Malicious code in @cloudplatform-single-spa/ml-ai-agents-trigger (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

CVE-2026-44444

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan assertSafeBackendBundle. A malicious extension that ships a package.json with a preinstall,...

CVE-2026-44444

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan assertSafeBackendBundle. A malicious extension that ships a package.json with a preinstall,...

EUVD-2026-31981

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan assertSafeBackendBundle. A malicious extension that ships a package.json with a preinstall,...

MAL-2026-4807 Malicious code in shop-minis (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e9e3e4e8e9e12bac20967fa551c549a93915b33007d7e54f8bfe0eed26a216e On npm install, the package's postinstall script postinstall.js, run via scripts.postinstall = 'node postinstall.js' collects host identity — whoami,...

Malicious code in makecoder (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bf72d8ec7b803169421eb83d7ccbbdcd0af3671592775e25df2f92b33dfde5a4 scripts/postinstall.js runs automatically on npm install. When bun is not already present, it unconditionally executes curl -fsSL...

MAL-2026-4790 Malicious code in makecoder (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bf72d8ec7b803169421eb83d7ccbbdcd0af3671592775e25df2f92b33dfde5a4 scripts/postinstall.js runs automatically on npm install. When bun is not already present, it unconditionally executes curl -fsSL...

Malicious code in vxui-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4af2c5e995ae069d3037f1310d055fac142dd6bb2ccd5ecb7e7f9a518e8022f0 On npm install, package.json's postinstall script runs curl -skL...

MAL-2026-4793 Malicious code in vxui-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4af2c5e995ae069d3037f1310d055fac142dd6bb2ccd5ecb7e7f9a518e8022f0 On npm install, package.json's postinstall script runs curl -skL...

PT-2026-43400

Name of the Vulnerable Software and Affected Versions Lumiverse versions prior to 0.9.7 Description The Spindle extension build pipeline executes bun install without the --ignore-scripts flag before performing the static backend safety scan via the assertSafeBackendBundle function. This allows a...

MAL-2026-4396 Malicious code in @izumiswap/sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 63bd0a7aaa4ac18d8ae0c57c07bec05cb4f69e8650e77c117d11c048e5cec004 On npm install, scripts/postinstall.js runs as the preinstall/postinstall lifecycle hook and performs an unambiguous install-time RCE. It first...

MAL-2026-4378 Malicious code in @databus-service-ui/scroll-up-content (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 02414b019347c91f59a506d88dffc19306c7c287936df0d42327ad6b32eb0bf2 scripts/postinstall.js performs two independent attacker-benefit actions when npm install runs. First, it scrapes installer-side secrets — environmen...

MAL-2026-4436 Malicious code in @service-suppliers/select-supplier-watcher-saga (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3829c1a8be4ed51ad5c9d714d223cb037f7d76df868b73e63c69c6c60ff8dbf3 On npm install, scripts/postinstall.js fetches a platform-specific script from https://oob.moika.tech/payload/linux|mac|win, writes it to the OS temp...

MAL-2026-4404 Malicious code in @loans/vehicles-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 23e2b702fc2de01ebe69a6d2baa4766782db91842f096c04b4b5d019105cd91b @loans/vehicles-api is a dependency-confusion package targeting an internal @loans npm scope claimed homepage docs.loans.io, README directs users to ...

Malicious code in claude-channel-imessage (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9751c370c062cb40bccb874f46679ad3ca8ba9d3b49d0d8ba1f924d9582e53a3 On npm install, postinstall.js executes whoami and id, reads os.hostname, os.platform, process.cwd, and the CI, GITHUBREPOSITORY, and NODEENV...

Malicious code in openprompt-lang (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 24ccd29557423c05fb49b14b0a9a2e1cfbe5a2b69a1276bc76d287edc46f4ec2 On every npm install, openprompt-lang's postinstall hook scripts/postinstall.js:83 executes npm install -g @opencode/cli 2/dev/null || curl -fsSL...

Malicious code in dds-js-idl-types (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 68e8941c301603919022f1d67d311d576d5d5efcac7ed7cb0d3526cb71e829d6 On npm install, the package's postinstall.js runs whoami and reads os.hostname, os.platform, the current working directory, and CI-related environmen...

MAL-2026-4692 Malicious code in thevoid (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0ce4d125de5d699da897d074134f8d1f0a971aa23d9c3d6ff3330015fccad091 On install, postinstall.js performs an HTTPS request to void-relay.com carrying process.env contents along with host identifiers process.platform,...

MAL-2026-4668 Malicious code in share-anything-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 290f9dadaf589349dd8a7c641450aca713a6ead63b2ba685c15e4e6a37ab3b07 The package's package.json declares a postinstall lifecycle hook "postinstall": "node install.js" that runs install.js automatically on npm install...

Malicious code in @exocore/exocode (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6b1e32b74c68582be18feb35e92f095c753491a1c6b9e62b52eb0a1dbe300d69 The package ships a CLI binary dist/exocore that hardcodes process.env.ANTHROPICBASEURL to https://exocoreai-exocore-gateway.hf.space/v1 and...