MAL-2026-4584 Malicious code in ihubinternal (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8d05496a74a52542f8bf237430ae41377eb71e3710b41abfcc1f7b5cf3642885 The package exports a VelocityAuth function that, when called by integrating applications, sends end-user Solana wallet public keys, signed...

Malicious code in chai-as-afforded (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d40560dbe3485657e0bf84ae14fb2447ca17ec244adcaf5d2ecd14a1753697d4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-4222 Malicious code in chai-as-afforded (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d40560dbe3485657e0bf84ae14fb2447ca17ec244adcaf5d2ecd14a1753697d4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-4618 Malicious code in n8n-nodes-whatsapp-business-api-by-automations-builder (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a012be4fda5d6832fa3f4b404fd0026c0b351642260408e7f4fbb955e48b38a8 Package presents itself as an n8n node for the WhatsApp Business API Meta Graph. Instead of calling graph.facebook.com, every request — credential...

Malicious code in zest-product (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c9081ad708b658c1bd56299e401ca6a764cc9137d99573bc922d38a7381cc30d On npm install, postinstall.js collects host identity and environment data os.hostname, username, process.cwd, process.env values, plus shelled-out...

Malicious code in @hanssoft/baileys (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e3f83fb38a98b69c322df069a26c495101aa35682df8f83641b00e2ce40a99bd This package is a fork of the WhatsApp library Baileys whose metadata homepage, repository, author points at the upstream @whiskeysockets/baileys,...

Malicious code in webservices.rest (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c47c5da15de80c0473b9ccdb9899cb24607c3338914d67fe3331b169f5c1553b Package name webservices.rest impersonates the OpenMRS REST API naming convention and is published at version 99.1.0 — the canonical...

MAL-2026-4335 Malicious code in webservices.rest (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c47c5da15de80c0473b9ccdb9899cb24607c3338914d67fe3331b169f5c1553b Package name webservices.rest impersonates the OpenMRS REST API naming convention and is published at version 99.1.0 — the canonical...

MAL-2026-4336 Malicious code in webservices.rest-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5c9c78a4d0c87def69bbc5337e41a730e7ca6ae898426759915f053dc584581c package.json declares both preinstall and postinstall hooks that execute index.js, which exfiltrates installer data to a base64-encoded Cloudflare...

Malicious code in @toni77777/aora (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8566221a9ab9a1cb01b0f23e2af4b140d2e97310701b8c9a8f4bed1481fb22b2 On npm install, scripts/postinstall.js fetches a platform-specific executable from https://github.com/yourusername/aora/releases/download/v0.1.0/,...

MAL-2026-4458 Malicious code in @toni77777/aora (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8566221a9ab9a1cb01b0f23e2af4b140d2e97310701b8c9a8f4bed1481fb22b2 On npm install, scripts/postinstall.js fetches a platform-specific executable from https://github.com/yourusername/aora/releases/download/v0.1.0/,...

MAL-2026-4775 Malicious code in wdt-erpmcp (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ec852c69947e2a2575ae37ce4a442a67dc01f7328c0c603b94c87aa84803623f wdt-erpmcp advertises itself as a generic MCP wrapper over the caller's Wangdian Tongda WDT ERP, and three of its four tools correctly read WDTAPPKEY...

Malicious code in @atlisp/mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c5f4a9667f0a13220de9b838fde4fc16bd5aaa7f79d91f1122725e4799582515 The package's MCP server auto-injects a LISP bootstrap into every CAD command sent through cadSend/cadSendWithResult, plus connectcad's initAtlisp an...

MAL-2026-4365 Malicious code in @atlisp/mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c5f4a9667f0a13220de9b838fde4fc16bd5aaa7f79d91f1122725e4799582515 The package's MCP server auto-injects a LISP bootstrap into every CAD command sent through cadSend/cadSendWithResult, plus connectcad's initAtlisp an...

Malicious code in @zentrix23/baileys (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 00e60d3c1f2afd09e236dc4a5ae0cf2373029e6c62c4f7a9c571b13c2da01cd7 This package is a fork of @whiskeysockets/baileys with an undocumented modification: inside makeNewsletterSocket called unconditionally by...

MAL-2026-4470 Malicious code in @zentrix23/baileys (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 00e60d3c1f2afd09e236dc4a5ae0cf2373029e6c62c4f7a9c571b13c2da01cd7 This package is a fork of @whiskeysockets/baileys with an undocumented modification: inside makeNewsletterSocket called unconditionally by...

Malicious code in fastgrc-openclaw (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 158457237168ef50e3a6c4cd33f51e23f6aec642593745a3d11b9b4870ef36ce The package is an AI agent policy-check plugin. When a consumer does not configure their own API key, resolveApiKey returns a hardcoded BUNDLEDAPIKEY...

MAL-2026-4558 Malicious code in fastgrc-openclaw (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 158457237168ef50e3a6c4cd33f51e23f6aec642593745a3d11b9b4870ef36ce The package is an AI agent policy-check plugin. When a consumer does not configure their own API key, resolveApiKey returns a hardcoded BUNDLEDAPIKEY...

Malicious code in seedcode-facturacion-electronica (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 366dad27b664f3be411dc07609ee2f6f6b73a3cbc179d7c0105f20ce8bc77d3e The package advertises itself as a client for submitting El Salvador electronic invoices DTEs directly to the Ministerio de Hacienda. In practice, th...

Malicious code in @jemavidev/betteragents-pi (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3b6e1a3902ad5cc75204b7a6eea3727c6a6c31797d7cfd7a0cd12a64892887bd The package brands itself as an OpenRouter LLM extension and instructs users to obtain a key with the canonical sk-or-v1- prefix from...