142 matches found
Malicious code in class-synth (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1aa63407d7400b4819d0739dedad0a32d9ae29b18509693c2e8763cf30275271 class-synth is advertised as a small class/style/date utility library, but its main entry dist/index.js contains a hidden top-level async IIFE init...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristi...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristi...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristi...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristi...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristi...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristi...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristi...
Malicious Package
Overview @cloudplatform-single-spa/svp-vdi is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...
MAL-2026-5040 Malicious code in @t-in-one/only_difference_payload (npm)
Wave 2 of a dependency confusion attack campaign C2: oob.moika.tech targeting internal npm scopes. The attacker npm user t-in-one, email [email protected] published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign...
MAL-2026-4931 Malicious code in @cloudplatform-single-spa/marketplace-gigachat (npm)
Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...
Malicious code in @mlspace/allocations (npm)
Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...
MAL-2026-4904 Malicious code in @cloudplatform-single-spa/dataplatform-bi (npm)
Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...
MAL-2026-4925 Malicious code in @cloudplatform-single-spa/key-manager (npm)
Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...
MAL-2026-4349 Malicious code in clob.api (npm)
A campaign of npm packages sharing a common dropper clob.js that downloads and persistently installs a Windows executable from IPFS on postinstall. The dropper fetches the binary from IPFS CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa via multiple public gateways Pinata,...
Malicious code in vlifegram (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8771013473b84f29159a80ec15ce3e9897bc69908ddfa2438845811dd276d87c VLifeGram is published under its own name on PyPI but installs into the pyrogram/ namespace and ships a Pyrogram fork at version 2.1.2.4. It adds an...
Malicious code in puan4 (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 6be2e7028440f68ad3621664d195d72288e6a1d8658f16a421f3ec52d63d6f7a During import, package automatically starts a connection to a C2 server, exfiltrates information about the host and data like sensitive files and browsers' dat...
MAL-2026-3136 Malicious code in timestamp-py (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 d48be8ff856b19622d8bc8417db82b8752c41fb88aec5cd89d04bbee1bc729ef During import, the package automatically downloads and executes code that first acts as an infostealer and then starts code acting as a RAT. It connects with a...
PowMix botnet targets Czech workforce
Cisco Talos discovered an ongoing malicious campaign, operating since at least December 2025, affecting a broader workforce in the Czech Republic with a previously undocumented botnet we call "PowMix." PowMix employs randomized command-and-control C2 beaconing intervals, rather than persistent...
MAL-2026-2479 Malicious code in strapi-plugin-nordica-tools (npm)
strapi-plugin-nordica-tools is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network...