107 matches found
@aidps/canvas-flow (>=1.0.0 <=1.0.1), @antv/xflow (>=2.0.1 <=2.2.4) +59 more potentially affected by unknown CVE via @antv/x6-plugin-minimap (>=2.0.5 <=2.0.7)
@antv/x6-plugin-minimap NPM version =2.0.5, =1.0.0, =2.0.1, =0.0.1, =0.0.4, =0.6.0, =2.0.4, =3.0.0, =3.5.1-alpha.3, =0.0.3, =0.2.2, =0.2.1, =1.0.0 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-4106...
base-flow (=1.0.6), cmp-graph (>=0.0.1 <=0.0.5) +11 more potentially affected by unknown CVE via @antv/g6-editor (>=1.0.8 <=1.2.0)
@antv/g6-editor NPM version =1.0.8, =0.0.1, =1.0.13, =1.0.0, =0.1.0, =1.0.0, =0.0.1, =0.1.0, =0.0.2, =0.2.5, =0.2.6 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3986...
MAL-2026-3277 Malicious code in edj-shopify-theme (npm)
Source: amazon-inspector b0e23978c8bb0369f485f8c3e2384f10d9e649d13a3c198475ace4184c3757a5 The package edj-shopify-theme was found to contain malicious code. Source: ghsa-malware...
Malicious code in npm-demoo-1111 (npm)
Source: amazon-inspector 8c2199a37f518fbd8345def58b16a83c07aaf6aae9b837f6ec6d96a179f97849 The package npm-demoo-1111 was found to contain malicious code. Source: ghsa-malware 12073b21cd21241e9d8a004221c9e22d323091d95e7b5b9bdde2f1b20883aea4...
Malicious code in developit (npm)
The package 'developit' is part of the PhantomRaven supply chain attack campaign Wave 2. It uses a Remote Dynamic Dependency (RDD) technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server npm.jpartifacts.com...
RUSTSEC-2026-0032 `dnp3times` was removed from crates.io due to malicious code
The `dnp3times` crate attempted to exfiltrate `.env` files to a server that was in turn impersonating the legitimate timeapi.io service. It was loosely trying to typosquat the `dnp3time` crate, but otherwise was the same attack as the `timecalibrator` and `timecalibrators` malware yesterday. The malicious...
Malicious code in spark-ar-jest-mocks (npm)
Source: amazon-inspector a67c582fb00bd7fd05adc5f9680fed203dd43086ab6efbcbec369bb386eaeb6f The package spark-ar-jest-mocks was found to contain malicious code. Source: ghsa-malware...
MAL-2025-192998 Malicious code in @vietmoney/react-native-smart-gallery (npm)
Source: amazon-inspector cdecb4163903c7cab6a325ea865641719253be69a34f76a172a717792a8b53bb The package @vietmoney/react-native-smart-gallery was found to contain malicious code. Source: ghsa-malware...
MAL-2025-192872 Malicious code in sturdyfetch3 (npm)
Source: amazon-inspector 51688b3b85839d3b57f16cceb31d5a8eea4de19c3d9ad73395386c9a7b0ef1ca The package sturdyfetch3 was found to contain malicious code...
Malicious code in ctfvamp (npm)
Source: amazon-inspector 60afd58ec7b3c88e49140c847bac2c30a9e0e6d9f4f700125d59a3302bb9dac2 The package ctfvamp was found to contain malicious code. Source: ghsa-malware 813e410e18d7609781e8b8a67e5750a2e2652e69245b8a6d343d9ea8364d75a6 Any...
@vex-chat/spire (>=1.0.0 <=1.10.3) potentially affected by unknown CVE via @asyncapi/web-component (=2.6.5)
@asyncapi/web-component NPM version =2.6.5 is affected by a known vulnerability. The following packages have a transitive dependency on @asyncapi/web-component and may be impacted: - @vex-chat/spire =1.0.0, =1.10.3 Source cves: unknown CVE Source advisory: OSV:MAL-2025-190721...
siddheshtea (=1.1.6) potentially affected by unknown CVE via muklis-30 (=1.0.0)
muklis-30 NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on muklis-30 and may be impacted: - siddheshtea =1.1.6 Source cves: unknown CVE Source advisory: OSV:MAL-2025-160815...
siddheshtea (=1.1.6) potentially affected by unknown CVE via muklis-39 (=1.0.0)
muklis-39 NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on muklis-39 and may be impacted: - siddheshtea =1.1.6 Source cves: unknown CVE Source advisory: OSV:MAL-2025-160823...
siddheshtea (=1.1.6) potentially affected by unknown CVE via nokire-nakala42 (=1.0.0)
nokire-nakala42 NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on nokire-nakala42 and may be impacted: - siddheshtea =1.1.6 Source cves: unknown CVE Source advisory: OSV:MAL-2025-162995...
siddheshtea (=1.1.6) potentially affected by unknown CVE via muklis-29 (=1.0.0)
muklis-29 NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on muklis-29 and may be impacted: - siddheshtea =1.1.6 Source cves: unknown CVE Source advisory: OSV:MAL-2025-160813...
siddheshtea (=1.1.6) potentially affected by unknown CVE via nudela-aahaf0gf-gaafodfa (=1.0.0)
nudela-aahaf0gf-gaafodfa NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on nudela-aahaf0gf-gaafodfa and may be impacted: - siddheshtea =1.1.6 Source cves: unknown CVE Source advisory: OSV:MAL-2025-163708...
MAL-2025-191624 Malicious code in ethaddrlib (PyPI)
Source: kam193 9dc2b3682a4269e98a57e232f473846d94e0c74209349b54e1ccc5c669110c47 The package claims to validate mnemonics, a sensitive part of a cryptocurrency system. The responsible functions, however, send given data to a remote service, and no...
Malicious code in @testcarrot/supply4 (npm)
Source: ghsa-malware 58c554af87914a43458082a747e4709d285f86a900c2c36e1f9d548a0281608e Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in vite-plugin-opticompress (npm)
Source: ghsa-malware 2944281b796b865693c16f2bb84aa5a7e7060d92c19fe89079b20f7f4c63ba70 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-47696 Malicious code in node-ts-cjs-web (npm)