145 Mastra npm Packages Compromised via Hijacked Contributor Account

As many as 145 npm packages associated with the Mastra namespace "@mastra/", a popular open-source JavaScript and TypeScript framework for building artificial intelligence AI applications, have been compromised as part of a software supply chain attack codenamed easy-day-js , per findings from...

Malicious code in easyaillm (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b6268f175708584b9c3de408c80de3dc1162f4d1ddedb1ce6201b90f409b0dea On pip install easyaillm, setup.py runs execbase64.b64decode... which decodes to code that fetches https://pastebin.com/raw/hEF5HaFc, treats the...

Malicious code in bittensor-burn-message (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f574e414f35843b11dbb52cd921ce2f2e57f6292845d4770256bea17b41d86e8 Package targets Bittensor BIP-39 wallet holders. On import, defaults.env loads a hardcoded TELEGRAMBOTTOKEN 8666228137 and TELEGRAMCHATID 8766781014...

Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues

Microsoft on Monday confirmed that it temporarily removed some GitHub repositories in response to a recent security incident that led to 73 of its open-source projects being compromised to inject an information stealer into the code. "Our priority is to protect customers and the broader ecosystem...

Malicious code in xfoofoox (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 94e46dfacc8ffb015e2258d96dedda0eebb7118144ace7021794c88b319ade14 During import, the package starts a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...

Malicious code in spaysrbx (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d4bae51ef6cd61eb9bfc38ac2d8dd8ad1f38d22c4e55b8ccdfc53cd2ed94076f On import spaysdata, the package's init.py invokes mainentry in spaysdata/main.py, which performs three attacker-benefit actions automatically: 1 rea...

MAL-2026-5329 Malicious code in spaysdatarbx (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1bcaa4bf6f81efed82d35081ec059dfcd2f55e50b84f28d8b0ad4d8afe63089f spaysdatarbx is a Windows infostealer disguised as a Roblox DataStore library. On import spaysdata, init.py invokes mainentry wrapped in try/except:...

Pirated PC games are delivering password-stealing malware

A new Windows malware campaign hides inside pirated PC games and modified installers for franchises like Far Cry, Need for Speed, FIFA, and Assassin’s Creed. Researchers estimate that more than 400,000 devices worldwide have been infected, with around 30,000 users in the US. The infection method ...

Malicious code in bt-burn-watch (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 94719a61950dd5cacc26b288c1fe8ef0d12f0e93720b4f1aa98cdf84ff148f0d Package advertises Bittensor subnet burn-rate monitoring but the compiled core module's own docstring describes itself as a 'clipboard logger +...

Malicious code in anthropy (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8fa5e8904e682bfc10273961eb25b914c8d79b89e2a6c923c32bb9b3233d41c2 The package anthropy is a one-character typosquat of the legitimate anthropic PyPI SDK. The sole module anthropy.py executes a classic Python reverse...

IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks

Multiple software supply chain attacks have hit the npm ecosystem, with threat actors using both malicious and poisoned versions of over 50 legitimate packages to distribute a Rust-based information stealer and a self-spreading worm, respectively. According to JFrog, the information stealer...

Malicious code in spaysdata (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 55bfbc1a93fe9a662ed20b5fb651390a850c8f43e4d68d81677b4ffd0ca17bcf The package exfiltrates Roblox cookies from the victim machine. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaig...

Malicious code in discord-massban (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 1b535ff4283b14cd5d93b2e31a997d1c8abd7424e2aa48a993c19e5e7f6b2b3b Package steals data from web browsers credentials, credit cards, history, ... --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

MAL-2026-5091 Malicious code in discord-ban (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 4e19806a65bf83b5648eb280baedca899972d98e8c3f921080390458e8394413 Package steals data from web browsers credentials, credit cards, history, ... --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

Malicious code in crypto-helper (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 bbb379240ef7e43770f6dab576919fa97bd23ffbb8d3e39b31fd656649335fd7 During installation, the code tamper with security settings and downloads and executes malicious executable. --- Category: MALICIOUS - The campaign has clearly...

Malicious code in test-weavedb-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e3bf1d859670570df6b5400c4ae762c8de880ada809bb4c371f32339744b8f9d Package name impersonates the legitimate weavedb-sdk; lib/index.js is a near-verbatim copy of that SDK's Arweave/Warp/EthCrypto class so the package...

MAL-2026-4272 Malicious code in env-loader-cli (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1749501a0825ad4a98638bbab4bd2bd9550436adcb9bb7781b6552735f7f3eb0 The package advertises itself as a benign.env/JSON/YAML loader but its top-level init.py imports a hidden core module that, on every import envloader...

Malicious code in defi-risk-scanner (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5a8385c44127ab4250664e1324009461ae329e3684948d692cc679962d59f818 On first import defiriskscanner, the package's top-level init.py unconditionally runs curl -sL...

MAL-2026-4183 Malicious code in openclaw-agent (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 b89b6a94f589218276e6dabe5accf4a6d6a9b22cd7412cce0a58069bccd76bbb The package is intended to create a backdoor and steal sensitive data, but the analyzed code did not finally exfiltrate the content of sensitive files. ---...

Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

Cybersecurity researchers have discovered four new npm packages containing information-stealing malware, one of which is a clone of the Shai-Hulud worm open-sourced by TeamPCP. The list of identified packages is below - chalk-tempalte 825 Downloads @deadcode09284814/axios-util 284 Downloads...