MAL-2026-4280 Malicious code in node-setup-helpers (npm)

Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...

MAL-2026-4275 Malicious code in async-pipeline-builder (npm)

Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...

MAL-2026-4276 Malicious code in build-scripts-utils (npm)

Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...

Malicious code in chai-as-repaired (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 949b90bd3c157955d029f9ea08bc32aea893e452c4ded78df98b80c1b831be76 Package name 'chai-as-repaired' is a 1-edit typosquat of the popular 'chai-as-promised' chai plugin 1M weekly downloads. The published code is...

Malicious code in clickpy (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dd3b0787797fa520a5583fd5f14b83ec1b4606c0c45051e30ef312869c148f01 On require'clickpy', index.js collects host metadata via os.hostname, os.userInfo, os.platform, os.arch, process.cwd, process.pid, and the current...

MAL-2026-4270 Malicious code in clickpy (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dd3b0787797fa520a5583fd5f14b83ec1b4606c0c45051e30ef312869c148f01 On require'clickpy', index.js collects host metadata via os.hostname, os.userInfo, os.platform, os.arch, process.cwd, process.pid, and the current...

Malicious code in @engagehub/core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bcc397ed87426726776c339f950939ac2da46c12edd018ed4bc48031f7044094 All three lifecycle hooks preinstall, install, postinstall in package.json invoke node telemetry.js, so the payload fires unconditionally on npm...

GHSA-JXXR-4GWJ-5JF2 vulnerabilities

Vulnerabilities for packages: prism, pulumi, npm, vitess, lerna, opensearch-dashboards, langfuse, renovate, tileserver-gl...

MAL-2026-4556 Malicious code in express-enrouten-async (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f944bc544f9368e58a223e76e462ddec4ba325c728a233100182706ad8f0ae0e Package name mimics the legitimate express-enrouten route-discovery library, but the shipped index.js only hardcodes two demo routes rather than...

Malicious code in express-enrouten-async (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f944bc544f9368e58a223e76e462ddec4ba325c728a233100182706ad8f0ae0e Package name mimics the legitimate express-enrouten route-discovery library, but the shipped index.js only hardcodes two demo routes rather than...

Malicious code in mmt-static (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 755d0176c106903bf2baaf14d0bb4df611bb719c2a7b0615e9b4487eadee1300 On npm install, the package's preinstall lifecycle hook executes node index.js && curl --data-urlencode "info=$hostname && whoami"...

Malicious code in rapyd-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fb9b157ff532e1e7c1ccd9ae77aec9a89324f24a5a0f27c1ccd70e430f318b60 Package self-presents as a TypeScript SDK for the Rapyd fintech-as-a-service platform and links https://www.rapyd-client.net/ as if it were Rapyd's...

MAL-2026-4658 Malicious code in rapyd-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fb9b157ff532e1e7c1ccd9ae77aec9a89324f24a5a0f27c1ccd70e430f318b60 Package self-presents as a TypeScript SDK for the Rapyd fintech-as-a-service platform and links https://www.rapyd-client.net/ as if it were Rapyd's...

Malicious code in thevoid (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0ce4d125de5d699da897d074134f8d1f0a971aa23d9c3d6ff3330015fccad091 On install, postinstall.js performs an HTTPS request to void-relay.com carrying process.env contents along with host identifiers process.platform,...

MAL-2026-4345 Malicious code in eo-terminal (npm)

Part of a multi-package malicious campaign by npm author toskypi, eo-terminal is a fully-featured infostealer and remote access trojan RAT disguised as "terminal changelog logger utilities." The package README describes a completely different package terminal-logger-utils, indicating a...

Malicious code in @citi-icg-171632/citicms-repo-component (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 88e5400167d9962139f78098013ac4e5eadeeaa76b8916ba246c5f6b2093f508 The OpenSSF Package Analysis project identified '@citi-icg-171632/citicms-repo-component' @ 99.9.1 npm as malicious. It is considered malicious...

Malicious code in share-anything-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 290f9dadaf589349dd8a7c641450aca713a6ead63b2ba685c15e4e6a37ab3b07 The package's package.json declares a postinstall lifecycle hook "postinstall": "node install.js" that runs install.js automatically on npm install...

OESA-2026-2417 kernel security update

The Linux Kernel, the operating system core itself. Security Fixes: In the Linux kernel, the following vulnerability has been resolved:mm/mempolicy: fix migratetonode assuming there is at least one VMA in a MMWe currently assume that there is at least one VMA in a MM, which isn ttrue.So we might...

Malicious code in cdk-sagemaker-notebook-workflow (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6cc9c1db01ca14b294be21438478ec14dc6549a4b7b9ec5cf73dd7aa227f7ad8 The package declares a preinstall hook node index.js in package.json that fires automatically on npm install. The script collects os.hostname,...

Malicious code in @tmecontinue/claude (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0813d6ca6de1573ab8f99aae08444e589f4c5751931e4b18812140f720b74239 Package self-describes as a 'Reverse-engineered Anthropic Claude Code CLI' and impersonates the legitimate @anthropic-ai/claude-code bin name...