CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 2026/06/15 3:54 p.m.•9 views

Malicious code in nativescript-swisspost-pcc-creative-editor (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a9c9ef8861d14485e696e98c66d95ee5c2a5a608b213841c9c18b254003ae049 Package masquerades as an internal Swiss Post NativeScript package name nativescript-swisspost-pcc-creative-editor, description literally Security Po...

6AI score

OSV•added 2026/06/09 5:38 p.m.•6 views

MAL-2026-5422 Malicious code in @nstrlabs/shared-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector efc72373a5a06d31becb2dd02ced949866c9da14ae6d0bfdb3b4f4c882e40445 On npm install, the package's preinstall script runs index.js, which collects host identifiers os.hostname, os.userInfo.username, dirname, process.cw...

5.5AI score

OSSF Malicious Packages•added 2026/05/29 12:0 a.m.•9 views

Malicious code in @t-in-one/add_application_tid (npm)

Wave 2 of a dependency confusion attack campaign C2: oob.moika.tech targeting internal npm scopes. The attacker npm user t-in-one, email [email protected] published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign...

OSV•added 2026/05/29 12:0 a.m.•5 views

MAL-2026-5044 Malicious code in @t-in-one/restore_application_hid_from_storage (npm)

OSSF Malicious Packages•added 2026/05/29 12:0 a.m.•12 views

Malicious code in @t-in-one/add_application_service_token (npm)

OSSF Malicious Packages•added 2026/05/29 12:0 a.m.•12 views

Malicious code in @t-in-one/prefill_credit_data_token (npm)

OSSF Malicious Packages•added 2026/05/28 12:0 a.m.•17 views

Malicious code in @debit-ib/mobile-debit-ib-additional-card-form (npm)

Part of a dependency confusion attack campaign targeting the @car-loans, @fb-deposit, and @debit-ib npm scopes. The attacker npm user pik-libs published 25 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version resolution,...

OSSF Malicious Packages•added 2026/05/28 12:0 a.m.•10 views

Malicious code in @car-loans/restore (npm)

OSSF Malicious Packages•added 2026/05/28 12:0 a.m.•10 views

Malicious code in @cloudplatform-single-spa/disks (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

OSSF Malicious Packages•added 2026/05/28 12:0 a.m.•7 views

Malicious code in @cloudplatform-single-spa/ml-inference-docker-run (npm)

OSSF Malicious Packages•added 2026/05/28 12:0 a.m.•14 views

Malicious code in @cloudplatform-single-spa/dataplatform-metastore (npm)

OSSF Malicious Packages•added 2026/05/28 12:0 a.m.•9 views

Malicious code in @cloudplatform-single-spa/advanced (npm)

OSV•added 2026/05/28 12:0 a.m.•6 views

MAL-2026-4921 Malicious code in @cloudplatform-single-spa/evolution (npm)

OSSF Malicious Packages•added 2026/05/20 3:57 a.m.•11 views

Malicious code in @pluxee-connect/api-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0f5056dda18e9a9f440db7379d09fa1f9f7ff087ac00d6684170cddd40c240e9 On npm install, postinstall.js collects os.hostname, os.userInfo, and process.version and transmits them over plain HTTP to...

OSV•added 2025/03/17 5:49 p.m.•4 views

PYSEC-2025-8 After the owner removed the project from PyPI, another user uploaded a new version with non-working code

The pygments-style-solarized project was removed from PyPI by its owner on 2021-08-26. The GitHub repository was also updated to show unmaintained, and archived on 2025-08-31. Another user uploaded a new version, 100.10.7, which contains non-working code, with clear language that it intends to be...

7.1AI score

The Hacker News•added 2024/04/23 2:0 p.m.•27 views

Apache Cordova App Harness Targeted in Dependency Confusion Attack

Researchers have identified a dependency confusion vulnerability impacting an archived Apache project called Cordova App Harness. Dependency confusion attacks take place owing to the fact that package managers check the public repositories before private registries, thus allowing a threat actor t...

7.2AI score

Exploits0

Snyk•added 2023/03/01 8:18 a.m.•3 views

Malicious Package

Overview png-export is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package was...

9.8CVSS7.1AI score

Snyk•added 2022/06/23 9:26 a.m.•4 views

Malicious Package

Overview region-info is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package was...

9.8CVSS7AI score

Snyk•added 2022/06/23 9:25 a.m.•4 views

Malicious Package

Overview @loomble/cspell-dictionary is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if thi...

9.8CVSS7AI score