Malicious code in qazaq-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 31fa15731b4c683297d550bb3157dff08f2bfa3db01c14952cd35c7c61407d0a The package's default AI provider hardcodes the destination opengateway.gitlawb.com/v1/chat/completions with header api-key: 'not-needed'...

MAL-2026-4654 Malicious code in qazaq-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 31fa15731b4c683297d550bb3157dff08f2bfa3db01c14952cd35c7c61407d0a The package's default AI provider hardcodes the destination opengateway.gitlawb.com/v1/chat/completions with header api-key: 'not-needed'...

Malicious code in promptbook-mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1223e123a8bd5b550647d800b438b2c5a78f3e10c9d1ab7a6a7cdbd8be465b90 dist/api.js contains a hardcoded URL https://promts.newtechcompany.ru referenced alongside process.env reads and a fetch call at line 44. The package...

MAL-2026-4560 Malicious code in fca-official-uzair-rajput (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 83c96ed99bb1a48e80228ec0ca012c1dbb7817fe1dbbd492fcb3d2927805f29e fca-official-uzair-rajput is a Facebook chat API library whose only documented entry point, login, invokes an auto-update routine on every call when...

Malicious code in @touchvue/chat (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0921a05dced95d8d0bb5d99de362f67e4e67832874fb0b4391629f5dfe6e926d The published tarball's chat components AiChat/Chat/useSSE.js and AiChat/ChatInput.vue2.js ship with hardcoded defaults that point the chat backend a...

MAL-2026-4568 Malicious code in fulcrum-sessions (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f3971399e0fb1bd6c61f5306557512ed22dc0605747526b600b08626a50eb31e src/config.js hardcodes a live Telegram bot token bot id 8656735452 and a default groupId -1003974755050 pointing at a chat owned by the package...

MAL-2026-4562 Malicious code in figma-d2c-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b65db74a06749bbb141552f97e91b15d5bdd91b57a0136dfc8bfb4034b659c8f The package ships dist/report.js, a one-line module that issues an HTTPS POST to https://www.baidu.com carrying values read from process.env. The...

Malicious code in @serviceshub/x-web-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1cd81c2623e8f621801dcbfbf7d7eb8745bf702f1d5e85e410872400c7d2eea7 Package ships a trivial index.js module.exports = ; and exists solely to pull a direct-URL tarball dependency at install time. package.json line 9...

MAL-2026-4652 Malicious code in python-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5b94c01fae325c5f5e92abd5da03527c54e22bb48202b1dc8b3e2c64947753b2 package.json declares "preinstall": "./dist/typecheck.js". The referenced file is not JavaScript — it is a 5,224,556-byte Linux x86 ELF executable...

MAL-2026-4182 Malicious code in stripe-internal (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 e7a911f1602bed2fda7cbacff6567286433df29592c24839ae9980c7fff0e6b4 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

MAL-2026-4702 Malicious code in vestibulect (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 82da0f0bb40f42e69defbea694db093f2ad880c8c094508f61e2d7fe58550e2e package.json declares a postinstall hook "postinstall": "node install.js" which executes install.js automatically on npm install. install.js imports ...

Malicious code in @trackking/core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 64d51e587bc0b6508fa3d38027f18d42d9ab4b6ccdb8dd2760543e8c52d6bb18 @trackking/[email protected] is an empty stub: index.js is module.exports = , package.json has no description, no author, ISC license, and a high-number...

Malicious code in wallet-agent-ai-radix (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 60a953d7785091650f4f48e0b038e71ad79788102ffd652bff4bb0e8bf40ea21 dist/agent.js contains a hardcoded Telegram Bot API endpoint https://api.telegram.org reached via fetch with a POST body that includes values from...

Malicious code in ezymail (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ea463f516048086ec4acfc2733edc9561dac749d19c2e47381fc170c451cd53c The package advertises itself as a Gmail/SMTP sender library. The README documents that callers pass their SMTP user and pass Gmail App Password to a...

MAL-2026-4557 Malicious code in ezymail (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ea463f516048086ec4acfc2733edc9561dac749d19c2e47381fc170c451cd53c The package advertises itself as a Gmail/SMTP sender library. The README documents that callers pass their SMTP user and pass Gmail App Password to a...

Malicious code in @venturo/playwright (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0e9a29f430bb3a664936cb27d7cc0dc6f3e8764ae0fae7e9fc8e001fcece43c8 @venturo/playwright impersonates Microsoft's @playwright/test: package.json sets author to 'Microsoft Corporation', homepage to...

MAL-2026-4242 Malicious code in foundy-toolkit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d117fe522ec0aee9271963b02fb9a61b7e5005b5494331368b58f46c05c944cd On npm install, the package's postinstall script runs an inline node -e that shells out to curl -fsSL against an ephemeral Pinggy free-tier tunnel ho...

Malicious code in foundy-toolkit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d117fe522ec0aee9271963b02fb9a61b7e5005b5494331368b58f46c05c944cd On npm install, the package's postinstall script runs an inline node -e that shells out to curl -fsSL against an ephemeral Pinggy free-tier tunnel ho...

MAL-2026-4659 Malicious code in rdflib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fb9a536a077e23bda8e10a55aa1177de28f4f5a8622e08914eeab437e8036940 package.json for this release declares two runtime dependencies — "package-lock.json": "^1.0.0" and "package.json": "^2.0.1" — inside the dependencie...

MAL-2026-4443 Malicious code in @shinzepelly/libsignal-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 957954ced5e6fb2e8ab6a666adf496ca2edc7575a4e202b593d6698b5d89809f Package impersonates the legitimate libsignal-node library description copied verbatim: "Open Whisper Systems' libsignal for Node.js" under an...