MAL-2026-5563 Malicious code in @sentry-internal-sdk/profiling-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c7951165844874f57819b0d63b8c8511e4e9217bf0f9231ec02f06cb6e059c47 Package name @sentry-internal-sdk/profiling-node impersonates the legitimate @sentry/profiling-node Sentry publishes under the @sentry org; no...

Malicious code in chai-mocks (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2110c382b534a2754972e66578b044823108410f3a656aad1616834d18bba322 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5059 Malicious code in chai-bundle (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5110f40393583ef41ebcfa3558d782310a40a78227a040480d871c25311b79ec Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

@11ty/eleventy (=3.0.0-alpha.16), @agiflowai/aicode-toolkit (>=0.6.0 <=1.1.0) +99 more potentially affected by CVE-2026-45357 via liquidjs (>=10.10.0 <=10.25.7)

liquidjs NPM version =10.10.0, =0.6.0, =0.1.0, =0.0.0, =0.5.5, =0.8.0, =1.0.1, =1.6.3, =3.11.0, =3.11.0, =3.11.0, =1.0.0, =1.0.0-beta.5 - @clairview/api =23.1.0 and more Source cves: CVE-2026-45357 Source advisory: OSV:GHSA-HH27-HF48-9F5Q...

MAL-2026-4695 Malicious code in turbo-axios (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 62503451ade68043379968f3dc4784fdb66424d55422854514e3ba1b10058324 turbo-axios is a typosquat of the popular axios HTTP client it re-exports the full axios API and reuses axios's repository/homepage metadata in...

Malicious code in @sec-loans-ui/utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector da55a9be9d9f90abe00e16200ea17aa78f58643e40d872d04276453dfd8a88f9 Package is a hollow lure: index.js is a 35-byte stub module.exports = , description and author are empty, and the version is bumped to 99.9.1 — the...

adaseq (=0.4.0), cosmos-predict2 (>=1.0.6 <=1.0.9) +20 more potentially affected by CVE-2025-51427 via modelscope (>=1.10.0 <=1.26.0)

modelscope PYPI version =1.10.0, =1.0.6, =0.5.4, =0.1.1, =0.6.0, =1.0.0, =0.4.0, =2.4.2, =0.1.0, =0.1.2, =0.1.0, =0.5.0, =0.7.0 and more Source cves: CVE-2025-51427 Source advisory: OSV:GHSA-FHHQ-H4HG-549X...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

MAL-2026-3814 Malicious code in @zentrafinance/sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 95b69f41a2a81d2acb41f5d3282c7db06d5c90f40918246184ddec6e878c5ecb The package @zentrafinance/sdk was found to contain malicious code. Source: ghsa-malware...

CVE-2026-42575

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and...

CVE-2026-44576 vulnerabilities

Vulnerabilities for packages: keep...

10minions-engine (>=0.0.1 <=0.0.4), @0xr404/lol404 (>=1.1.0 <=1.1.6) +3362 more potentially affected by CVE-2026-44292 via protobufjs (>=7.0.0 <=7.5.5)

protobufjs NPM version =7.0.0, =0.0.1, =1.1.0, =1.0.1-beta.0, =0.0.2-beta.0, =1.0.0, =1.5.10, =0.10.1, =1.1.0, =6.0.0, =2.0.2, =3.3.2 and more Source cves: CVE-2026-44292 Source advisory: SNYK:JS-PROTOBUFJS-16643319...

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +19 more potentially affected by CVE-2026-44009 via vm2 (>=1.0.1 <=3.11.1)

vm2 NPM version =1.0.1, =0.1.0, =1.0.0-beta.1, =3.0.46, =1.0.0-beta.1, =0.7.0, =0.0.1, =0.1.64, =0.1.61, =1.0.0, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.72.3 and more Source cves: CVE-2026-44009 Source advisory: OSV:GHSA-9VG3-4RFJ-WGCM...

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +16 more potentially affected by CVE-2026-44004 via vm2 (>=3.0.0 <=3.10.5)

vm2 NPM version =3.0.0, =0.1.0, =1.0.0-beta.1, =3.0.46, =1.0.0-beta.1, =0.1.64, =0.1.61, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.72.1 and more Source cves: CVE-2026-44004 Source advisory: SNYK:JS-VM2-16438976...

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +16 more potentially affected by CVE-2026-26332 via vm2 (>=3.0.0 <=3.10.5)

vm2 NPM version =3.0.0, =0.1.0, =1.0.0-beta.1, =3.0.46, =1.0.0-beta.1, =0.1.64, =0.1.61, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.72.1 and more Source cves: CVE-2026-26332 Source advisory: SNYK:JS-VM2-16419533...

Malicious code in bytedaaa (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 fedb317c49dbeddcfa00503c821197919801ee034dd6713e6a1c45ea68ebd7dc Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

MAL-2026-3086 Malicious code in bytedai (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 6453b603ad8bfd1ff4463c1bd86e1930757b08239ec949b01fbc95ca0c5486a6 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

08cms (=1.0.0), 0uth (>=1.0.5 <=1.2.1) +13074 more potentially affected by CVE-2026-41674 via xmldom (>=0.1.11 <=0.6.0)

xmldom NPM version =0.1.11, =1.0.5, =1.0.0, =1.0.0, =1.7.3, =0.1.0, =0.0.2, =0.0.1, =1.0.2, =1.0.3, =1.0.23, =1.0.1, =1.3.1 and more Source cves: CVE-2026-41674 Source advisory: OSV:GHSA-F6WW-3GGP-FR8H...

Malicious code in @usealloy/api-contract (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ac2459ced40bf7d07428205c0322e09c951fdc50972f337b30508ad2ad867b37 The package @usealloy/api-contract was found to contain malicious code. Source: ghsa-malware...

a-mailx (=0.1.0), almax-common (>=0.9.5 <=1.0.2.dev20240601170722) +69 more potentially affected by CVE-2026-39377 via nbconvert (>=7.0.0 <=7.17.0)

nbconvert PYPI version =7.0.0, =0.9.5, =1.0.1, =1.0.1, =0.1.0, =0.0.1, =0.1.0, =0.1.0, =0.1.10, =0.0.15, =0.1.3, =3.0.0, =0.0.1, =0.0.2 - fashiontrendforecasting =0.1.0 and more Source cves: CVE-2026-39377 Source advisory: SNYK:PYTHON-NBCONVERT-16115368...