MAL-2026-6445 Malicious code in base58-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c10874ae13f1937b6974bcaaec72996e54f85fc3de6bf5e53d732f6e1f37c8a3 The package presents itself as a Base58 encoder/decoder but on require arms a malicious payload that is time-gated to activate 72 hours after first...

MAL-2026-5862 Malicious code in vitest-pro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 39810890a1ffc946b3da439738fb619eab1613a775a308d6f248b80b38ce5603 Package vitest-pro is a namespace-abuse lure: its name suggests a vitest extension, but its source tree, README, and main entry lib/nodemailer.js are...

MAL-2026-5557 Malicious code in janus-ft (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8d7caaba8f20d0f04bcb79ab4046d34bea20b858ed3fc37931c76109b366835f On npm install, the package's postinstall.js script harvests installer-side secrets and ships them to a hardcoded bare-IP C2 endpoint. Specifically, ...

Malicious code in events-runtime (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aac4806dc5c887c91db1f2570abcae5b98d62dfae36bea2ddb9e2449efd62eca Package name and description impersonate the popular events package Node's event emitter for all engines. The vendored events.js adds an undocumented...

CVE-2025-14713

An Exposed Dangerous Method or Function vulnerability in Synology C2 Identity Edge Server package in DSM before 1.76.0-0307 allows remote attackers to obtain user credentials from the edge server...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristi...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristi...

MAL-2026-5164 Malicious code in @emcd-vue/b2b-pay-form (npm)

Part of a coordinated multi-package supply-chain attack impersonating EMCD emcd.io, a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to distribute multiple malicious packages posing as internal tooling under the "EMCD Platform...

Malicious Package

Overview @cloudplatform-single-spa/container-registry is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...

Malicious code in @t-in-one/add_application (npm)

Wave 2 of a dependency confusion attack campaign C2: oob.moika.tech targeting internal npm scopes. The attacker npm user t-in-one, email [email protected] published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign...

Malicious code in @t-in-one/add_application_service_token (npm)

Wave 2 of a dependency confusion attack campaign C2: oob.moika.tech targeting internal npm scopes. The attacker npm user t-in-one, email [email protected] published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign...

ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More

Every time you think the industry has finally stopped doing some reckless, low-effort crap, somebody spins up a fresh box full of sketchy loaders, fake installers, recycled social-engineering bait, and enough exposed infrastructure to make you wonder if prod is just a public beta now - meanwhile...

Malicious code in @cloudplatform-single-spa/evocs (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

Malicious code in @cloudplatform-single-spa/svp-interfaces (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

Malicious code in @cloudplatform-single-spa/iam (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

Malicious code in @cloudplatform-single-spa/ml-ai-agents-system-prompt (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

MAL-2026-4914 Malicious code in @cloudplatform-single-spa/dns (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

Malicious code in @car-loans/deal-aff (npm)

Part of a dependency confusion attack campaign targeting the @car-loans, @fb-deposit, and @debit-ib npm scopes. The attacker npm user pik-libs published 25 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version resolution,...

Malicious code in @cloudplatform-single-spa/arenadata-db (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

Malicious code in @cloudplatform-single-spa/redirect (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...