MAL-2026-2943 Malicious code in turbo-he (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1da17bf1f37303e3d91056c1ce674462279861bc896e413f1d262548ff6b3647 The package turbo-he was found to contain malicious code. Source: ghsa-malware 6bd9985ec0cf97c08347814d88b84c1c12cd8f22507a76e2a78cacb06c6840a6 Any...

Malicious code in pa-marked (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3e01d64e50dea2a8be10707dbd49869a6bcea570bf26829a1738ca2237882249 The package pa-marked was found to contain malicious code. Source: ossf-package-analysis...

MAL-2026-2918 Malicious code in apple-cloudkit-internal (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1cfcd7e5376478b86db5942e2492ae0763bad14dda004c55988edf420f5e62ce The package apple-cloudkit-internal was found to contain malicious code. Source: ghsa-malware...

Malicious code in ac-sasskit-internal (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c88124eb460a9e33e146185720f25d78918a3b360c1e41d55889b0b392f7ef5f The package ac-sasskit-internal was found to contain malicious code. Source: ghsa-malware...

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.5) +13 more potentially affected by CVE-2026-43530 via openclaw (>=2026.3.22 <=2026.4.11)

openclaw NPM version =2026.3.22, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.0, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.15.0 - tokaroo-openclaw-provider =0.1.1 Source cves: CVE-2026-43530 Source advisory: SNYK:JS-OPENCLAW-16109736...

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.5) +14 more potentially affected by CVE-2026-43526 via openclaw (>=0.0.1 <=2026.4.11)

openclaw NPM version =0.0.1, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.0, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.15.0 - tokaroo-openclaw-provider =0.1.1 and more Source cves: CVE-2026-43526 Source advisory: OSV:GHSA-2767-2Q9V-9326...

OpenClaw: Empty approver lists could grant explicit approval authorization

Summary Empty approver lists could grant explicit approval authorization. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.12 Impact For helper-backed channels, an empty resolved approver list could be interpreted as explicit approval authorization,...

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.0-beta.7) +13 more potentially affected by CVE-2026-43584 via openclaw (>=0.0.1 <=2026.4.1)

openclaw NPM version =0.0.1, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =3.3.2, =3.3.7 Source cves: CVE-2026-43584 Source advisory: OSV:GHSA-VFP4-8X56-J7C5...

Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing

Executive Summary This report documents a critical security research finding in the compressing npm package specifically tested on the latest v2.1.0. The core vulnerability is a Partial Fix Bypass of CVE-2026-24884. The current patch relies on a purely logical string validation within the...

MAL-2026-2926 Malicious code in material-ui-plugin-cache-endpoint (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 45efd49ad74d002b46224881218cf53c763e58c0b71ed3d3ff3a79d1021f3a64 The package material-ui-plugin-cache-endpoint was found to contain malicious code. Source: ghsa-malware...

Malicious code in value-slider (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector abf877173b9292185a66f77e03a35a1964c716f9cc053cd68cfd66fa005843fa The package value-slider was found to contain malicious code. Source: ghsa-malware cf716f2e826f45d1313d19d4691315d634d3199be557367c4346af4481aec65c A...

MAL-2026-2822 Malicious code in ing-web-v5 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f32dd0f0eff32e970526305378a6623e9af62ab133ddcf04a21aa92f1eb95f26 The package ing-web-v5 was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in lightweight-charts-4.1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1f7a7bcf5678b42c2da20ad8e444066092ac3a9c17a6c8867a034717d1d8c344 The package lightweight-charts-4.1 was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in youpin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d2434bf56ac3bd217b20d87570b4be5eb5c96c17669d38ae4bf7c959dd21b29 The package youpin was found to contain malicious code...

MAL-2026-2806 Malicious code in youpin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d2434bf56ac3bd217b20d87570b4be5eb5c96c17669d38ae4bf7c959dd21b29 The package youpin was found to contain malicious code...

MAL-2026-2805 Malicious code in winston-prisma (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8bc2a581514f0a9f03ad807946bb8aa90ed013936e91ed2a413ced0966986921 The package winston-prisma was found to contain malicious code...

Malicious code in transcript-viewer-ui-demo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d52899913925c544bb906fcc1d752431c86c54c3465310a8eee4318ba29164e0 The package transcript-viewer-ui-demo was found to contain malicious code...

MAL-2026-2803 Malicious code in tailwind-configuration (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 60061f038f742f65f6876c278646b1b91d880677e6ba9dff2c87ea021f5b6aa9 The package tailwind-configuration was found to contain malicious code...

Malicious code in tailwind-configuration (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 60061f038f742f65f6876c278646b1b91d880677e6ba9dff2c87ea021f5b6aa9 The package tailwind-configuration was found to contain malicious code...

Malicious code in synthetics-sdk-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f901ab2d37659ee8585c20804e368b185c14c0e5fc49e51a3148fb439b728bad The package synthetics-sdk-node was found to contain malicious code...