MAL-2026-5373 Malicious code in @doaction/http (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0558fc0fe6ab95434c0f041b1ed88e02039379e9052dbfd3e0faf35a8e8d5d5f Package version 9.9.9 is the canonical version-pinning marker used to outrank any private package during npm dependency resolution. The package...

MAL-2026-5375 Malicious code in @doaction/pay (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 94ec95e460ba16497749775ca5e0bac92e4013e2297dd506bb2b99254acffaf3 @doaction/pay 9.9.9 declares "preinstall": "node scripts/postinstall.js" in package.json, which requires @doaction/shared/bin/postinstall.js and runs...

MAL-2026-5381 Malicious code in @doaction/systeminformation (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4d2fd59d1828036e5c2cc49573fe68220054d50c3d41e0782735809a4c05ac45 Package name @doaction/systeminformation impersonates the widely-used systeminformation npm package and is published at suspiciously inflated version...

MAL-2026-5378 Malicious code in @doaction/signalhub (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f7bca1eff18553fad58ccd2097810887a61afc717b44a657c6674bfa7317bb41 @doaction/[email protected] is shaped as a dependency-confusion attack against organizations using a private @doaction scope. package.json declares...

MAL-2026-5380 Malicious code in @doaction/sudo-prompt (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 488a945e315d4824a3cc9dbb099b6eb414d12692164cb2c965626725ff64776a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5379 Malicious code in @doaction/storage (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e2555ac1fb49d2dac0108e398a6acffa2bffa1a86326db5fa384ed1232fdab89 Package @doaction/[email protected] is shaped as a dependency-confusion attack against the private-looking @doaction scope. The 99.99.99 sentinel...

MAL-2026-5372 Malicious code in @doaction/examples (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 361bc047872fceb7885c47404eef734b43ce8e5e7f13554e79d011be6f383339 @doaction/[email protected] declares preinstall: node scripts/postinstall.js in package.json, which requires @doaction/shared/bin/postinstall.js. The...

Malicious code in @doaction/shared (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector caba10985bd532eb067af52e175856a72552c9b9306895ea9fba9c1083277248 @doaction/[email protected] is a dependency-confusion lure that exfiltrates installer environment metadata on every npm install. package.json declares...

Malicious code in @doaction/auth (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f96ec00bc5ed7192c8483a1b27f2212ce64e5a86f1dc309b66d14ea969de00fb @doaction/[email protected] is shaped as a public-registry shadow of a private internal package: scoped name pattern, inflated 99.99.99 version, and a...

MAL-2026-5371 Malicious code in @doaction/example (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5632bd1a9818c4a4af54e5297d40c10279d83e702ee5f59fa9bd50c52a33e0bd Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @doaction/eventemitter (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5221b351f74900764906fd20a62e5c3f390473ed87a1d4fb781e34d3ffd2f623 On npm install, package.json declares "preinstall": "node scripts/postinstall.js", and scripts/preinstall.js unconditionally executes...

Malicious code in @doaction/example (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5632bd1a9818c4a4af54e5297d40c10279d83e702ee5f59fa9bd50c52a33e0bd Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5370 Malicious code in @doaction/eventemitter (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5221b351f74900764906fd20a62e5c3f390473ed87a1d4fb781e34d3ffd2f623 On npm install, package.json declares "preinstall": "node scripts/postinstall.js", and scripts/preinstall.js unconditionally executes...

MAL-2026-5377 Malicious code in @doaction/shared (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector caba10985bd532eb067af52e175856a72552c9b9306895ea9fba9c1083277248 @doaction/[email protected] is a dependency-confusion lure that exfiltrates installer environment metadata on every npm install. package.json declares...

MAL-2026-5369 Malicious code in @doaction/auth (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f96ec00bc5ed7192c8483a1b27f2212ce64e5a86f1dc309b66d14ea969de00fb @doaction/[email protected] is shaped as a public-registry shadow of a private internal package: scoped name pattern, inflated 99.99.99 version, and a...

Malicious code in transacts (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 73ecd84db15b18ea43f39e830199133ca8d17806313e4b6828a1d9105cc4b30c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in os-ulid-void (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 531ba01f5b5d2442cc8070ae6feec31976f9b67957fa3b0936c2cea7b6034b81 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5348 Malicious code in os-ulid-void (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 531ba01f5b5d2442cc8070ae6feec31976f9b67957fa3b0936c2cea7b6034b81 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5354 Malicious code in defi-tools-39 (npm)

Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling c960+, byte-identical to swap-sdk-87. postinstall auto-execs, src/index.js harvests /.ssh keys + Sol/Eth/BTC/Tron/Sui/Aptos wallets + .env + seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894...

Malicious code in swap-sdk-87 (npm)

Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling c960+. postinstall auto-execs, src/index.js harvests /.ssh keys + Sol/Eth/BTC/Tron/Sui/Aptos wallets + .env + seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894 not rotated. Inflated version...