24 matches found
Malicious code in @emcd-vue/auth (npm)
Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to pose as an internal Vue.js front-end tooling package from "EMCD Platform Engineering." The package...
MAL-2026-5163 Malicious code in @emcd-vue/auth (npm)
Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to pose as an internal Vue.js front-end tooling package from "EMCD Platform Engineering." The package...
MAL-2026-4969 Malicious code in @cloudplatform-single-spa/serverless-containers (npm)
Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker (npm user mr.4nd3r50n) published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...
MAL-2026-4711 Malicious code in wao (npm)
Source: amazon-inspector f809db41305575dc4eeed6726bdc75000e7f083dee4599ad71fd7b5eb89b2501 package.json declares "preinstall": "./src/deps.ts", but src/deps.ts is not TypeScript — it is a 976KB Linux x86-64 ELF executable magic bytes...
Malicious code in aonote (npm)
Source: amazon-inspector df30872a579b6ce2419993ff9bad621f42347097dd43551a26583223e6a98a7b package.json declares "preinstall": "./scripts/postbuild", where scripts/postbuild is a 976KB UPX-packed Linux x86-64 ELF sha256 36abd242... shipped ...
MAL-2026-4437 Malicious code in @service-suppliers/set_selected_supplier (npm)
Source: amazon-inspector eba319282947a6dfb83a31cec6127e62594cc16160bd9c74cee3feee349c4b07 The postinstall hook in scripts/postinstall.js performs two independently-blocking actions on every npm install. First, it scrapes installer-side...
MAL-2026-4699 Malicious code in utils-mf (npm)
Source: amazon-inspector 6d338ea2a5c454a5a0352e6fb29bd940027bc4b8c349649f6356c4fc4f396272 Package metadata advertises 'utility mf' with main 'index.js', but the shipped main is a 15.7MB obfuscator.io-style blob preceded by 8MB of...
MAL-2026-3759 Malicious code in env-threads (npm)
Source: amazon-inspector cfb511e0bf06367ec0341939aa68ee55859344c6ca6cb8d9f55f7e62cdcc8656 Package env-threads impersonates the legitimate dotenv package: its README, repository URL git://github.com/motdotla/dotenv.git, homepage, descriptio...
CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS
An attacker can achieve Full Account Takeover and Privilege Escalation via Stored DOM XSS in the backup module's filename field, which is manipulated through an SQL file that tampers with the filename field to contain a hidden XSS payload...
Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan
Cybersecurity researchers have discovered two malicious packages in the Python Package Index (PyPI) repository that masquerade as spellcheckers but contain functionality to deliver a remote access trojan (RAT). The packages, named spellcheckerpy and spellcheckpy, are no longer available on PyPI, but...
Malicious code in vielcord (PyPI)
Source: kam193 4663c6d9af6fa1feac7fd1719e4ff1a729bc8297eec7ce927a13804d475d2c8b During the execution, the package silently downloads and runs a JAR not related to the package job. At the time of analysis, the content was corrupted...
MAL-2025-47510 Malicious code in vielcord (PyPI)
Source: kam193 4663c6d9af6fa1feac7fd1719e4ff1a729bc8297eec7ce927a13804d475d2c8b During the execution, the package silently downloads and runs a JAR not related to the package job. At the time of analysis, the content was corrupted...
Malicious code in ctf-q21-empire-tmp-bw134345 (PyPI)
CVE-2025-50472
The modelscope/ms-swift library through 2.6.1 is vulnerable to arbitrary code execution through deserialization of untrusted data within the loadmodelmeta function of the ModelFileSystemCache class. Attackers can execute arbitrary code and commands by crafting a malicious serialized .mdl payload,...
MAL-2025-191721 Malicious code in enumer-iam (PyPI)
Source: kam193 8062489d0fe9ae58c1937e4afba7f0f3adfbd507e07dd81bb9450bf7f58c6943 This campaign is built from two parts: 1 packages named like time-check-server, snapshot-photo contain an innocent-looking code that sends "date" to a remote...
MAL-2025-615 Malicious code in marked-as (npm)
This package is imitating the popular marked library. It contains a VBScript to extract a bundled PE payload, make it hidden, and execute it. Source: ghsa-malware 16c9c50d2f56b3edc3a26ddebf2c1da3ef628b3aa1c8da23bc2e5b0b2b157dea Any compute...
Malicious code in marked-as (npm)
This package is imitating the popular marked library. It contains a VBScript to extract a bundled PE payload, make it hidden, and execute it. Source: ghsa-malware 16c9c50d2f56b3edc3a26ddebf2c1da3ef628b3aa1c8da23bc2e5b0b2b157dea Any compute...
MAL-2023-8573 Malicious code in pyhulul (PyPI)
Source: checkmarx f22a13d592f8a4de9eaf39b1c4c0c149232890e90dc5cff2988d49901d31a3e2 Malicious packages campaign targeting developers, payload is hidden using Steganography, exfiltrate host information...
MAL-2023-8586 Malicious code in pystob (PyPI)
Source: checkmarx f7f671a57787306aed1f0f0baf0c3026c4cb894d7b968ee5648246b4af795570 Malicious packages campaign targeting developers, payload is hidden using Steganography, exfiltrate host information...