Discord Controlled NodeCordRAT Steals Chrome Data via NPM Packages
Zscaler ThreatLabz identifies three malicious NPM packages mimicking Bitcoin libraries. The NodeCordRAT virus uses Discord commands to exfiltrate MetaMask data and Chrome passwords...
MAL-2025-191273 Malicious code in @oku-ui/separator (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 56b737a01a45b68e312a6864869538663927b97e9662c9e4e885d24a464fff51 The package @oku-ui/separator was found to contain malicious code. Source: google-open-source-security...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...
MAL-2025-190879 Malicious code in @posthog/geoip-plugin (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 52ea0a6028390c3a43f98bcd7b2afa97a6f1fae311e31138717c69d610c4c8a2 The package @posthog/geoip-plugin was found to contain malicious code. Source: google-open-source-security...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...
Blockchain and Node.js abused by Tsundere: an emerging botnet
Introduction Tsundere is a new botnet, discovered by our Kaspersky GReAT around mid-2025. We have correlated this threat with previous reports from October 2024 that reveal code similarities, as well as the use of the same C2 retrieval method and wallet. In that instance, the threat actor created...
CVE-2025-65025 esm.sh CDN service has arbitrary file write via tarslip
esm.sh is a no-build content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths e.g.,...
Towards Classifying Benign and Malicious Packages Using Machine Learning
Recently, the number of malicious open-source packages in package repositories has been increasing dramatically. While major security scanners focus on identifying known Common Vulnerabilities and Exposures (CVEs) in open-source packages, there are very few studies on detecting malicious packages...
MAL-2025-190014 Malicious code in typeorm-csv-troposphere-socketio (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2e73547aa88679589280af7f97832cc643441c415a7b0c69aa00448db76023b7 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-187272 Malicious code in halley-unuk-hyperion-sedna (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7c9506d8e26da1a023822ac60bbd1d414afd9ff2d27728755bfac524a22a8579 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-188209 Malicious code in nebula-polaris-prettier-wormhole (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 86fe8eef18acaa2546443d8c4b2a939c3b43ae4549f2ae57d08994c602ff3ca5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-186730 Malicious code in enceladus-blitz-lynx-corvus (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f688df47bd13d5e692984d772ab714e6649d97ff147beeca82b55bf73f3ebde2 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in eigenstate-spectron-loopback-wormhole (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0460ccbfd41e51a0714ef69bd00401d3487ca8ab7f70a90e0377723fddd725c1 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in perseus-hermes-polaris-event (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0e60303986771acde3d009f66e53f1bd8499ba9a4b0e3ac95133826c43640907 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in wezen-halley-less-io (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 87bcce6580c517f2e33e3a86f226fb4787f5a8348a800d827a98bff9f31c715a This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in xo-helios-child-process-pm2 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c6abf116ef5bd6a77aedf9bcc2b5428a4945e26fbf2e8c0d79a0fccebb457771 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in neuromorphic-cybernetics-cosmogenic-neutronstar (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 160b9ee422b1614bc10ab76b17cfd59829dd820e115922f452f8253b0f2750f1 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in resolvers-auth0-version-charon (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector af4e728e0527b6001c2f08d20b3cfd6a79fcd5d20e77ca00cd55be6186710444 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in blueshift-lynx-dotenv-safe-morgan (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9dab58c5139fe550ec62331ad682959b01530abab6c25ee42eabc08fb386d1f8 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-189862 Malicious code in terraforming-filament-got-dione (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0245ded8963921b58e23bb01f640b9793148f6172410251d42eb870406270296 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...