MAL-2026-290 Malicious code in kc-fe-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b4347dd194760b4442f9bb1feab4f7133c2413af7958a4081f8cdea8367241da The package kc-fe-cli was found to contain malicious code. Source: ghsa-malware 42b0817927a50dccc81b965c476f842127ddf7f97445006910ebc9f6fa9e8026 Any...

MAL-2026-288 Malicious code in insightvm-ui-nav-menus (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f24e901eb03445094160df9df30313f817015ba26cdd09e82d4f527261acda35 The package insightvm-ui-nav-menus was found to contain malicious code. Source: ghsa-malware...

EUVD-2026-3093

Malicious code in spire.officejs-externs npm...

MAL-2026-264 Malicious code in @ux-foundry/palette (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ddd18fdf82036fc2f39aba4198fb081eb4cb5683f9b9308bdb2a0f8539c54275 The package @ux-foundry/palette was found to contain malicious code. Source: ghsa-malware...

EUVD-2026-3087

Malicious code in assurance-common-components npm...

MAL-2026-275 Malicious code in chakra-ui-2--theme-tools (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a88b6a088fbdbcacb5e2fc998737d4c0df9279035121b7bf69a626302c82dfa1 The package chakra-ui-2--theme-tools was found to contain malicious code. Source: ghsa-malware...

MAL-2026-293 Malicious code in lusha-micro-app-messages (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aa2763ac2e60a783720a4825cd416a2c3e991ab820c9a11c72d809c5162eb822 The package lusha-micro-app-messages was found to contain malicious code. Source: ghsa-malware...

MAL-2026-274 Malicious code in chakra-ui-2--styled-system (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9c8febe083a3c8d9449ea02eb0ab1ab112c8ea582743da6ce1f0ee9f0cb9d4d5 The package chakra-ui-2--styled-system was found to contain malicious code. Source: ghsa-malware...

MAL-2026-319 Malicious code in vue_frontend_rpc (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 37b3b39f0c20a8dd65bccdba671ecc5761e03146f454226847e982c424b8c25b The package vuefrontendrpc was found to contain malicious code. Source: ghsa-malware 30e31020ae5911a45b568d33238a4785bb2149dc1a8b474ac220aacb60546551...

EUVD-2026-3073

Malicious code in experian-design-system npm...

Malicious code in experian-design-system (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 629f30cfc3fe4cc45698b5cce11973037d0fa7f6564fc999aef0247701f6fee5 The package experian-design-system was found to contain malicious code. Source: ghsa-malware...

MAL-2026-282 Malicious code in experian-design-system (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 629f30cfc3fe4cc45698b5cce11973037d0fa7f6564fc999aef0247701f6fee5 The package experian-design-system was found to contain malicious code. Source: ghsa-malware...

org.webjars.npm:actions__core (>=1.10.0 <=1.11.1), org.webjars.npm:actions__http-client (>=2.2.1 <=2.2.3) +14 more potentially affected by CVE-2026-22036 via org.webjars.npm:undici (>=4.12.2 <=5.29.0)

org.webjars.npm:undici MAVEN version =4.12.2, =1.10.0, =2.2.1, =0.1.16, =0.1.28 - org.webjars.npm:elasticelasticsearch =8.6.0 - org.webjars.npm:elastictransport =8.3.1 - org.webjars.npm:firebase =10.13.0 - org.webjars.npm:firebaseauth =1.7.7 - org.webjars.npm:firebaseauth-compat =0.5.12 -...

EUVD-2026-2842

Malicious code in webmd-page-common npm...

MAL-2026-258 Malicious code in webmd-page-common (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c3ac133760e765dbcb76befb93e31a79e19da15b27c94d4b5da3b8e43c00f2b1 The package webmd-page-common was found to contain malicious code. Source: ghsa-malware...

EUVD-2026-2846

Malicious code in silvermine npm...

MAL-2026-257 Malicious code in silvermine (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3b977fbc50506142e7db68fc536bdfd96ccfa135ff0c03f3957d24b716cc4441 The package silvermine was found to contain malicious code. Source: ghsa-malware 194377d773e651f6f01c9662fac716fb338b55f83baafc1c503b692fe1195e5a Any...

EUVD-2026-2096

Renovate vulnerable to arbitrary command injection via npm manager and malicious Renovate configuration...

@cenk1cenk2/renovate-config (>=2.3.132 <=2.3.148), @jamietanna/patch-testing (>=0.1.0 <=0.2.28) +7 more potentially affected by unknown CVE via renovate (>=36.109.4 <=40.21.2)

renovate NPM version =36.109.4, =2.3.132, =0.1.0, =0.14.0, =0.5.0, =0.1.0, =0.1.0, =0.0.1, =0.19.0 - @zotero-chinese/renovate-config =1.0.3 Source cves: unknown CVE Source advisory: SNYK:JS-RENOVATE-14927385...

Renovate vulnerable to arbitrary command injection via npm manager and malicious Renovate configuration

Summary The user-provided string packageName in the npm manager is appended to the npm install command during lock maintenance without proper sanitization. Details Adversaries can provide a maliciously crafted Renovate configuration file to trick Renovate to execute arbitrary code. The...