Malicious code in @squawk/weather (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 72341a088009d96497c994e0a076b60b00bf65b365831ef16abe360f5c6cf874 The package @squawk/weather was found to contain malicious code. Source: ghsa-malware 71445d30bdef8256424a60e0abf2f5e2ce43b8c7dffa1476bd2ee7001013720...

MAL-2026-3502 Malicious code in cross-stitch (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bfe06155444d60d3774a256051b31f6a4814f484f33830cbe61eec7ebe611be6 The package cross-stitch was found to contain malicious code. Source: ghsa-malware 7c23bb77e762be76915e8202d11074aaa122efe0a8a32e403fa00ee8563c9bbe A...

MAL-2026-3488 Malicious code in @tanstack/start-fn-stubs (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e25d3624c39cfe3dae76a5630525e72d3f0fe2f8eb1bbb44a0ff17c3a39d4fe2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3495 Malicious code in @tanstack/vue-router (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 23dd073c586a2dad28ee9957fd8a3059bcbb261fbbb6a17e3b99a7145158ef8d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3476 Malicious code in @tanstack/router-generator (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e1a01dce92fa9c8e2cf4d6107c13ae7ebadbf664d1b135b7075f050c32446b26 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3473 Malicious code in @tanstack/router-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bbe10ec33a8ef57cbee1293be08884f598f604cc51b69f3eed2d17217efd462d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/react-start-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8358ce998650baf1a9cb6bb602109da81268c43855ad0b16f892687cc89f104d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/react-router (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b329cb477cc0d977f9e8e6df59072ea002d6d041b99531596fbd87b8ff80aefd Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/arktype-adapter (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 00740c1707de87fdde677d596049a754c3269e6b54875d76eb4934a1368b7112 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

@squawk/mcp (>=0.2.0 <=0.9.0) potentially affected by unknown CVE via @squawk/airspace (>=0.4.1 <=0.8.0)

@squawk/airspace NPM version =0.4.1, =0.2.0, =0.9.0 Source cves: unknown CVE Source advisory: SNYK:JS-SQUAWKAIRSPACE-16640892...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

MAL-2026-3508 Malicious code in crypto-javascri (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e3f73f5a262aba7ba05c713d409646e419e998232fd536fd99c51750fa070699 The package crypto-javascri was found to contain malicious code. Source: google-open-source-security...

MAL-2026-3507 Malicious code in @mimecast-ui/components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7e59a7d55636b02d0a28954889c22f021de5b4f33c525ce7712706df60cd9af3 The package @mimecast-ui/components was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in @mimecast-ui/components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7e59a7d55636b02d0a28954889c22f021de5b4f33c525ce7712706df60cd9af3 The package @mimecast-ui/components was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in @mimecast-ui/charts (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e603deff481f2fdd492adde6f7d1f060fa7aa7d15f63abc4cc43fa7782409705 The package @mimecast-ui/charts was found to contain malicious code. Source: ossf-package-analysis...

MAL-2026-3427 Malicious code in @cplace-workflow-fe/cf-workflow (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aa219c5fdaf0ec8e6e0467fb1f23bfde9a07c18276187464062943e612848781 The package @cplace-workflow-fe/cf-workflow was found to contain malicious code. Source: ghsa-malware...

NPM: Facebook React has a Denial of Service Vulnerability in React Server Components

NPM: Facebook React has a Denial of Service Vulnerability in React Server Components discovered by ? in WordPress Npm react-server-dom-turbopack versions = 19.0.0, 19.0.6...

Malicious code in byvendors (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d3ae01e4f5473c61cf7c26fdf51f64fa34c7f16451ce6c093a52fd85b79eff5 The package byvendors was found to contain malicious code. Source: ossf-package-analysis...