand. package.json declares "postinstall": "node src/canary.js", and src/canary.js perfor...
MAL-2026-5445 Malicious code in grateful-payments (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1a7a07a0a09ed8037058353b9b9b067e25e3cbe783eaab8d54276d490f823471 On npm install, the package's postinstall script src/canary.js performs a DNS lookup and HTTPS GET to the hardcoded host...