Malicious code in @databus-service-ui/scroll-up-content (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 02414b019347c91f59a506d88dffc19306c7c287936df0d42327ad6b32eb0bf2 scripts/postinstall.js performs two independent attacker-benefit actions when npm install runs. First, it scrapes installer-side secrets — environmen...

Malicious code in @service-user-notifications/set_notifications_not_removable (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a890f1cd8313de802c1425ca5603b7d1fabaf84cb1e47b582a4633dae34ccf14 On npm install, scripts/postinstall.js fetches a platform-specific binary from https://oob.moika.tech/payload/linux|mac|win, writes it to a hidden te...

MAL-2026-4420 Malicious code in @polka-ui/loader (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f93cf8dde7e6a1252424fc82f38e8502a37d9e427d92d412fd8944c91b8ee5a4 On npm install, scripts/postinstall.js downloads a per-OS payload from https://oob.moika.tech/payload/linux|mac|win, writes it to /tmp/.polka-uiinit....

MAL-2026-3180 Malicious code in nicegui (npm)

Malicious npm package published by threat actor "ryanmccollum1" typosquatting the popular Python NiceGUI framework. Part of the same supply chain attack campaign as redeem-onchain-sdk, which collects SSH keys, AWS credentials, .npmrc tokens, Docker auth, Chrome saved logins, .env files, and git...

Malicious code in apple-coredata-internal-service (npm)

Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...

MAL-2026-2830 Malicious code in renovate-config-doctolib (npm)

Malicious package due to data exfiltration via preinstall script, reading .npmrc, and sending data to a remote server. Few published versions. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector afc7e33b7c6ea9379f973a56f94e3b8ed59f0bc746733efa7dadba31141d0cd9 The...

Malicious code in renovate-config-doctolib (npm)

Malicious package due to data exfiltration via preinstall script, reading .npmrc, and sending data to a remote server. Few published versions. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector afc7e33b7c6ea9379f973a56f94e3b8ed59f0bc746733efa7dadba31141d0cd9 The...

CVE-2026-35641 OpenClaw < 2026.3.24 - Arbitrary Code Execution via .npmrc in Local Plugin/Hook Installation

OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hook installation that allows attackers to execute malicious code by crafting a .npmrc file with a git executable override. During npm install execution in the staged package directory, attackers can...

EUVD-2026-21436

OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hook installation that allows attackers to execute malicious code by crafting a .npmrc file with a git executable override. During npm install execution in the staged package directory, attackers can...

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.24 contained security vulnerabilities. These vulnerabilities stemmed from arbitrary code execution vulnerabilities during the installation of local plugins and hooks. Attackers...

GHSA-M3MH-3MPG-37HW OpenClaw has an Arbitrary Malicious Code Execution Vulnerability

Fixed in OpenClaw 2026.3.24, the current shipping release. Summary During the installation phase of OpenClaw local plugins/hooks, the Git executable can be hijacked by a project-level .npmrc file, leading to arbitrary code execution during installation. Details Please note that the source code...

OpenClaw has an Arbitrary Malicious Code Execution Vulnerability

Fixed in OpenClaw 2026.3.24, the current shipping release. Summary During the installation phase of OpenClaw local plugins/hooks, the Git executable can be hijacked by a project-level .npmrc file, leading to arbitrary code execution during installation. Details Please note that the source code...

Malicious Package

Overview syntax-do-expressions is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior Th...

Malicious Package

Overview prefer-let is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior The package...

Malicious Package

Overview transform-undefined-to-void is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious...

Malicious Package

Overview modules-umd-systemjs is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior The...

Malicious Package

Overview transform-for-of is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior The...

Malicious Package

Overview syntax-export-extensions is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior...

Malicious Package

Overview jsx-dev-runtime is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior The...

Malicious Package

Overview transform-es2015-parameters is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious...