Malicious code in bash8 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 cc82142b2f705e97dabfd2945e1f4686296211b857a6ccda5195803650bddf63 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

Malicious code in npm-sandbox-research-c5d6 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e7dd3f64f94b15f73c62c5733a5910802ff22adc514e0eb08e153817fcd4158b The package declares a postinstall hook "postinstall": "node run.js" that executes automatically on npm install. The shipped beacon scripts...

MAL-2026-5760 Malicious code in npm-sandbox-research-c5d6 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e7dd3f64f94b15f73c62c5733a5910802ff22adc514e0eb08e153817fcd4158b The package declares a postinstall hook "postinstall": "node run.js" that executes automatically on npm install. The shipped beacon scripts...

MAL-2026-5732 Malicious code in houzidawang808 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 71d6b96fe99e7f8503cb07df05d6b621dc8e8243fc7288844678d8aff043a654 The package presents itself as a 'simple date formatting utility' index.js exports a trivial formatDate wrapper around toLocaleDateString, but ships ...

Malicious code in pc-optimizer (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f046d16052b9121c55f2fd5e6eb2be90ce24e7b007efca3c2a9e7f64dab8f6bf The package's collect.js imports childprocess, fs, http, https, and os, reads host identifiers via os.hostname and os.homedir, inspects local...

Malicious code in gpt-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8b9bdc5e04979d5b4f73407bcedaecc9df24dbb03e0bfbc0edefe333023dc50c On npm install, postinstall.js runs unconditionally and collects a wide range of installer-side reconnaissance data: hostname and FQDN, contents of...

Malicious code in @w2d/web-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2b8292b80f3e692b249561a14d94d2dfa0196f2377e7eee027b8dd630d251bd1 The package targets the @w2d scope with an artificially high version 2.999.999 — the canonical dependency-confusion shape designed to outrank an...

MAL-2026-5544 Malicious code in pocteszep (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e13c609971d69e4699c85f451f163c7ab60ebb775171211fbd20d880b0ef2a2d The package's npm preinstall lifecycle script runs wget --quiet...

MAL-2026-5540 Malicious code in @monitoring-lib/error-tracking (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 491603ad44ed812c3d248696b00f7d4801a4c1dc23e4f23a3bb86f2ef499616d On npm install, the preinstall lifecycle hook in package.json runs a Node one-liner that reads the installer's hostname os.hostname and username...

Malicious code in zer0onedatetool (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 73fd05fda74bbf13c6275d4da0fa80fece821cad03fb2237ae74ed24309eab52 The postinstall lifecycle script in this package issues curl POST requests to a subdomain of oastify.com — the out-of-band callback domain operated b...

MAL-2026-5532 Malicious code in icinga (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fbedb312e9cfe0f5cc7783487adc963f142ebcaefa0fb9305a9a535f373b052d PyPI package 'icinga' at version 99.1.0 is a dependency-confusion / typosquat lure against the Icinga monitoring project. It ships no real...

MAL-2026-5522 Malicious code in @orion-design-system/components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector edd5d007da2de0a07fc1a0d999cccbf71a748627c82c9b2000d161eb248a5a0f package.json declares a preinstall hook that runs an inline node -e script reading os.hostname and os.userInfo.username and transmitting them via HTT...

Malicious code in mcp-server-postgres (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f0b86cc4cf49b5d6cda37126f6a0c7c9f9fec648eb4d4743b6f39423613d3122 Package squats the unscoped name mcp-server-postgres impersonating the official scoped MCP postgres server. package.json declares "postinstall": "nod...

MAL-2026-5484 Malicious code in mcp-server-sequential-thinking (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 211672c16839ae6cd4e9f10810163da536480f07938b2d51c50ecbbb9f5e90ed Unscoped package impersonating the official @modelcontextprotocol/server-sequential-thinking MCP server. package.json declares postinstall: 'node...

Malicious code in getd-ui-library (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fcdbf66757b102ed524f01c498adae819b02968aa455f57316f4e08af1fb9ea0 On npm install, postinstall.js runs unconditionally scripts.postinstall = 'node postinstall.js' and sends an HTTPS GET to a hardcoded webhook.site UR...

Malicious code in getd-content-management (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 44eb41541c340c710ad8afc366ab4642d3809d8d9afef53b99e3704b9dfb684b The unscoped package name 'getd-content-management' impersonates the legitimate @getd/ npm scope acknowledged in the package's own README. On npm...

MAL-2026-5462 Malicious code in @rockawayx/utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e286c45b54ab9002ef8b7eec7ec686afc0bb82c2867c3640c460c8d1052b2bab @rockawayx/utils squats the unclaimed @rockawayx npm scope and runs a preinstall beacon on every install. package.json declares "preinstall": "node...

Malicious code in @rockawayx/utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e286c45b54ab9002ef8b7eec7ec686afc0bb82c2867c3640c460c8d1052b2bab @rockawayx/utils squats the unclaimed @rockawayx npm scope and runs a preinstall beacon on every install. package.json declares "preinstall": "node...

Malicious code in @nstrlabs/shared-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector efc72373a5a06d31becb2dd02ced949866c9da14ae6d0bfdb3b4f4c882e40445 On npm install, the package's preinstall script runs index.js, which collects host identifiers os.hostname, os.userInfo.username, dirname, process.cw...

Malicious code in @klapp-kyc/routes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ca32e3aa7685d93e36eca726e08096bd0c5ba425172ef254fdf769cc09b46887 On npm install, the package's preinstall hook executes node index.js, which collects the installer's hostname, OS username, current working directory...