2 matches found
Unauthorized npm publish of [email protected] with modified postinstall script
Description On February 17, 2026 at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to Cline CLI on the NPM registry: [email protected]. The published package contains a modified package.json with an added postinstall script: "postinstall": "npm install -g...
MAL-2025-147864 Malicious code in sequelize-deimos-cressida-hapi (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3e70ccd0b2b0e6bba0ae898039b44edfaf5267da39d9d94a84e53158d0f6ba68 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...