136614 matches found

Malwarebytes
added 2026/04/06 7:1 a.m., 4 views

A week in security (March 30 – April 5)

Last week on Malwarebytes Labs: That dream job offer from Coca-Cola or Ferrari? It’s a trap for your passwords; Blocking children from social media is a badly executed good idea; Apple expands "DarkSword" patches to iOS 18.7.7; Malwarebytes Privacy VPN receives full third-party audit; Wikipedia’s AI...

5.9 AI score
Exploits 0

OSV
added 2026/04/06 6:10 a.m., 2 views

MAL-2026-2496 Malicious code in chess-sec-ssrf1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 25205345915fdf089bcbd90b35f9e852c02281bd7452805479d18c610063ac52 The package chess-sec-ssrf1 was found to contain malicious code. Source: ossf-package-analysis...

5.8 AI score
Exploits 0

OSV
added 2026/04/05 8:5 p.m., 0 views

MAL-2026-2495 Malicious code in cloudera (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 11ddf3c5a1eb28ca1531748670bd932bda38d78b04ae81c983361465a2076f57 The package cloudera was found to contain malicious code. Source: ossf-package-analysis...

5.8 AI score
Exploits 0

OSSF Malicious Packages
added 2026/04/05 9:3 a.m., 3 views

Malicious code in @needl-ai/common (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e1b98ae2755d0fd7d61bc3dfd378dc1bad2eadf7ef0033ba66bbf1383a711e5c The package @needl-ai/common was found to contain malicious code. Source: ossf-package-analysis...

5.7 AI score
Exploits 0, References 1

The Hacker News
added 2026/04/05 5:7 a.m., 6 views

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant. "Every package...

6.8 AI score
Exploits 0

OSV
added 2026/04/03 7:6 p.m., 1 views

MAL-2026-2474 Malicious code in strapi-plugin-nordica-deep (npm)

strapi-plugin-nordica-deep is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network...

6 AI score
Exploits 0, References 2

OSSF Malicious Packages
added 2026/04/03 4:11 p.m., 3 views

Malicious code in strapi-plugin-core (npm)

strapi-plugin-core is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology. I...

6 AI score
Exploits 0, References 2

OSV
added 2026/04/03 11:3 a.m., 1 views

MAL-2026-2460 Malicious code in strapi-plugin-events (npm)

[email protected] is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network...

6 AI score
Exploits 0, References 2

vulnersOsv
added 2026/04/03 3:26 a.m., 5 views

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.0-beta.7) +12 more potentially affected by CVE-2026-41341 via openclaw (>=2026.3.22 <=2026.3.28)

openclaw NPM version =2026.3.22, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.15.0 - tokaroo-openclaw-provider =0.1.1 Source cves: CVE-2026-41341 Source advisory: SNYK:JS-OPENCLAW-15893694...

5.4 CVSS, 5.8 AI score, 0.00018 EPSS
Exploits 0

vulnersOsv
added 2026/04/03 3:15 a.m., 6 views

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.0-beta.7) +12 more potentially affected by CVE-2026-41378 via openclaw (>=2026.3.22 <=2026.3.28)

openclaw NPM version =2026.3.22, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.15.0 - tokaroo-openclaw-provider =0.1.1 Source cves: CVE-2026-41378 Source advisory: SNYK:JS-OPENCLAW-15894771...

8.8 CVSS, 5.8 AI score, 0.00285 EPSS
Exploits 0

Trend Micro Simply Security
added 2026/04/03 12:0 a.m., 1 views

Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads

A packaging error in Anthropic’s Claude Code npm release briefly exposed internal source code. This entry examines how threat actors rapidly weaponized the resulting attention, pivoting an existing AI-themed campaign to spread Vidar and GhostSocks...

5.8 AI score
Exploits 0

OSV
added 2026/04/02 8:46 p.m., 4 views

GHSA-MHGQ-XPFQ-6R66 OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes

Summary Unauthenticated plugin-auth HTTP routes receive operator runtime scopes Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: v2026.3.28 still gives auth:"plugin" routes operator WRITESCOPE, but impact should stay limited to plugin routes that actually tou...

8.2 CVSS, 5.9 AI score, 0.00098 EPSS
Exploits 0, References 5

Github Security Blog
added 2026/04/02 6:34 p.m., 7 views

Axios npm Supply Chain Incident Impacting @usebruno/cli

Impact: This is a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and 03:30 UTC on March 31, 2026 may have been...

9.8 CVSS, 5.9 AI score, 0.00029 EPSS
Exploits 0, References 7, Affected Software 1

OSV
added 2026/04/02 3:22 p.m., 0 views

MAL-2026-2439 Malicious code in expeewas (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bcb3aafc860058ba4e9a64c6fa7dba85b7df72d68971ef7c673245e4ac02820f The package expeewas was found to contain malicious code. Source: ossf-package-analysis...

5.8 AI score
Exploits 0

OSSF Malicious Packages
added 2026/04/02 3:22 p.m., 5 views

Malicious code in expeewas (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bcb3aafc860058ba4e9a64c6fa7dba85b7df72d68971ef7c673245e4ac02820f The package expeewas was found to contain malicious code. Source: ossf-package-analysis...

5.9 AI score
Exploits 0

OSV
added 2026/04/02 3:13 p.m., 1 views

MAL-2026-2441 Malicious code in expirs (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 86105842d926ee95e61ae8adf0d4506cbc55c9510189208ee33d511806f2c5ef The package expirs was found to contain malicious code. Source: ossf-package-analysis d82cf6807fa6c011a17d3f4e8bf8af1e3e935a3d79ab1420356fd87d3f2567d...

5.8 AI score
Exploits 0

OSSF Malicious Packages
added 2026/04/02 3:12 p.m., 4 views

Malicious code in exszpe3szs (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 67f15551a64777edf23687b4e056220380ac9501b76e432e33f9d93f5aecf2d3 The package exszpe3szs was found to contain malicious code. Source: ossf-package-analysis...

5.9 AI score
Exploits 0

OSV
added 2026/04/02 3:12 p.m., 1 views

MAL-2026-2435 Malicious code in 4xperss (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6de1a8af1dbe21de2e06785a6a5e41a438f356fe440c8b121b808975ef95f5fe The package 4xperss was found to contain malicious code. Source: ossf-package-analysis d8cb27dbe58e29571ce6b777903222af9497b79676e8301021d03f159c5d77...

5.8 AI score
Exploits 0

OSV
added 2026/04/02 3:12 p.m., 3 views

MAL-2026-2434 Malicious code in 4exepreds (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 713fcab117c3d896c25c79498daded14d2b7d69baecb99c233703f421caaca26 The package 4exepreds was found to contain malicious code. Source: ossf-package-analysis...

5.8 AI score
Exploits 0

OSSF Malicious Packages
added 2026/04/02 3:12 p.m., 4 views

Malicious code in 4exepreds (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 713fcab117c3d896c25c79498daded14d2b7d69baecb99c233703f421caaca26 The package 4exepreds was found to contain malicious code. Source: ossf-package-analysis...

5.9 AI score
Exploits 0