@11ty/eleventy (=3.0.0-alpha.16), @agiflowai/aicode-toolkit (>=0.6.0 <=1.1.0) +96 more potentially affected by CVE-2026-41311 via liquidjs (>=10.10.0 <=10.25.6)

liquidjs NPM version =10.10.0, =0.6.0, =0.1.0, =0.0.0, =0.5.5, =0.8.0, =1.0.1, =1.6.3, =3.11.0, =3.11.0, =3.11.0, =1.0.0-beta.1, =1.0.0-beta.4 - @clairview/api =23.1.0 and more Source cves: CVE-2026-41311 Source advisory: OSV:GHSA-4RC3-7J7W-M548...

@11ty/eleventy-plugin-vite (>=8.0.0 <=8.0.0-alpha.2), @17sierra/config (=0.1.0) +1045 more potentially affected by CVE-2026-39363 via vite (>=8.0.0 <=8.0.3)

vite NPM version =8.0.0, =8.0.0, =0.0.1, =0.1.9, =0.0.15-0.1, =0.0.42, =0.1.8, =0.0.1-bate.2, =0.1.0, =0.1.0, =0.0.8, =0.0.9 - @adhisang/minecraft-modding-mcp =1.0.0 - @aero-js/cli =0.4.0 and more Source cves: CVE-2026-39363 Source advisory: SNYK:JS-VITE-15922242...

4coders-commons (>=0.0.1 <=0.0.2), @11ty/eleventy (=0.3.3) +3647 more potentially affected by CVE-2026-33939 via handlebars (>=4.0.0 <=4.7.8)

handlebars NPM version =4.0.0, =0.0.1, =0.1.0, =0.1.0, =0.0.11, =0.0.52, =0.1.0, =0.0.72, =0.1.0, =1.1.1, =0.0.0-3b548b7bf6ff6554f724240da3a11be924237e6c, =1.16.0, =1.16.0, =1.16.0, =2.4.4 and more Source cves: CVE-2026-33939 Source advisory: SNYK:JS-HANDLEBARS-15807042...

4coders-commons (>=0.0.1 <=0.0.2), @11ty/eleventy (=0.3.3) +3647 more potentially affected by CVE-2026-33916 via handlebars (>=4.0.0 <=4.7.8)

handlebars NPM version =4.0.0, =0.0.1, =0.1.0, =0.1.0, =0.0.11, =0.0.52, =0.1.0, =0.0.72, =0.1.0, =1.1.1, =0.0.0-3b548b7bf6ff6554f724240da3a11be924237e6c, =1.16.0, =1.16.0, =1.16.0, =2.4.4 and more Source cves: CVE-2026-33916 Source advisory: SNYK:JS-HANDLEBARS-15789775...

EUVD-2025-178441

Malicious code in impulse-blaze-yonder-eleventy npm...

Malicious code in areology-eleventy-cassini-filament (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ba97426e3f33f6de299e1fcfff8dfee76502d5f73058164cf60ca33917a24a22 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

EUVD-2025-179545

Malicious code in cosmicray-nova-regulus-eleventy npm...

EUVD-2025-179802

Malicious code in chai-juno-eleventy-hydrogeology npm...

EUVD-2025-179957

Malicious code in build-eleventy-deneb-gemini npm...

Malicious code in rocket-eleventy-alphard-changelog (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 08e513a76e72e1fca6eec63742d1bdca68ae829e5cdedb6e60687eab86480607 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

EUVD-2025-180334

Malicious code in areology-eleventy-cassini-filament npm...

EUVD-2025-178889

Malicious code in firebase-selenology-blitz-eleventy npm...

Malicious code in transform-semantic-ui-eleventy-phoebe (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3ffc4d6e7b72b0aaa2abde280bb586981de8ed65cc2174a163599fb04f6fa777 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in cosmicray-nova-regulus-eleventy (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 629a39b0a9e899a2c00667e031e0aa1a1416eb7626b9123e8f696be447ca89b1 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

MAL-2025-185925 Malicious code in build-eleventy-deneb-gemini (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e60f9254d7e112b0cafa3f70a3f75b052568cb6aba5c5b36c30ab0558c2b06b2 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

EUVD-2025-176618

Malicious code in rocket-eleventy-alphard-changelog npm...

EUVD-2025-179737

Malicious code in child-process-loglevel-elektra-eleventy npm...

MAL-2025-186718 Malicious code in eleventy-delphinus-figures-async (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0224ac3cb23c603d157129375e0a9a49860917e8b20c5c455d7932530d367bc9 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

MAL-2025-186337 Malicious code in cosmicray-nova-regulus-eleventy (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 629a39b0a9e899a2c00667e031e0aa1a1416eb7626b9123e8f696be447ca89b1 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

MAL-2025-186080 Malicious code in chai-juno-eleventy-hydrogeology (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a651f6b98ef3ec7de1e3366e3618090aba6d851129a759dc82198724df69145d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...