
234570 matches found

OSSF Malicious Packages
added 2026/04/19 6:36 p.m., 5 views

Malicious code in react-spa-shadcn (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7b0a6436d822911c9ab59cb73cdf9c25c0dfa562feb406fcfa450ad964418f89 The package react-spa-shadcn was found to contain malicious code. Source: ghsa-malware da9de249511ac32f8d560921d4da27724c126e29260a8fb7c4acb1da70c6b7...

5.8 AI score
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/04/19 5:21 p.m., 4 views

Malicious code in pa-marked (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3e01d64e50dea2a8be10707dbd49869a6bcea570bf26829a1738ca2237882249 The package pa-marked was found to contain malicious code. Source: ossf-package-analysis...

5.7 AI score
Exploits: 0
OSV
added 2026/04/19 8:46 a.m., 2 views

MAL-2026-2932 Malicious code in sy-editor-v3 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5cbd7c2056a09f76b9e73fbd0dae4370df9df455077146ae85b6b985b0394d4f The package sy-editor-v3 was found to contain malicious code. Source: ossf-package-analysis...

5.7 AI score
Exploits: 0
OSSF Malicious Packages
added 2026/04/18 11:55 a.m., 4 views

Malicious code in @ataslkit/profilecard (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8efe1bf5f3d6ed3259b1ef3d48d73c3fd6368a50097725968869b551e73f828a The package @ataslkit/profilecard was found to contain malicious code. Source: ossf-package-analysis...

5.7 AI score
Exploits: 0
OSV
added 2026/04/18 9:00 a.m., 1 view

MAL-2026-2924 Malicious code in cktool.core.internal (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 95da3751f8d8f63d46e480fc465291ffa814ac0294663c1d3d62d6b4b40df73c The package cktool.core.internal was found to contain malicious code. Source: ghsa-malware...

5.8 AI score
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/04/18 8:40 a.m., 5 views

Malicious code in cktool.api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b28b7eb696757e668aa67a3d187943f553dce7298e27f7b47cb90022034ac9ba The package cktool.api was found to contain malicious code. Source: ghsa-malware d228f217a2a065caaf43db67d6cc7dc3c842a2bc821523c33e11456a1a7c0d4e Any...

5.8 AI score
Exploits: 0, References: 1
OSV
added 2026/04/18 8:40 a.m., 2 views

MAL-2026-2922 Malicious code in cktool.api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b28b7eb696757e668aa67a3d187943f553dce7298e27f7b47cb90022034ac9ba The package cktool.api was found to contain malicious code. Source: ghsa-malware d228f217a2a065caaf43db67d6cc7dc3c842a2bc821523c33e11456a1a7c0d4e Any...

5.8 AI score
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/04/18 8:09 a.m., 3 views

Malicious code in cktool.internal (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0d35ec7e83cb03e16d3d408e617ad1c8a72dae84f6b8655f5439b1e5465e47fc The package cktool.internal was found to contain malicious code. Source: ghsa-malware fea6b6dafa01114874236a50b5923473307ac91ce0b6c562d3ccb2fa27e6af4...

5.8 AI score
Exploits: 0, References: 1
OSV
added 2026/04/18 7:55 a.m., 3 views

MAL-2026-2918 Malicious code in apple-cloudkit-internal (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1cfcd7e5376478b86db5942e2492ae0763bad14dda004c55988edf420f5e62ce The package apple-cloudkit-internal was found to contain malicious code. Source: ghsa-malware...

5.8 AI score
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/04/18 6:43 a.m., 6 views

Malicious code in ac-sasskit-internal (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c88124eb460a9e33e146185720f25d78918a3b360c1e41d55889b0b392f7ef5f The package ac-sasskit-internal was found to contain malicious code. Source: ghsa-malware...

5.8 AI score
Exploits: 0, References: 1
vulnersOsv
added 2026/04/17 10:16 p.m., 5 views

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.5) +13 more potentially affected by CVE-2026-43530 via openclaw (>=2026.3.22 <=2026.4.11)

openclaw NPM version =2026.3.22, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.0, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.15.0 - tokaroo-openclaw-provider =0.1.1 Source cves: CVE-2026-43530 Source advisory: SNYK:JS-OPENCLAW-16109736...

