9492 matches found
MAL-2026-5430 Malicious code in @sourceflow-uk/sourceflow-tracker (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c5bcccc37c380ce54f5bfc2bc2311fbefb6ebc3400a397cbc4afc2188fb3c11d package.json declares a dependency ltidisafe whose version specifier is the raw URL https://storage.googleapis.com/lscunpentest/packuxfoundry.tgz — a...
MAL-2026-5434 Malicious code in ac_calendar_ts (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d5b3fd92d67510aef112ac70c9af79a59b924eef29e20b1b127ea4c720182c63 On npm install, the package's canary.js postinstall script issues an HTTP GET to http://157.230.17.236/dc carrying the installer's os.hostname, packa...
MAL-2026-5435 Malicious code in ac_semantic-ui_ts (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f8b97f7d3e69494d0415e13aec8d9d51ce1f5912d8c1de45a1e563e2d1b01d3d package.json declares a postinstall hook that runs canary.js, which issues an HTTP GET to bare IP 157.230.17.236 on port 80 with query parameters...
Malicious code in @oplus/obus-core (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ed41b3738a8034ebb2e92744dd0891812f6c6fdb278e78c377045a86f2b5a34d On npm install, scripts/postinstall.js collects the installer's username os.userInfo, hostname os.hostname, current working directory process.cwd, an...
MAL-2026-5424 Malicious code in @oplus/obus-core (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ed41b3738a8034ebb2e92744dd0891812f6c6fdb278e78c377045a86f2b5a34d On npm install, scripts/postinstall.js collects the installer's username os.userInfo, hostname os.hostname, current working directory process.cwd, an...
MAL-2026-5458 Malicious code in ultimate-ai-power (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 90499eb8f54fcc67c067ef7d5397153b4abfc5bbca9d96e7deb291152f49ed3f On import ultimateaipower, the package's top-level init.py collects the local username getpass.getuser and resolved host IP socket.gethostbyname and...
MAL-2026-5404 Malicious code in cubifyanything (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2cab88d6047b15dbb32ca245f083a7eecd1df75ce183d47637c6c9edf5cfd0b4 cubifyanything 1.0.1 is a dependency-confusion squat shipping no real functionality top-level cubifyanything/init.py is 0 bytes and a setup.py that...
Malicious code in @open-banking/cabinet-providers (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 376acc0a3b29a3d768a5be7ea618329182989929f9e31fac8c176836b7c4b280 @open-banking/[email protected] is a dependency-confusion bait package anomalously high version under a generic scope that exfiltrates...
Malicious code in savant-listing (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7360e78a5c5d56ea9323cde1f41e33ce8cc6b625034ef82d067bbfeafee60461 [email protected] is a dependency-confusion squat. package.json declares both install and postinstall lifecycle scripts that run curl...
Malicious code in multica (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d7d3e4277fb571072315c7f64c269029cd53c78b3ff27ec5536d748c659fd6a2 Package is published at version 9999.99.99 with a description referencing an npm 404 in multica-ai/multica and a main module that recursively require...
MAL-2026-5400 Malicious code in multica (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d7d3e4277fb571072315c7f64c269029cd53c78b3ff27ec5536d748c659fd6a2 Package is published at version 9999.99.99 with a description referencing an npm 404 in multica-ai/multica and a main module that recursively require...
Malicious code in create-docs-mcp (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd4381fd77419441a2eefe6b22adef6c9f5adfe1b92be5d071abd5908fdf8647 Package is published at version 9999.99.99 — the canonical high-version override used in dependency-confusion attacks against private/internal packag...
MAL-2026-5397 Malicious code in create-docs-mcp (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd4381fd77419441a2eefe6b22adef6c9f5adfe1b92be5d071abd5908fdf8647 Package is published at version 9999.99.99 — the canonical high-version override used in dependency-confusion attacks against private/internal packag...
Malicious code in t-invest-mcp-server (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46c186ac158f68845fc995a94d15d44c2b65a521d2619d2850232e58f4a61419 Package is a dependency-confusion squat: package.json sets version 9999.99.99 the canonical max-version trick used to win resolution against any...
MAL-2026-5342 Malicious code in kecak256 (npm)
kecak256 is a typosquat of the popular keccak256 package one c dropped that ships a credential-stealing payload executed automatically on install. The package spoofs the legitimate keccak256 project — author "Miguel Mota", matching description, README, and keywords — and includes a benign decoy...
Malicious code in swap-sdk-87 (npm)
Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling c960+. postinstall auto-execs, src/index.js harvests /.ssh keys + Sol/Eth/BTC/Tron/Sui/Aptos wallets + .env + seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894 not rotated. Inflated version...
Malicious code in blockchain-helper-0 (npm)
Note: This report is updated by a verification record Crypto/SSH/wallet stealer self-labeled "CRYPTO STEALER". postinstall scripts/postinstall.js auto-execs, src/index.js harvests /.ssh/idrsa + wallet keys/seeds + env and exfils to hardcoded Telegram bot...
Ansible-core: argument injection in ansible-galaxy role install leads to arbitrary code execution
...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...