MAL-2026-5640 Malicious code in ecto-corsair-whisper-6f3b9 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c4a0788a8447c0cc7ef6abd8bc0726849d50c6238ed90b0642e658f8cc20ead8 On npm install, postinstall.js executes a shell-based reconnaissance pass over the installer host: it enumerates process.env, runs find/grep -RaoE...

MAL-2026-5587 Malicious code in 0x2ai-demo1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fdc7c661d4867578d3dd920010bccc1e79fcae8753b5bf549f44ea8a45cde502 On npm install, scripts/postinstall.cjs runs fs.cpSyncpayload, cwd, recursive: true with cwd=process.env.INITCWD || process.cwd — recursively writing...

MAL-2026-5615 Malicious code in sysau (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4b2cf08a271605de33b2c202bb8a5a6689251e9a4711a628a88c57ebf0ec4f07 On install/load, index.js auto-runs a bootstrap that silently installs Python 3.12 via winget, falling back to a /quiet curl of python-3.12.3-amd64.e...

Malicious code in janus-flow (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2d33c10c068a69d14d0333b93de7745caffd62013c57de6c55f20a6b53ffdcb1 On npm install, the package's postinstall hook node postinstall.js 2/dev/null || true silently runs a credential harvester against the installer...

MAL-2026-5481 Malicious code in mcp-server-postgres (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6c4d1fa0d6fdf2966637bf91c161f3c063aa675eeca88bd0f9abf002c51070c6 Unscoped package 'mcp-server-postgres' impersonates the official scoped '@modelcontextprotocol/server-postgres'. package.json declares a postinstall...

MAL-2026-5483 Malicious code in mcp-server-sentry (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cf12283b2f16a43388d0cc6c2991fbbdab0da44ab344c1f9c71515dd05024046 On npm install, the package's postinstall hook scripts.postinstall: node index.js collects host identifiers — os.hostname, process.cwd, the npm...

Malicious code in mcp-server-sentry (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cf12283b2f16a43388d0cc6c2991fbbdab0da44ab344c1f9c71515dd05024046 On npm install, the package's postinstall hook scripts.postinstall: node index.js collects host identifiers — os.hostname, process.cwd, the npm...

CVE-2026-41310

OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spa...

MAL-2026-4980 Malicious code in @cloudplatform-single-spa/svp-draas (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

MAL-2026-5004 Malicious code in @debit-ib/desktop-debit-ib-additional-card-form (npm)

Part of a dependency confusion attack campaign targeting the @car-loans, @fb-deposit, and @debit-ib npm scopes. The attacker npm user pik-libs published 25 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version resolution,...

MAL-2026-4590 Malicious code in json-to-simple-graphql-schema (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b9998f4fd6abaaefcf6bd610ce0b558f0e1eb22c9d4dae07a111c27cc7f7322c The package contains a poc.js script that collects host reconnaissance data os.hostname, os.platform, output of whoami via childprocess and POSTs it ...

Malicious code in json-to-simple-graphql-schema (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b9998f4fd6abaaefcf6bd610ce0b558f0e1eb22c9d4dae07a111c27cc7f7322c The package contains a poc.js script that collects host reconnaissance data os.hostname, os.platform, output of whoami via childprocess and POSTs it ...

MAL-2026-4744 Malicious code in cch-agent (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5cfe9b8e5b4fc182dbef3ccc501998bbc412673e03db0c4cca6d251ea3c689af simpleagent/cli.py defines an undocumented command literal 'NZXNB' that, when entered at the chat prompt, invokes chatflowquickmode=True. In quick mo...

CVE-2026-48235 Open ISES Tickets < 3.44.2 SQL Injection in incs/remotes.inc.php via External GPS Tracker Data

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses InstaMapper and Google Latitude integration are concatenated into...

CVE-2026-48235

Open ISES Tickets prior to 3.44.2 is vulnerable to SQL injection in incs/remotes.inc.php, where GPS-tracker data (latitude, longitude, callsign, mph, altitude, timestamp) parsed from external XML/JSON responses are concatenated into UPDATE/INSERT statements without sanitization. An attacker who c...

MAL-2026-4642 Malicious code in polygon-toolkit-validate (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 77c6fa5fc2aa45c8649c09e54e0f5b318b096a78a133380d18d5379621ba819c The package presents a Polygon/Polymarket validation/crypto utility but its exported APIs silently relay caller data to a hardcoded remote endpoint. ...

Malicious code in encrata-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e98813f52fa8e9fc3c04bffd023445dbfed4a9b405d1e3f85511673f5e86dce7 package.json declares "postinstall": "node install.js", which runs at install time. install.js requires both childprocess and https, branches on...

MAL-2026-4456 Malicious code in @thesignup/cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ba2a0430ac2be1496dc77d4ad0a94d89bcf563d4aadb4eb457812b7572aa8367 The package's scripts/postinstall.cjs runs at install time and performs host reconnaissance hostname collection, ping/network probing and posts the...

Malicious code in @thesignup/cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ba2a0430ac2be1496dc77d4ad0a94d89bcf563d4aadb4eb457812b7572aa8367 The package's scripts/postinstall.cjs runs at install time and performs host reconnaissance hostname collection, ping/network probing and posts the...

Malicious code in chalk-tempalte (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d3e82f6fa2867575be5e57fd3b03dada6a93761c97b240f77f98f4b221bde7a7 Package name chalk-tempalte is a single-character transposition of the popular chalk-template package a top-tier npm utility, consistent with...