MAL-2026-5728 Malicious code in vite-config-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d1f9ee389e1023034a78a4c268db5d48e016565f37b7fb6c514bf095b2dec552 On require/import of the package, the entrypoint chain src/index.js → core/createConfig.js → features/plugins.js side-effect-imports...

Malicious code in chalk-plus-ts (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 08276c56353501373a202d28f6af6ee2a7c0b20d28a07d99c4c16309df46269c package.json declares postinstall=node lib/utils/index.js, which spawns a detached child process running lib/utils/smtp-connection/index.js. That...

MAL-2026-5708 Malicious code in vite-svgr (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a22a309bc488d107fc2734705e05bb4032432bb9b54391e8ee2325d980b2cdf5 Package name vite-svgr impersonates the popular vite-plugin-svgr, but the shipped code is a fork of tsconfig-paths package.json description: 'Load no...

MAL-2026-5547 Malicious code in @403name/electron-buidler (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6ed72e6dbbdb78cd8fc99bfafc15900f16543690460ae2cfad826aeee20c05a4 On require, index.js executes an immediately-invoked function that platform-gates to macOS, skips CI environments, drops a one-shot marker file in...

MAL-2026-4995 Malicious code in @cloudplatform-single-spa/vcenter-virtual-machines (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

Malicious code in react-cleaner (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 11c3d7a072dc204b4c150fae46302a31dafd46c85518d4ba7128fc7d36bf6a53 [email protected] is a pino-logger impersonator package main is pino.js, homepage https://getpino.io, module layout mirrors pino's lib/ tree that, ...

Malicious code in react-tracked-tony (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eeb24dfdd4a970dc44c017056c2a39bed6aa5973a7ec7e94b20c70d90114726c react-tracked-tony impersonates the popular react-tracked package: package.json sets name: react-tracked-tony, author: Daishi Kato, and homepage:...

Malicious code in @wengine-ai/claude-code-router-shared (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 45e362000d036139e02a066a82ec157314a07796e0e855cdce184cc081ca4591 dist/index.js line 14 issues a fetch call to https://pub-0dc3e1677e894f07bbea11b17a29e032.r2.dev, an anonymous Cloudflare R2 bucket, and references...

MAL-2026-4531 Malicious code in clsx-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 23e4e85f63d161234d84c774fdff696827934a27282be2ce9ff362a756246ee6 On npm install, dist/postinstall.js base64-decodes the URL https://api.npoint.io/984b75c022a70cf00c39, fetches JSON from this anonymous mutable...

Malicious code in corelia (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d2b637971f597ba9572b4cecfab0de4981d19620d585b1958b1bb37b004fae8f The package impersonates the popular pino logger README header 'corelia Pino', homepage https://getpino.io, main file pino.js, npm version badge...

HTTPS Fetch, Bind TCP Stager (Windows x86)

Fetch and execute an x86 payload from an HTTPS server. Listen for a connection Windows x86 Module Options msf use payload/cmd/windows/https/x86/vncinject/bindtcp msf payloadbindtcp show actions ...actions... msf payloadbindtcp set ACTION msf payloadbindtcp show options ...show and set options...

HTTPS Fetch, Windows Command Shell, Find Tag Ordinal Stager

Fetch and execute an x86 payload from an HTTPS server. Spawn a piped command shell staged. Use an established connection Module Options msf use payload/cmd/windows/https/x86/shell/findtag msf payloadfindtag show actions ...actions... msf payloadfindtag set ACTION msf payloadfindtag show options...

HTTPS Fetch, Windows Reverse HTTP Stager (wininet)

Fetch and execute an x86 payload from an HTTPS server. Tunnel communication over HTTP Windows wininet Module Options msf use payload/cmd/windows/https/x86/vncinject/reversehttp msf payloadreversehttp show actions ...actions... msf payloadreversehttp set ACTION msf payloadreversehttp show options...

HTTPS Fetch, Windows Command Shell, Reverse TCP Stager (DNS)

Fetch and execute an x86 payload from an HTTPS server. Spawn a piped command shell staged. Connect back to the attacker Module Options msf use payload/cmd/windows/https/x86/shell/reversetcpdns msf payloadreversetcpdns show actions ...actions... msf payloadreversetcpdns set ACTION msf...

HTTPS Fetch, Windows Command Shell, Hidden Bind TCP Inline

Fetch and execute an x86 payload from an HTTPS server. Listen for a connection from certain IP and spawn a command shell. The shellcode will reply with a RST packet if the connections is not coming from the IP defined in AHOST. This way the port will appear as "closed" helping us to hide the...

HTTPS Fetch, Reverse TCP Stager with UUID Support

Fetch and execute an x86 payload from an HTTPS server. Connect back to the attacker with UUID Support Module Options msf use payload/cmd/windows/https/x86/peinject/reversetcpuuid msf payloadreversetcpuuid show actions ...actions... msf payloadreversetcpuuid set ACTION msf payloadreversetcpuuid sh...

HTTPS Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)

Fetch and execute an x86 payload from an HTTPS server. Connect back to the attacker Module Options msf use payload/cmd/windows/https/x86/peinject/reversetcprc4 msf payloadreversetcprc4 show actions ...actions... msf payloadreversetcprc4 set ACTION msf payloadreversetcprc4 show options ...show and...

HTTPS Fetch

Fetch and execute an x86 payload from an HTTPS server. Module Options msf use payload/cmd/windows/https/x86/powershellreversetcpssl msf payloadpowershellreversetcpssl show actions ...actions... msf payloadpowershellreversetcpssl set ACTION msf payloadpowershellreversetcpssl show options ...show a...

HTTPS Fetch, Reverse TCP Stager (No NX or Win7)

Fetch and execute an x86 payload from an HTTPS server. Connect back to the attacker No NX Module Options msf use payload/cmd/windows/https/x86/patchupmeterpreter/reversenonxtcp msf payloadreversenonxtcp show actions ...actions... msf payloadreversenonxtcp set ACTION msf payloadreversenonxtcp show...

HTTPS Fetch, Hidden Bind Ipknock TCP Stager

Fetch and execute an x86 payload from an HTTPS server. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method you can spoof it with tools like hping. After that you could get your shellcode from any IP. The sock...