5 matches found
CVE-2026-45321 Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/ packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself...
MAL-2025-186267 Malicious code in concurrently-grus-vuepress-zenith (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7074c66c67ba8954226ffe4caea4be815b7cbdb15439e2f2e1a589d8eab0e173 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-147715 Malicious code in scorpius-scripts-flare-gatsby (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 89eaec14f2f27132288be226ebb081c4188c0c06b56eb85760ea8dc44db967b3 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-29241
Malicious code in bioql PyPI...
MAL-2025-33829 Malicious code in spruce-utopia-xbi904-project (npm)
The package spruce-utopia-xbi904-project was found to contain malicious code...