302407 matches found
Malicious code in swap-sdk-87 (npm)
Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling c960+. postinstall auto-execs, src/index.js harvests /.ssh keys + Sol/Eth/BTC/Tron/Sui/Aptos wallets + .env + seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894 not rotated. Inflated version...
Malicious code in crypto-utils-7 (npm)
Crypto/SSH/wallet stealer, blockchain-helper-0/web3-tools-9 campaign sibling c960/c961. postinstall scripts/postinstall.js auto-execs, src/index.js harvests /.ssh/idrsa+wallet keys/seeds+env, self-labels "CRYPTO STEALER", exfils to IDENTICAL Telegram bot 8227918239 chat 6433587894 not rotated...
Malicious code in blockchain-helper-0 (npm)
Note: This report is updated by a verification record Crypto/SSH/wallet stealer self-labeled "CRYPTO STEALER". postinstall scripts/postinstall.js auto-execs, src/index.js harvests /.ssh/idrsa + wallet keys/seeds + env and exfils to hardcoded Telegram bot...
MAL-2026-5352 Malicious code in blockchain-helper-0 (npm)
Note: This report is updated by a verification record Crypto/SSH/wallet stealer self-labeled "CRYPTO STEALER". postinstall scripts/postinstall.js auto-execs, src/index.js harvests /.ssh/idrsa + wallet keys/seeds + env and exfils to hardcoded Telegram bot...
Malicious code in @demica/shared (npm)
Note: This report is updated by a verification record Dep-confusion squat of internal @demica/shared at sentinel high version 99.99.100 + auto-exec postinstall canary.js beaconing to RAW IP 157.230.17.236:80/dc. Sentinel-high-version + auto-exec beacon = MALICIOUS per operator policy c913;...
Malicious code in @demica/resources (npm)
Note: This report is updated by a verification record Dep-confusion squat of internal @demica/resources at sentinel high version 99.99.100 + auto-exec postinstall canary.js beaconing to RAW IP 157.230.17.236:80/dc. Sentinel-high-version + auto-exec beacon = MALICIOUS per operator policy c913;...
Malicious code in @demica/core (npm)
Dep-confusion squat of internal @demica/core at sentinel high version 99.99.100 + auto-exec postinstall canary.js beaconing to RAW IP 157.230.17.236:80/dc. Sentinel-high-version + auto-exec beacon = MALICIOUS per operator policy c913; "authorized benign canary" framing does NOT downgrade, raw-IP...
Malicious code in void-ulid (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 17c8bf4c8a22f2c86dcf8af482d28d5fccfc1d5971289e4f06afedc17c0585a9 void-ulid impersonates the legitimate ulid/ulidx ULID generator its package.json reuses the upstream github.com/ulid/javascript repo URL but ships a...
Malicious code in xforpy (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 6ebd6a0497e01ef631a2c357263bd1af23d88e8d9a9ae46fe39110571949198c During import, the package starts a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...
MAL-2026-5332 Malicious code in xforpy (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 6ebd6a0497e01ef631a2c357263bd1af23d88e8d9a9ae46fe39110571949198c During import, the package starts a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...
MAL-2026-5330 Malicious code in bittensor-burn-alert (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 06e89dc9ff0a5d334b67a01c572c036b0740adf6d8669d2fa25c241a0c098116 The package advertises itself as a Bittensor subnet burn-rate monitor but bundles a covert clipboard surveillance daemon in its compiled core module...
EUVD-2026-35054
Stored cross-site scripting in the service discovery active check output in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an adm...
MAL-2026-5365 Malicious code in quickwinston (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 304b4e430bff604f20121bc97398fa6ee18a25c16187d31b6553248bc54e63c7 The OpenSSF Package Analysis project identified 'quickwinston' @ 3.19.3 npm as malicious. It is considered malicious because: - The package...
MAL-2026-5312 Malicious code in bt-burn-watch (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 94719a61950dd5cacc26b288c1fe8ef0d12f0e93720b4f1aa98cdf84ff148f0d Package advertises Bittensor subnet burn-rate monitoring but the compiled core module's own docstring describes itself as a 'clipboard logger +...
Malicious code in classwind-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4fa5abd0e91f5e73a3a17597ecdddbef2409d61a680fd92ea62ce3a908ffb836 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2026-5307 Malicious code in classwind-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4fa5abd0e91f5e73a3a17597ecdddbef2409d61a680fd92ea62ce3a908ffb836 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in regexp-ts (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9828b4712ac404ec6f143f9c3115eb73ccd4418bab9cb17327ae325d488954e1 regexp-ts masquerades as the pino logger description, keywords, and module.exports.pino export but is actually a remote-code-execution loader. When a...
Malicious code in nodemon-lint (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e62de7b45c63185183f5fe120bd363a176f70cb28d4abfeec9a3686b320a0b96 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2026-5310 Malicious code in regexp-ts (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9828b4712ac404ec6f143f9c3115eb73ccd4418bab9cb17327ae325d488954e1 regexp-ts masquerades as the pino logger description, keywords, and module.exports.pino export but is actually a remote-code-execution loader. When a...
MAL-2026-5309 Malicious code in nodemon-lint (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e62de7b45c63185183f5fe120bd363a176f70cb28d4abfeec9a3686b320a0b96 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...