MAL-2026-4702 Malicious code in vestibulect (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 82da0f0bb40f42e69defbea694db093f2ad880c8c094508f61e2d7fe58550e2e package.json declares a postinstall hook "postinstall": "node install.js" which executes install.js automatically on npm install. install.js imports ...

MAL-2026-4394 Malicious code in @ikyyofc/gemini-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5793a1cde3de83b8c15b49a0f9981d72fbf431067a4416ce6b2bd5650ea4a4d6 @ikyyofc/[email protected] ships two heavily obfuscated modules src/gemini.js and src/utils/proxy.js wrapped in an obfuscator.io-style string-array +...

MAL-2026-4464 Malicious code in @vtmn-play/react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e407217116bd1ae3eb89ce8631eae8299f5acd924409d33f141ebddc4489145 Package name @vtmn-play/react mimics Decathlon's Vitamin design system @vtmn/react and is published at version 99.9.1, the canonical...

MAL-2026-4534 Malicious code in color-style-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 47cf4aaa2cd7a20b222a1a4150a7b9e1f79d9b0a09c8fe4a5689e55bad9bc087 On npm install, all three lifecycle hooks preinstall, install, postinstall execute postinstall.js, which harvests installer secrets and exfiltrates...

Malicious code in color-style-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 47cf4aaa2cd7a20b222a1a4150a7b9e1f79d9b0a09c8fe4a5689e55bad9bc087 On npm install, all three lifecycle hooks preinstall, install, postinstall execute postinstall.js, which harvests installer secrets and exfiltrates...

MAL-2026-4389 Malicious code in @flipbit2-bb/test-auth-state (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 52ba26e89d1aca1f10772bf4cc8c9b23a436a39a8442fdf4ba9abf6c4c890e63 On npm install, a postinstall script phone-home.js collects os.hostname, os.userInfo.username, process.platform + os.release, a timestamp, and a...

Malicious code in polymarket-clob-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7e0a3a7bbeb25fb478d59cdd4b62ebb34c13e8e236505813660e81abf61e74ec The package is published as polymarket-clob-client, an unscoped lookalike of the legitimate @polymarket/clob-client maintained by Polymarket, but the...

Malicious code in @shinzepelly/libsignal-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 957954ced5e6fb2e8ab6a666adf496ca2edc7575a4e202b593d6698b5d89809f Package impersonates the legitimate libsignal-node library description copied verbatim: "Open Whisper Systems' libsignal for Node.js" under an...

MAL-2026-4452 Malicious code in @tailwind-core/webpack (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7955094460738dc65288f88a3bb990c7d3ff52ed3683f11265b7072bd80aa4e3 Package @tailwind-core/webpack impersonates the legitimate Tailwind v4 webpack loader @tailwindcss/webpack. The README copies Tailwind Labs branding ...

Malicious code in @solarcraft/observix (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 14c39608a172a624520f309b572b40636dc51563f85fe89dac968712490dd40f The package advertises itself as a zero-dependency colorized logger similar to pino-pretty, but dist/index.js does require'./logger' purely for its...

Malicious code in truffle-config-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2204d3386cd8473771610640812df94a0c65c5482027bd7a59282398d38e73db On npm install, the package's postinstall hook package.json line 13 issues an HTTPS GET to...

MAL-2026-4249 Malicious code in truffle-config-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2204d3386cd8473771610640812df94a0c65c5482027bd7a59282398d38e73db On npm install, the package's postinstall hook package.json line 13 issues an HTTPS GET to...

Malicious code in customerdigital-ui-containers-lib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a314a5b253dcb30b2781bda216266b7ab1b49b62eec416bd9be07b48ab46a348 On npm install, postinstall.js collects git identity, OS user/uid, hostname, internal network interface addresses, Cloudflare Pages environment...

Malicious code in etherjs-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 335b4f699510e2bb1171a9137655f6977d5554f508e612eab97b4239c1249be1 package.json declares a postinstall script that performs an HTTPS GET to an ephemeral pinggy-free.link tunnel URL...

MAL-2026-4407 Malicious code in @mcpassure/mcp-cnes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 243d5ff1424c2d147ee05781c1889b007eb30e22a190bf6dc3973b676ea697a7 dist/bootstrap.js performs a fetch against https://pub-046c52795b9445cd9f5cc5cb21b9d59f.r2.dev, an anonymous Cloudflare R2 bucket with no publisher...

MAL-2026-4233 Malicious code in chainlink-price-feed-aggregator (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 557bc05b86e81155a6305c13693641f32ca21520bac827af82b2a785f4f669d4 Package name impersonates Chainlink branding while being published by an unrelated identity author 'Web3 Developer Tools ', repo github.com/web3/...

EUVD-2026-30991

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1...

MAL-2026-4243 Malicious code in ganache-cli-provider (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 144bbaf975156b3114f5526a7e9a8ffbe8eb411a541c7e457b7bf444200a02c5 Package name impersonates the widely-used ganache-cli Ethereum development tool but ships only a 138-byte index.js stub that wraps...

CVE-2026-39309

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is vulnerable to TCC Bypass via Prompt Spoofing, allowing local attackers to trigger misleading macOS permission...

Malicious code in ethers-multicall-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fe5e969b4ca41dbbd6ef1c04c12d48906ea4477b39493e766045effd4939d748 On npm install, the package's postinstall script spawns node -e to run an inline childprocess.execSync that curls a binary from...