8.8 CVSS, 5.8 AI score, 0.00069 EPSS
Exploits: 0
OSV
added 2026/04/17 10:14 p.m., 2 views

GHSA-736R-JWJ6-4W23 OpenClaw: Sandboxed agents could escape exec routing via host=node override

Summary Sandboxed agents could escape exec routing via host=node override. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.5 = 2026.4.10 Impact A sandboxed agent could request host: "node" and route exec to a remote node instead of the intended...

8.8 CVSS, 5.9 AI score, 0.00065 EPSS
Exploits: 0, References: 6
GitHub Security Blog
added 2026/04/17 10:12 p.m., 6 views

OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins

Summary Workspace provider auth choices could auto-enable untrusted provider plugins. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.9 Impact Non-interactive onboarding could select a provider auth choice shadowed by an untrusted workspace plugin,...

8.8 CVSS, 5.7 AI score, 0.00116 EPSS
Exploits: 0, References: 6, Affected Software: 1
vulnersOsv
added 2026/04/17 9:57 p.m., 5 views

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.5) +14 more potentially affected by CVE-2026-43526 via openclaw (>=0.0.1 <=2026.4.11)

openclaw NPM version =0.0.1, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.0, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.15.0 - tokaroo-openclaw-provider =0.1.1 and more Source cves: CVE-2026-43526 Source advisory: OSV:GHSA-2767-2Q9V-9326...

9.3 CVSS, 5.8 AI score, 0.00045 EPSS
Exploits: 0
GitHub Security Blog
added 2026/04/17 9:55 p.m., 4 views

OpenClaw: Empty approver lists could grant explicit approval authorization

Summary Empty approver lists could grant explicit approval authorization. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.12 Impact For helper-backed channels, an empty resolved approver list could be interpreted as explicit approval authorization,...

6.5 CVSS, 5.7 AI score, 0.00037 EPSS
Exploits: 0, References: 6, Affected Software: 1
vulnersOsv
added 2026/04/17 9:54 p.m., 6 views

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.0-beta.7) +13 more potentially affected by CVE-2026-43584 via openclaw (>=0.0.1 <=2026.4.1)

openclaw NPM version =0.0.1, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =3.3.2, =3.3.7 Source cves: CVE-2026-43584 Source advisory: OSV:GHSA-VFP4-8X56-J7C5...

8.8 CVSS, 5.8 AI score, 0.00139 EPSS
Exploits: 0
GitHub Security Blog
added 2026/04/17 9:32 p.m., 8 views

Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing

Executive Summary This report documents a critical security research finding in the compressing npm package specifically tested on the latest v2.1.0. The core vulnerability is a Partial Fix Bypass of CVE-2026-24884. The current patch relies on a purely logical string validation within the...

8.4 CVSS, 6 AI score, 0.00021 EPSS
Exploits: 2, References: 3, Affected Software: 1
OSSF Malicious Packages
added 2026/04/17 9:01 p.m., 6 views

Malicious code in material-ui-plugin-cache-endpoint (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 45efd49ad74d002b46224881218cf53c763e58c0b71ed3d3ff3a79d1021f3a64 The package material-ui-plugin-cache-endpoint was found to contain malicious code. Source: ghsa-malware...

5.8 AI score
Exploits: 0, References: 1
OSV
added 2026/04/17 9:01 p.m., 1 view

MAL-2026-2926 Malicious code in material-ui-plugin-cache-endpoint (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 45efd49ad74d002b46224881218cf53c763e58c0b71ed3d3ff3a79d1021f3a64 The package material-ui-plugin-cache-endpoint was found to contain malicious code. Source: ghsa-malware...

5.8 AI score
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/04/17 2:21 p.m., 4 views

Malicious code in value-slider (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector abf877173b9292185a66f77e03a35a1964c716f9cc053cd68cfd66fa005843fa The package value-slider was found to contain malicious code. Source: ghsa-malware cf716f2e826f45d1313d19d4691315d634d3199be557367c4346af4481aec65c A...

5.7 AI score
Exploits: 0, References: 1