Malicious code in chai-as-afforded (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d40560dbe3485657e0bf84ae14fb2447ca17ec244adcaf5d2ecd14a1753697d4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-4222 Malicious code in chai-as-afforded (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d40560dbe3485657e0bf84ae14fb2447ca17ec244adcaf5d2ecd14a1753697d4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-4738 Malicious code in zest-product (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c9081ad708b658c1bd56299e401ca6a764cc9137d99573bc922d38a7381cc30d On npm install, postinstall.js collects host identity and environment data os.hostname, username, process.cwd, process.env values, plus shelled-out...

MAL-2026-4620 Malicious code in nikou-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d4634b70c99dd84c499d573350a00e86b09e8caaf34786d60b118ce12c64b426 utils/BotClient.js hardcodes a Feishu/Lark appId clia88b12e0b9b51013 and appSecret aBRv7CbiWuL7csrMavfLvc5sMW5B4Ky7 as default constructor values,...

Malicious code in http-uploader-dev (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 936024fb65d6ab06a1f01fcd765b534812efb873f076e81303d87c0b141bba2b package.json declares "preinstall": "bun run index.js", which on npm install invokes Bun to run index.js. index.js detects the host OS and shells out...

MAL-2026-4361 Malicious code in @amswf/huoke (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4ec868ff3c73d920bd9c3b66a0e725f2eaf427b83ade2ad0fae284be0386eff4 On npm install, this package's postinstall runs node bin/huoke.js install-skill, which enumerates /home/ for every system user, finds each user's...

Malicious code in @amswf/huoke (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4ec868ff3c73d920bd9c3b66a0e725f2eaf427b83ade2ad0fae284be0386eff4 On npm install, this package's postinstall runs node bin/huoke.js install-skill, which enumerates /home/ for every system user, finds each user's...

Malicious code in cerebrum-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e0ac38481a69f23f9170b098fcd48cd72b82edb969bdd44eb3aa5cc377a13a0d On npm install, the package's postinstall hook runs setup.js, which decodes an embedded base64 string into a tar.gz file at ../../../tempbundle.tar.g...

Malicious code in @gad360/apothem (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4f5e509ba6aa2f781391f03ff37ea8005440c1d1106391bdfa91abae06336ad3 The package's package.json declares a postinstall hook "postinstall": "node install.js" that runs install.js automatically on npm install. install.js...

MAL-2026-4391 Malicious code in @gad360/apothem (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4f5e509ba6aa2f781391f03ff37ea8005440c1d1106391bdfa91abae06336ad3 The package's package.json declares a postinstall hook "postinstall": "node install.js" that runs install.js automatically on npm install. install.js...

MAL-2026-4205 Malicious code in defi-threat-scanner (npm)

A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...

Malicious code in wallet-security-checker (npm)

A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...

Malicious code in claude-internal-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 24a94a290c15f2b6cdaf351590455cd597bb2881f7bbcf1609fbfbd8031e491f Package name impersonates an internal Anthropic 'claude-' namespace and the description field self-identifies as 'Alex Birsan Style'...

Malicious code in deployment-key-auditor (npm)

A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...

Malicious code in chain-async-test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 37ce7d13d84d6293da0026d252448caac350f46ecf2206ee1eaeeff8b47d48c6 chain-async-test impersonates the legitimate chain-async library copies its README, license, author 'Eugene Lazutkin / uhop', and full API surface; t...

Malicious code in bolt-delivery-menu-app (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cc39247db76b4edd80084e400324518739f141dafda621d368c3e5a9ac41f791 Package executes a DNS-based beacon at both install time package.json scripts.install runs node index.js and on every require of the module...

MAL-2026-4360 Malicious code in @aledan007/tester (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ab03e3eef2f59f358cdaacedf2d9facb12077110c5402ad36aad6e3581e66439 The bundled server file dist/server/index.js contains a hardcoded reference to the attacker-controlled domain https://evil.attacker-example.com...

Malicious code in iv-stubborn (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9b8934157781e3457974f0609c54f14503424c9077b316f2e8e843e454989922 On npm install, both preinstall and postinstall lifecycle hooks execute index.js, which collects the installer's hostname, all non-internal network...

Malicious code in iv-bloomfilter (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e7f2a3b58036e1174efe383ee906172b07f9ddc3410d913e51b4e614f9ff09ee Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious Package

Overview iv-stubborn is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...