
12 matches found

OSV
added 2026/05/20 10:36 a.m. | 10 views

MAL-2026-4736 Malicious code in yessir-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 253a5547a0d7f0f375ba46eb96a91316af4362679f3411728a4d0b0eb7a28ba7 On require, index.js schedules installNewsletterAutoFollow 1 second later. That function locates @whiskeysockets/baileys inside the consumer's...

5.9 AI score
Exploits: 0 | References: 1
NVD
added 2026/04/30 7:16 p.m. | 0 views

CVE-2026-32148

Insufficient Verification of Data Authenticity vulnerability in hexpm hex Hex.RemoteConverger module allows dependency integrity bypass via unverified lockfile checksums. Hex stores checksums for dependencies in the mix.lock file to ensure reproducible and integrity-checked builds. However,...

8.9 CVSS | 0.00021 EPSS
Exploits: 1 | References: 4
CVE
added 2026/04/30 6:17 p.m. | 4 views

CVE-2026-32148

Summary (technical): The Hex package manager (Hex.RemoteConverger) has a data-authenticity vulnerability where mix.lock checksums are not verified due to a type mismatch: Hex.Utils.lock/1 returns string-based dependency names while verification expects atom-based names, causing silent bypass of ...

8.9 CVSS | 5.4 AI score | 0.00021 EPSS
Exploits: 1 | References: 4 | Affected Software: 1
Snyk
added 2025/11/24 8:33 p.m. | 3 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

9.8 CVSS | 6.8 AI score
Exploits: 0 | References: 3
Snyk
added 2025/11/24 4:24 p.m. | 2 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

9.8 CVSS | 6.8 AI score
Exploits: 0 | References: 3
Snyk
added 2025/11/24 4:24 p.m. | 0 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

9.8 CVSS | 6.8 AI score
Exploits: 0 | References: 3
OSSF Malicious Packages
added 2025/11/12 7:18 p.m. | 2 views

Malicious code in nuyar-musadfngi-buya (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f34770ef383fd0b620c9d7e101094443109d1153f0ecd31733ae07b7b1d5368d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits: 0
OSV
added 2025/11/12 7:18 p.m. | 1 views

MAL-2025-174551 Malicious code in haritono-poke15 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 16ab3c01c478b22b563a0a0873996760e5815abf0924d2d70f2cdc54df2060d0 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8 AI score
Exploits: 0
OSSF Malicious Packages
added 2025/11/11 8:46 p.m. | 4 views

Malicious code in vida-brengkes98-riris (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bc4165d790936eca22f6f45ea7901462a672efa354fde81d9dad6a9265293926 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits: 0
OSSF Malicious Packages
added 2025/11/11 5:50 a.m. | 2 views

Malicious code in zain-keraktelor61-pore (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 222fe8bf70a1987afd4e259ee805bc80afd426ef64e4c2538705a6fddac48356 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits: 0
OSV
added 2025/11/11 2:29 a.m. | 1 views

MAL-2025-73959 Malicious code in kurnia-lutis57-breki (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a90d06b05c5ad5cc65e28ab2d1a2eb9e33496cef3be0dbcfbc846722df8ac145 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8 AI score
Exploits: 0
OSSF Malicious Packages
added 2025/11/10 4:40 a.m. | 3 views

Malicious code in lutfi-ubi19-riris (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 55294563a984705430b92cd42bfe2c156394c3efe5ccde5cb2d297abcc28b627 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits: 0