MAL-2026-4695 Malicious code in turbo-axios (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 62503451ade68043379968f3dc4784fdb66424d55422854514e3ba1b10058324 turbo-axios is a typosquat of the popular axios HTTP client it re-exports the full axios API and reuses axios's repository/homepage metadata in...

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +19 more potentially affected by CVE-2026-44009 via vm2 (>=1.0.1 <=3.11.1)

vm2 NPM version =1.0.1, =0.1.0, =1.0.0-beta.1, =3.0.46, =1.0.0-beta.1, =0.7.0, =0.0.1, =0.1.64, =0.1.61, =1.0.0, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.72.3 and more Source cves: CVE-2026-44009 Source advisory: OSV:GHSA-9VG3-4RFJ-WGCM...

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +16 more potentially affected by CVE-2026-44004 via vm2 (>=3.0.0 <=3.10.5)

vm2 NPM version =3.0.0, =0.1.0, =1.0.0-beta.1, =3.0.46, =1.0.0-beta.1, =0.1.64, =0.1.61, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.72.1 and more Source cves: CVE-2026-44004 Source advisory: SNYK:JS-VM2-16438976...

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +16 more potentially affected by CVE-2026-26332 via vm2 (>=3.0.0 <=3.10.5)

vm2 NPM version =3.0.0, =0.1.0, =1.0.0-beta.1, =3.0.46, =1.0.0-beta.1, =0.1.64, =0.1.61, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.72.1 and more Source cves: CVE-2026-26332 Source advisory: SNYK:JS-VM2-16419533...

08cms (=1.0.0), 0uth (>=1.0.5 <=1.2.1) +13074 more potentially affected by CVE-2026-41674 via xmldom (>=0.1.11 <=0.6.0)

xmldom NPM version =0.1.11, =1.0.5, =1.0.0, =1.0.0, =1.7.3, =0.1.0, =0.0.2, =0.0.1, =1.0.2, =1.0.3, =1.0.23, =1.0.1, =1.3.1 and more Source cves: CVE-2026-41674 Source advisory: OSV:GHSA-F6WW-3GGP-FR8H...

Malicious code in @usealloy/api-contract (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ac2459ced40bf7d07428205c0322e09c951fdc50972f337b30508ad2ad867b37 The package @usealloy/api-contract was found to contain malicious code. Source: ghsa-malware...

Malicious code in @emilgroup/tenant-sdk-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9d887c661a1552423bf923bf1028ef4aabb762dc2fa329db39e8b4552ce32803 The package @emilgroup/tenant-sdk-node was found to contain malicious code. Source: ghsa-malware...

Embedded Malicious Code

Overview @emilgroup/partner-sdk is an A new version of the package Affected versions of this package are vulnerable to Embedded Malicious Code. The publishing pipeline of this package was compromised as the result of Trivy's GitHub Actions compromise and a malicious versions were released on NPM...

@228-fund/elysia-effect (=0.0.1), @228-fund/elysia-msgpack (>=0.0.1 <=0.0.3) +122 more potentially affected by CVE-2026-30837 via elysia (>=0.1.2 <=1.4.22)

elysia NPM version =0.1.2, =0.0.1, =0.0.1, =0.0.7, =0.0.1-0, =0.0.1, =0.0.3, =0.0.1, =0.1.0, =0.0.1, =0.0.1, =0.1.0, =0.1.4, =0.1.0, =1.6.1-canary.0 and more Source cves: CVE-2026-30837 Source advisory: OSV:GHSA-F45G-68Q3-5W8X...

02url-querystring-http (>=1.0.1 <=1.0.4), 1-0-5-hai-aage-dekhte-hein-kya-aat-hai (>=1.0.5 <=1.0.6) +12780 more potentially affected by CVE-2026-2359 via multer (>=0.0.5 <=2.0.2)

multer NPM version =0.0.5, =1.0.1, =1.0.5, =2.0.0, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =1.0.0, =1.0.3 - 6e-alpha-backend-admin =1.0.0 and more Source cves: CVE-2026-2359 Source advisory: OSV:GHSA-V52C-386H-88MC...

Malicious Package

Overview sokettry is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

EUVD-2025-175739

Malicious code in vega-xerxes-meissa-chalk npm...

EUVD-2025-137339

Malicious code in polymera-anasri npm...

Malicious code in butah-asfui-dufafu (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 736fb7d569494914d184dd0525498fe978770f659c68ba0a82f75fb1ff8212e6 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

EUVD-2025-139992

Malicious code in namacida-nutayayafr-kadasida npm...

EUVD-2025-144236

Malicious code in verts-otimnmo-fagofsaposa npm...

Malicious code in sanjaypatel (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2f9e7c69d287175cc5aa196371c5ff66446885aa49356b949e6b001d638c8e8f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in @mipta19/dggfdhs (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 825d6508528d004fea0c43bd5e8c3a8666fe45b18f36fdd9bab90a2030acd846 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in abiba-avbai-aub (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 33887bd8d11ee982683562d6d7c7acfee18617a0816ccc40bd33cfc4cf0ae465 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...