OSSF Malicious Packages
added 2026/05/25 2:15 p.m.

Malicious code in platform-tempo (npm)

Source: amazon-inspector 6d1c69e098c3ebeb2876b746523bea0220034b429f58e0a55683f0ee2c8776cd
[email protected] declares a preinstall hook that runs poc.js on every npm install. The script collects host identity os.hostname, whoami /all /...

AI score: 5.8
Exploits: 0, References: 1

OSSF Malicious Packages
added 2026/05/25 10:36 a.m.

Malicious code in muaddib-scanner (npm)

Source: amazon-inspector c8eea5d3ed390c4c82b5bfa89ac220f1d424fcaebe70fe71bbbe3bce66f0f48f
package.json declares "loadash": "^1.0.0" as a runtime dependency. loadash is a well-known typosquat of lodash and is never required or imported...

AI score: 5.8
Exploits: 0, References: 1

OSV
added 2026/05/22 4:27 p.m.

MAL-2026-4508 Malicious code in cdk-insights (npm)

Source: amazon-inspector fa41acb776dbedfe93c37899783a5e54b78017ac31576c798a27eae6b9e9ec89
The package contains code in dist/entry.js and dist/index.js that invokes npm publish programmatically combined with writeFileSync operations — the...

AI score: 5.9
Exploits: 0, References: 1

OSV
added 2026/05/12 10:22 p.m.

GHSA-RG65-45M7-HQ57 esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files

Summary: A Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process. Details: The vulnerable...

CVSS: 7.5, AI score: 6, EPSS: 0.00057
Exploits: 0, References: 3

Positive Technologies
added 2026/05/12 12:00 a.m.

PT-2026-40543

Name of the Vulnerable Software and Affected Versions: esm.sh versions 137 and earlier. Description: A Local File Inclusion (LFI) issue exists in the esbuild plugin's handling of the browser field within the package.json file. An attacker can publish a malicious npm package that leverages ../ sequence...

CVSS: 7.5, AI score: 5.9, EPSS: 0.00057
Exploits: 0, References: 5

OSV
added 2026/01/02 3:11 p.m.

GHSA-W3X5-7C4C-66P9 Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)

Summary: An unauthenticated attacker can pollute the internal state restoreFilePath of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., security.json,...

CVSS: 9.6, AI score: 8.9, EPSS: 0.00139
Exploits: 3, References: 5

OSV
added 2026/01/01 6:00 p.m.

CVE-2025-66398 Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state restoreFilePath of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator's "Restor...

CVSS: 9.6, AI score: 7.6, EPSS: 0.00139
Exploits: 3, References: 4

OSSF Malicious Packages
added 2025/11/13 3:23 a.m.

Malicious code in polaris-publish-vortex-jekyll (npm)

Source: amazon-inspector ebce85812e6fc46ef9fcc86a5c7993e6c77bffb1288c327defb1b194eb04254c
This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m.

Malicious code in jovian-postgres-webdriver-mocha-await (npm)

Source: amazon-inspector 4ecf3fd1d508e4debb89f36a79eb6c7ac29572b4b9404eb582a72f90583c8daf
This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m.

Malicious code in speleology-pipe-pino-puppeteer (npm)

Source: amazon-inspector bc12667834e75d07b49fcd90c909c4159cb87514b0d23ee6ae4ae93afb1756b7
This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m.

Malicious code in orbit-typeorm-nucleosynthesis-tectonic (npm)

Source: amazon-inspector 6dd0f8906ebfbf9c904bb008379e1ef26813caad53f6b2009b17913f630de464
This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m.

Malicious code in cosmiconfig-deimos-kaus-hyperion (npm)

Source: amazon-inspector 9b417397ddce4e37930565b0788e7a53a679b19a15884a94a966067146ae2b85
This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m.

Malicious code in extremophile-ophiuchus-rollup-plugin-subscription (npm)

Source: amazon-inspector 0d5814aeadd2075aafefcfdf7e08fa80138940a6d61e92b031d99103d60885e4
This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m.

Malicious code in beta-error-rho-authenticate-tree (npm)

Source: amazon-inspector 30cc2769230687e6e7eada5a89a33afaecb48c332be1d59dc5e4f2b0ba46f3f7
This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m.

Malicious code in assert-zeta-visualize-data-char (npm)

Source: amazon-inspector 2bf70c747e8b5236dda3b3cab1f3c6287cc1cca1e6a49f13b239239537aabba5
This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m.

Malicious code in wind-char-function-resolve-enum (npm)

Source: amazon-inspector f350467942a4a8ea041da2a995b65503e5774b4faf4936634f965be557a5c4d2
This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m.

Malicious code in config-cross-env-nova-bunyan (npm)

Source: amazon-inspector eec2e3c10bc0dfd078bb269217828be6878379754bbd7321847eb20ddb238aa4
This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m.

Malicious code in reject-book-catch-module-short (npm)

Source: amazon-inspector 4b8b14b5a95ce44e95fff509182c83b828055877000a05d9e7b4447abe77c430
This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m.

Malicious code in phylogenetics-fork-tectonic-cosmology (npm)

Source: amazon-inspector 20cd04db7ff79d34415c4910ccf5f498e218ce9c415f6d4a1e893027ad764142
This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m.

Malicious code in spawn-webpack-nightwatch-slides (npm)

Source: amazon-inspector 318806806d481ef740dd17c622bc164b94a295e29a9282fc7c00d3951dfeaee0
This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9
Exploits: 0