MAL-2026-3473 Malicious code in @tanstack/router-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bbe10ec33a8ef57cbee1293be08884f598f604cc51b69f3eed2d17217efd462d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/react-start-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8358ce998650baf1a9cb6bb602109da81268c43855ad0b16f892687cc89f104d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/react-router (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b329cb477cc0d977f9e8e6df59072ea002d6d041b99531596fbd87b8ff80aefd Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/arktype-adapter (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 00740c1707de87fdde677d596049a754c3269e6b54875d76eb4934a1368b7112 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

@squawk/mcp (>=0.2.0 <=0.9.0) potentially affected by unknown CVE via @squawk/airspace (>=0.4.1 <=0.8.0)

@squawk/airspace NPM version =0.4.1, =0.2.0, =0.9.0 Source cves: unknown CVE Source advisory: SNYK:JS-SQUAWKAIRSPACE-16640892...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

MAL-2026-3508 Malicious code in crypto-javascri (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e3f73f5a262aba7ba05c713d409646e419e998232fd536fd99c51750fa070699 The package crypto-javascri was found to contain malicious code. Source: google-open-source-security...

Malicious code in @mimecast-ui/charts (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e603deff481f2fdd492adde6f7d1f060fa7aa7d15f63abc4cc43fa7782409705 The package @mimecast-ui/charts was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in @mimecast-ui/components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7e59a7d55636b02d0a28954889c22f021de5b4f33c525ce7712706df60cd9af3 The package @mimecast-ui/components was found to contain malicious code. Source: ossf-package-analysis...

MAL-2026-3507 Malicious code in @mimecast-ui/components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7e59a7d55636b02d0a28954889c22f021de5b4f33c525ce7712706df60cd9af3 The package @mimecast-ui/components was found to contain malicious code. Source: ossf-package-analysis...

MAL-2026-3427 Malicious code in @cplace-workflow-fe/cf-workflow (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aa219c5fdaf0ec8e6e0467fb1f23bfde9a07c18276187464062943e612848781 The package @cplace-workflow-fe/cf-workflow was found to contain malicious code. Source: ghsa-malware...

NPM: Facebook React has a Denial of Service Vulnerability in React Server Components

NPM: Facebook React has a Denial of Service Vulnerability in React Server Components discovered by ? in WordPress Npm react-server-dom-turbopack versions = 19.0.0, 19.0.6...

Malicious code in byvendors (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d3ae01e4f5473c61cf7c26fdf51f64fa34c7f16451ce6c093a52fd85b79eff5 The package byvendors was found to contain malicious code. Source: ossf-package-analysis...

MAL-2026-3415 Malicious code in ac-sasskit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e8d0a627b8de0f6fc1b418dbc3f6242c1b3c4a0e39e5de9d6b70edce441d72db The package ac-sasskit was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in rsflows-pexml (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4ef5b11ec067e18cc3a024fee21e569e0f44cf180619e974cbb1dd8325e1b10c The package rsflows-pexml was found to contain malicious code. Source: ghsa-malware f1f4ac6cd17db4404613301b8405f7033d584985cb52af8c0aee3042bc1c0c8d...

MAL-2026-3422 Malicious code in rsflows-pexml (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4ef5b11ec067e18cc3a024fee21e569e0f44cf180619e974cbb1dd8325e1b10c The package rsflows-pexml was found to contain malicious code. Source: ghsa-malware f1f4ac6cd17db4404613301b8405f7033d584985cb52af8c0aee3042bc1c0c8d...

MAL-2026-3420 Malicious code in noon-contracts (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5e2a4c1ac3896b7769b47ab6659bf7b0d49f229963c910d0c9b9be11c5291c12 The package noon-contracts was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in @miurba/alcazaba (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 36c814274998998c89db63740c3d1032c8da3d6f6f9e44e100328c83e4ea29a0 The package @miurba/alcazaba was found to contain malicious code. Source: ossf-package-analysis...