MAL-2026-6091 Malicious code in datacamp-light (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4dbdcc4ef12aca6461f8e765976a7b2b33099a1791a7aee7e353371b7954a91c Package impersonates the DataCamp brand while shipping near-empty stub exports index.js init/helper return trivial constants. The postinstall lifecyc...

Malicious code in portal-backend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c5aca21d0e952f5ba313432cf5d47e41f185d19e65d894a005cce20be90d4985 On npm install, the package's preinstall hook executes postinstall.js, which enumerates process.env and filters keys matching a broad credential-shap...

MAL-2026-5697 Malicious code in web-model-bridge (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d2c385c177531c421e5a49f41d931890a48c16c921b23cc20f2bf4cd8fae893 On npm install, postinstall.js sends an HTTPS POST to https://ddactic-lab.online/sc/beacon carrying the package name/version, Node version, OS,...

Malicious code in @nstrlabs/api-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector de7b47a7f81209dbbaff286599b46f4f030ff992b6d0c25d947cc84739b838d9 @nstrlabs/[email protected] is a hollow package whose only behavior is an install-time exfiltration beacon. package.json declares "preinstall": "node...

MAL-2026-5418 Malicious code in @nstrlabs/api-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector de7b47a7f81209dbbaff286599b46f4f030ff992b6d0c25d947cc84739b838d9 @nstrlabs/[email protected] is a hollow package whose only behavior is an install-time exfiltration beacon. package.json declares "preinstall": "node...

Malicious code in privacy-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5c92b5d6dae289f8667ca24f2a941473b65e560f6937874f68ff26ed24d58969 [email protected] is a hollow wrapper index.js is module.exports = , blank description, blank author whose sole runtime dependency is declared as a...

MAL-2026-5448 Malicious code in mazemap (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 751317dcad79cec866b8dc69cd60b39e3be8e1bcc45746039835b04ce32445b0 package.json declares its only dependency ltidisafe as a direct HTTPS tarball URL https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.0.2.tgz...

Malicious code in housecall-ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 67e32f5c0c623ab57ac1de78fb5e118394d96f79b760af74d4127f775a0a97fe [email protected] is a hollow npm package empty description, empty author, index.js exports an empty object whose sole runtime dependency is declar...

MAL-2026-5446 Malicious code in housecall-ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 67e32f5c0c623ab57ac1de78fb5e118394d96f79b760af74d4127f775a0a97fe [email protected] is a hollow npm package empty description, empty author, index.js exports an empty object whose sole runtime dependency is declar...

Malicious code in @sec-loans-ui/utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector da55a9be9d9f90abe00e16200ea17aa78f58643e40d872d04276453dfd8a88f9 Package is a hollow lure: index.js is a 35-byte stub module.exports = , description and author are empty, and the version is bumped to 99.9.1 — the...

MAL-2026-4432 Malicious code in @sec-loans-ui/utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector da55a9be9d9f90abe00e16200ea17aa78f58643e40d872d04276453dfd8a88f9 Package is a hollow lure: index.js is a 35-byte stub module.exports = , description and author are empty, and the version is bumped to 99.9.1 — the...

MAL-2026-4465 Malicious code in @web-3d-tool/sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a1e96a726cf0732113215b2026a7a59fc6bf471f86d34153fea3a0e32b275fb5 @web-3d-tool/sdk is a near-empty package trivial 35-byte index.js, empty author/description metadata whose only effect on install is to pull in a...

CVE-2021-28099

In Netflix OSS Hollow, since the Files.existsparent is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated...

EUVD-2025-98174

Malicious code in hollowspiderz3n npm...

EUVD-2025-74572

Malicious code in hollowmeerkattan-52 npm...

EUVD-2025-76655

Malicious code in hollowdinosaur-silentdev npm...

MAL-2025-103741 Malicious code in hollow_dinosaur-silentdev (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b8a7ef8b88ccf1ad7efe32f7bb8520f604fb0eae09220aef1dd870478c0e6593 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in hollow_gibbon_z3n (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 870f8a5699f306fade227e67945b4f289c00a09419ec9bba863d5614653e3dbe This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

EUVD-2025-81689

Malicious code in hollowshark0xrequest npm...

Malicious code in hollow_mosquito_0xrequest (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dba94db2447a6e736219cdf3bd637aeee307a48d10542b45abacc8319d3bf21d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...