109 matches found
Malicious code in @oplus/obus-web-sdk-plugin-recovery (npm)
Source: amazon-inspector a7435b09e6ec064fe7ff0738becd8dd3445f1a73e97427a8fb9285460bd4f723. @oplus/[email protected] publishes to a likely-private internal scope at an artificially high version to win resolution against a...
MAL-2026-4967 Malicious code in @cloudplatform-single-spa/security-groups (npm)
Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...
Malicious code in @car-loans/show-car-year-module (npm)
Part of a dependency confusion attack campaign targeting the @car-loans, @fb-deposit, and @debit-ib npm scopes. The attacker npm user pik-libs published 25 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version resolution,...
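The three dependency confusion entries above share one mechanism: a scoped package that only exists on a private registry is published to the public registry at 99.99.99, and any consumer whose scope is not pinned to the private registry, or whose version range admits anything, pulls the attacker's copy. The check below is an added example (not code from OSV, Amazon Inspector or any of the advisories): it reads a project's package.json, .npmrc and package-lock.json and reports, for each dependency in a list of scopes the organisation treats as internal, whether the scope falls through to the public registry, whether the range is open, and whether the lockfile has already resolved it from registry.npmjs.org. The package.json, .npmrc and lockfile are constructed samples, and the internal registry host npm.internal.example and the @mlspace/utils package name are assumptions.

```python
"""Check which dependencies on private npm scopes could be hijacked by a public
package published at an inflated version (dependency confusion). Added example;
the package.json, .npmrc and lockfile below are constructed, and the internal
registry host and the @mlspace/utils package name are assumptions."""
import re

PUBLIC_REGISTRY = "https://registry.npmjs.org/"

# Ranges that admit whatever the registry serves, including 99.99.99.
OPEN_RANGE = re.compile(r"^(\*|latest|x|>=?\s*\S+|)$")


def parse_npmrc(text):
    """Return (default registry, {scope: registry}) from .npmrc contents."""
    default, scoped = PUBLIC_REGISTRY, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "registry":
            default = value
        elif key.startswith("@") and key.endswith(":registry"):
            scoped[key[: -len(":registry")]] = value
    return default, scoped


def scope_of(name):
    return name.split("/", 1)[0] if name.startswith("@") else None


def find_exposed(package_json, npmrc_text, private_scopes, lockfile=None):
    """Return {dependency: [reasons]} for dependencies in private_scopes that the
    public registry can satisfy, plus lockfile entries already resolved from it
    (the post-compromise indicator)."""
    default, scoped = parse_npmrc(npmrc_text)
    deps = {}
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(package_json.get(field, {}))
    lock_packages = (lockfile or {}).get("packages", {})
    findings = {}
    for name, spec in sorted(deps.items()):
        scope = scope_of(name)
        if scope not in private_scopes:
            continue
        reasons = []
        registry = scoped.get(scope, default)
        if registry.rstrip("/") == PUBLIC_REGISTRY.rstrip("/"):
            reasons.append(f"scope {scope} is not pinned in .npmrc, so it resolves from the public registry")
        if OPEN_RANGE.match(spec):
            reasons.append(f"range {spec!r} accepts any published version")
        entry = lock_packages.get(f"node_modules/{name}", {})
        if entry.get("resolved", "").startswith(PUBLIC_REGISTRY):
            reasons.append(f"lockfile already resolved {entry.get('version')} from the public registry")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed inputs, not taken from any real project.
SAMPLE_PACKAGE_JSON = {
    "dependencies": {
        "@cloudplatform-single-spa/security-groups": "latest",
        "@mlspace/utils": "^2.0.0",
        "@car-loans/show-car-year-module": "1.2.0",
        "lodash": "^4.17.21",
    }
}
SAMPLE_NPMRC = """
registry=https://registry.npmjs.org/
# only one internal scope is routed to the private registry
@car-loans:registry=https://npm.internal.example/
"""
SAMPLE_LOCKFILE = {
    "packages": {
        "node_modules/@cloudplatform-single-spa/security-groups": {
            "version": "99.99.99",
            "resolved": "https://registry.npmjs.org/@cloudplatform-single-spa/security-groups/-/security-groups-99.99.99.tgz",
        },
        "node_modules/@car-loans/show-car-year-module": {
            "version": "1.2.0",
            "resolved": "https://npm.internal.example/@car-loans/show-car-year-module/-/show-car-year-module-1.2.0.tgz",
        },
    }
}
PRIVATE_SCOPES = ("@cloudplatform-single-spa", "@mlspace", "@car-loans")


def run_sample():
    return find_exposed(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, PRIVATE_SCOPES, SAMPLE_LOCKFILE)


if __name__ == "__main__":
    for dep, reasons in run_sample().items():
        print(dep)
        for reason in reasons:
            print("  -", reason)
```

On the sample, @car-loans/show-car-year-module produces no finding because its scope is routed to the private registry and the lockfile agrees; @cloudplatform-single-spa/security-groups is reported three times over (unpinned scope, open range, and a lockfile entry already pointing at a 99.99.99 tarball on the public registry), which is what a compromised install looks like after the fact. The fix for the first two reasons is an `@scope:registry=` line per internal scope, which makes the public registry irrelevant to resolution for that scope regardless of what version is published there.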
Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer
Cybersecurity researchers have flagged a fresh software supply chain attack campaign that has targeted multiple PHP packages belonging to Laravel-Lang to deliver a comprehensive credential-stealing framework. The affected packages include - laravel-lang/lang laravel-lang/http-statuses...
Malicious code in chai-as-tuned (npm)
Source: amazon-inspector f7e00f81e117716cfd7fd3565cf8b04073cd494a6da2c23749669133806a7473. Package name chai-as-tuned impersonates chai-as-promised and ships a README copy-pasted from the unrelated pino project; npm/CI badges point at...
Malicious code in @qwedqwed/axios (npm)
Source: amazon-inspector 119efce3cb464ef8c7b605ec49768619ac9ef49b9981d4b0a530ff1829194b8c. @qwedqwed/axios republishes the legitimate axios source verbatim under an unrelated scope, copies the original author metadata Matt Zabriskie for...
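The chai-as-tuned and @qwedqwed/axios entries above describe impersonation by different signals: a name that shares its prefix with a well-known package, a README and badges lifted from an unrelated project, and a known package name republished verbatim under a scope the real project never used with the original author string copied over. The script below is an added example (not from the advisories or from any registry tooling) that scores a package manifest and README against a small allowlist of known names for exactly those signals. The allowlist, the sample manifests and the README fragment are constructed; the only metadata value taken from the page is the axios author string the advisory quotes, and the edit-distance threshold of 2 is an assumption.

```python
"""Heuristic impersonation signals for an npm package: look-alike or
prefix-sharing names, a known name republished under an unrelated scope,
copied author metadata, and README badges that point at another package.
Added example; the allowlist, manifests and README below are constructed."""
import re


def levenshtein(a, b):
    """Classic edit distance, used for look-alike name detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shared_prefix(a, b):
    """Leading hyphen-separated segments two names have in common, if at least two."""
    common = []
    for x, y in zip(a.split("-"), b.split("-")):
        if x != y:
            break
        common.append(x)
    return "-".join(common) if len(common) >= 2 else None


def split_name(full):
    if full.startswith("@") and "/" in full:
        return tuple(full.split("/", 1))
    return None, full


# Constructed allowlist: bare name -> (scope the real project publishes under,
# author string). None means unscoped / unknown. The axios author is the one
# quoted in the advisory.
KNOWN = {
    "axios": (None, "Matt Zabriskie"),
    "chai-as-promised": (None, None),
    "pino": (None, None),
}

# Badge or registry URLs that name a package: shields.io/npm/<metric>/<name>,
# npmjs.com/package/<name>, badge.fury.io/js/<name>.
BADGE = re.compile(
    r"(?:shields\.io/npm/[a-z]+/|npmjs\.com/package/|badge\.fury\.io/js/)"
    r"(@?[\w.-]+(?:/[\w.-]+)?)"
)


def impersonation_signals(manifest, readme, known=KNOWN, max_distance=2):
    """Return a list of human-readable signals; an empty list means none fired."""
    name = manifest["name"]
    scope, bare = split_name(name)
    author = manifest.get("author")
    if isinstance(author, dict):
        author = author.get("name")
    signals = []
    for kname, (kscope, kauthor) in known.items():
        if name == kname:
            continue  # this is the genuine package
        if bare == kname and scope != kscope:
            signals.append(f"republishes known name {kname!r} under unrelated scope {scope}")
        elif bare != kname:
            d = levenshtein(bare, kname)
            if d <= max_distance:
                signals.append(f"name {bare!r} is within edit distance {d} of {kname!r}")
            prefix = shared_prefix(bare, kname)
            if prefix:
                signals.append(f"shares name prefix {prefix!r} with {kname!r}")
        if kauthor and author == kauthor:
            signals.append(f"author {author!r} matches the author of {kname!r}")
    targets = [re.sub(r"\.(?:svg|png)$", "", t) for t in BADGE.findall(readme)]
    for target in dict.fromkeys(targets):  # de-duplicate, keep order
        if target != name:
            signals.append(f"README badge points at {target!r}, not {name!r}")
    return signals


# Constructed samples modelled on the two advisories.
SAMPLE_TUNED = {"name": "chai-as-tuned", "version": "1.0.0"}
README_FROM_PINO = (
    "# pino\n"
    "[![npm version](https://img.shields.io/npm/v/pino.svg)]"
    "(https://www.npmjs.com/package/pino)\n"
)
SAMPLE_SCOPED_AXIOS = {"name": "@qwedqwed/axios", "version": "1.0.0", "author": "Matt Zabriskie"}
SAMPLE_CLEAN = {"name": "my-internal-utils", "version": "0.1.0"}

if __name__ == "__main__":
    for manifest, readme in ((SAMPLE_TUNED, README_FROM_PINO), (SAMPLE_SCOPED_AXIOS, ""), (SAMPLE_CLEAN, "")):
        print(manifest["name"], impersonation_signals(manifest, readme))
```

Note that plain edit distance does not catch chai-as-tuned (its distance from chai-as-promised is well over 2), which is why the prefix check exists: prefix reuse is how a package borrows a family name without tripping a look-alike threshold. Conversely, @qwedqwed/axios fires on the republish and author-copy rules rather than on the name itself, since its bare name is identical to the original.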
Malicious code in @antv/chart-node-g6 (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
MAL-2026-4094 Malicious code in @antv/vis-predict-engine (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
Malicious code in @antv/g2-extension-ava (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
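The three @antv entries above describe the same two observables: each malicious version adds a preinstall hook that runs a large obfuscated Bun payload, and the whole set was pushed from one compromised account in an automated burst. The code below is an added example (not code from the advisories, from @antv or from any registry) showing how a practitioner would turn those observables into checks: one function audits a package manifest and its file sizes for install-time hooks that invoke a runtime and for the size of the script they run, the other groups publish events by account and finds any account that released many versions inside a short window. The manifests, file sizes, package names, version numbers and timestamps are constructed; the 200 KB file-size threshold and the 30-minute / 5-version burst parameters are assumptions chosen for the sample.

```python
"""Two detections for the Mini Shai-Hulud pattern: an install-time lifecycle
hook that runs a large bundled script, and a publish burst from one account.
Added example; manifests, file sizes, package names, versions and timestamps
below are constructed, and the thresholds are assumptions."""
import re
from datetime import datetime, timedelta

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
RUNTIME = re.compile(r"\b(bun|node|npx|sh|bash|curl|wget|powershell)\b")
SCRIPT_FILE = re.compile(r"[\w./-]+\.(?:js|cjs|mjs|ts|sh)")
LARGE_FILE_BYTES = 200 * 1024  # assumption: bundled payloads run to hundreds of KB


def audit_install_hooks(manifest, files):
    """manifest: parsed package.json; files: {path in tarball: size in bytes}.
    Returns human-readable findings (empty list means no install-time hooks)."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"{hook} hook present: {cmd!r}")
        runtime = RUNTIME.search(cmd)
        if runtime:
            findings.append(f"{hook} invokes {runtime.group(1)}")
        for token in SCRIPT_FILE.findall(cmd):
            size = files.get(token.lstrip("./"))
            if size is not None and size >= LARGE_FILE_BYTES:
                findings.append(f"{hook} runs {token} ({size // 1024} KB)")
    return findings


def publish_bursts(events, window=timedelta(minutes=30), min_versions=5):
    """events: iterable of (publisher, package, version, ISO-8601 timestamp).
    Returns {publisher: (versions, distinct packages, span in minutes)} for the
    densest window of each publisher that released at least min_versions."""
    by_publisher = {}
    for publisher, package, version, ts in events:
        by_publisher.setdefault(publisher, []).append((datetime.fromisoformat(ts), package, version))
    bursts = {}
    for publisher, releases in by_publisher.items():
        releases.sort()
        best, j = None, 0
        for i in range(len(releases)):
            while j < len(releases) and releases[j][0] - releases[i][0] <= window:
                j += 1
            count = j - i
            if count >= min_versions and (best is None or count > best[0]):
                packages = {p for _, p, _ in releases[i:j]}
                span = (releases[j - 1][0] - releases[i][0]).total_seconds() / 60
                best = (count, len(packages), round(span, 1))
        if best:
            bursts[publisher] = best
    return bursts


# Constructed sample: a manifest whose preinstall hook runs a 498 KB script.
SAMPLE_MANIFEST = {
    "name": "@example-scope/chart-widget",
    "version": "1.4.2",
    "scripts": {"preinstall": "node ./preinstall_payload.js", "test": "vitest"},
}
SAMPLE_FILES = {"package.json": 812, "index.js": 3400, "preinstall_payload.js": 498 * 1024}

# Constructed publish log: eight versions of six packages in 22 minutes from
# one account, and a normal cadence from another.
SAMPLE_EVENTS = [
    ("atool", "@example-scope/pkg-a", "1.0.1", "2026-03-01T10:00:00"),
    ("atool", "@example-scope/pkg-b", "0.5.2", "2026-03-01T10:03:00"),
    ("atool", "@example-scope/pkg-c", "2.1.0", "2026-03-01T10:05:00"),
    ("atool", "@example-scope/pkg-a", "1.0.2", "2026-03-01T10:08:00"),
    ("atool", "@example-scope/pkg-d", "3.0.0", "2026-03-01T10:12:00"),
    ("atool", "@example-scope/pkg-e", "0.1.1", "2026-03-01T10:15:00"),
    ("atool", "@example-scope/pkg-b", "0.5.3", "2026-03-01T10:19:00"),
    ("atool", "@example-scope/pkg-f", "4.4.4", "2026-03-01T10:22:00"),
    ("steady-dev", "@example-scope/other", "2.0.0", "2026-02-10T09:00:00"),
    ("steady-dev", "@example-scope/other", "2.0.1", "2026-02-12T14:30:00"),
    ("steady-dev", "@example-scope/other", "2.1.0", "2026-02-20T11:15:00"),
]

if __name__ == "__main__":
    for line in audit_install_hooks(SAMPLE_MANIFEST, SAMPLE_FILES):
        print(line)
    print(publish_bursts(SAMPLE_EVENTS))
```

The hook audit is deliberately noisy: any preinstall/install/postinstall hook is reported, because a lifecycle hook is the execution vector regardless of what it runs, and the runtime and file-size lines only rank the finding. Running `npm install --ignore-scripts` (or setting `ignore-scripts=true` in .npmrc) removes the vector for packages that do not genuinely need native builds. The burst detector is the registry-side counterpart: a maintainer account that pushes hundreds of versions in minutes is behaving like a script, not a person, and is worth holding regardless of the payload.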
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
MAL-2026-3650 Malicious code in microsoft-applicationinsights-common (npm)
Two malicious npm packages published by the micresoft account typosquatting "microsoft" are part of a coordinated supply chain attack sharing identical infrastructure with packages published by the superbase account. Each package bundles a 4.5 MB statically-linked, UPX-packed ELF binary at...
MAL-2026-2269 Malicious code in claude-lite (PyPI)
Source: kam193 3a73f0745200bef9d517a2ac5e3e69189347e0b730a0187e71c3c201accd5833. Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...
MAL-2025-188349 Malicious code in notify-string-deploy-file-private (npm)
Source: amazon-inspector 261bf5701f54f586ce80f4a7f1529d9420634df6bbed2f132ab18fb20a29fa54. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-185027 Malicious code in sonic-kos-fgiafao (npm)
Source: amazon-inspector 8272ddaf144809d894182063c1348b143529b10c241b2ad070cf5805fc689fca. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-184092 Malicious code in mlokok-lfki-hakumajiausubi (npm)
Source: amazon-inspector b7acca2e524d32626d2fc84ea7b162a842d20f4683996132407e7a05c6e59af6. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in baso89 (npm)
Source: amazon-inspector 08531dd6386f4b370db1bfa2bbb50da4539c83cb1d4d2686b7a729bbc4109195. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in kapvino-soni-favavraia (npm)
Source: amazon-inspector e61ad79fbc01e8c3f050333f4c498becf893502ce8bb75eeb6f7de8d9511192c. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-176883 Malicious code in nuragi-sutafia-dagiug (npm)
Source: amazon-inspector d2b8f6d968dcfa45e30a31c086fd25798f3a57123f840bcdc4681c74195dfa8f. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...