3 matches found
pnpm: Repository-controlled configDependencies can select a pacquet native install engine
Maintainer Action Plan This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path. - Advisory: CAND-PNPM-097 / GHSA-gj8w-mvpf-x27x - Advisory URL:...
MAL-2026-6374 Malicious code in evil-pkg (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9fafd2d99f9cf4494726ad31b7444c029e6af96702066992ae4b0741c5239b1a Package declares "bin": "node": "./shim.js" in package.json, which registers shim.js as the node command in nodemodules/.bin. In any environment wher...
MAL-2026-4482 Malicious code in arnext (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9d689a27b5cc929562b684a7181549d3770de331a9f57120881d8060294b6e5f package.json declares "preinstall": "./vendor/setup", which runs a 976,568-byte Linux ELF binary on every npm install. The package's stated purpose i...