MAL-2026-5109 Malicious code in shopifyto-cms (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5f0fb4ee5fa3c58016b3fa60c91ff3a9b5f30d82cbf65b239a096ef850ccb475 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5157 Malicious code in @tse-digital/core (npm)

Dependency confusion attack campaign targeting Scandinavian telecommunications and digital services organizations Telenor, Ownit, Vimla, and Customer 360 / C360. Four packages published by the debating0166 npm account use inflated version numbers 99.0.x to win npm registry resolution over private...

MAL-2026-5130 Malicious code in @redhat-cloud-services/integrations-client (npm)

Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...

Malicious code in @redhat-cloud-services/topological-inventory-client (npm)

Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...

Malicious code in @redhat-cloud-services/chrome (npm)

Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...

MAL-2026-4917 Malicious code in @cloudplatform-single-spa/employees (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

Malicious code in @car-loans/close-flow-module (npm)

Part of a dependency confusion attack campaign targeting the @car-loans, @fb-deposit, and @debit-ib npm scopes. The attacker npm user pik-libs published 25 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version resolution,...

MAL-2026-4321 Malicious code in motion-ui-tool (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 21ddce58f1bde22bf0563aee5f71aefe48c82ad61076557935bf8fff16eb9df3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in eo-terminal (npm)

Part of a multi-package malicious campaign by npm author toskypi, eo-terminal is a fully-featured infostealer and remote access trojan RAT disguised as "terminal changelog logger utilities." The package README describes a completely different package terminal-logger-utils, indicating a...

Malicious code in @flipbit2-bb/test-auth-state (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 52ba26e89d1aca1f10772bf4cc8c9b23a436a39a8442fdf4ba9abf6c4c890e63 On npm install, a postinstall script phone-home.js collects os.hostname, os.userInfo.username, process.platform + os.release, a timestamp, and a...

MAL-2026-3847 Malicious code in openclaw-cn (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 98bf501cd2484b70d4811afe69007c54a9a94bcd9c137c0782a0c610a475b434 The package openclaw-cn was found to contain malicious code. Source: ghsa-malware 8f29660ec3d5b6462ff4857bf0696a14fbcf401d5f3a074376b0c9840b380612 An...

MAL-2026-3890 Malicious code in @antv/f2-algorithm (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

Malicious code in @tanstack/start-server-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7db0631bb410a51551790c0b55b574d53aea5d7a677439e6f3cf877503317658 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in okx-nav (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6ab3eb270d52d290185b24d8da75ec720b1c6d2403eb5bfeee0127d98edff14f The package okx-nav was found to contain malicious code. Source: ghsa-malware 3961b5dc52e388cd7ea999f85a4541bfc0e083e63afad50184fea746d70d275d Any...

MAL-2026-2602 Malicious code in etsy-advocacy (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 954b1d4bfe5cfc54379a9fc61d30f5941755592aea62781a2a17e175d6eb38f3 The package etsy-advocacy was found to contain malicious code. Source: ghsa-malware ecd69e1f886e5959e3de00ca5b1235a1c05bef9098aab53be35030cb7b8e007b...

Malicious code in babel-plugin-fbtee (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 82da31ad0bc5f3d25505f208dd3be88eaff3e4054e429cbdc7601dc5e3a3d42d The package babel-plugin-fbtee was found to contain malicious code. Source: ghsa-malware...

Malicious code in yelp-biz-action-constants-js-generated (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 063bb3466bef20db9d0f0c8436b384fe8b498ccceef3993ab43e0482b43efc40 The package yelp-biz-action-constants-js-generated was found to contain malicious code. Source: ghsa-malware...

MAL-2026-2090 Malicious code in netflixid (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 959c71962643ba913ba0ec6bc9e5eb59a0b0546194ef23c12bbd7ba4996c60f5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-1972 Malicious code in wildhunter (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd5020979c3e9df261b6bb1525d91874b0c3dd993d6007d1f5f3fe40293a9a6c The package wildhunter was found to contain malicious code. Source: ghsa-malware ef86dd0267c3525fb9b185c8193ead59125fee1e3e962e357ac027f43dfc74cf Any...