723 matches found
Malicious code in @nstrlabs/auth (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 608be3457e7c809e60c1b76b9406489652f0ef708bfb97db2b6e0bb92b6836c2 On npm install, the package's preinstall hook node index.js || true, declared in package.json automatically collects host identifiers — os.hostname,...
Malicious code in @klapp-kyc/routes (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ca32e3aa7685d93e36eca726e08096bd0c5ba425172ef254fdf769cc09b46887 On npm install, the package's preinstall hook executes node index.js, which collects the installer's hostname, OS username, current working directory...
MAL-2026-5407 Malicious code in @card-pci-data/store (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a82d7b7e7588c4b773e2948eb1707e62f2fcece2bec37a23eda5d5058eae871 On npm install, the package's preinstall hook scripts.preinstall: node index.js || true runs index.js which collects host identity — os.hostname,...
MAL-2026-5411 Malicious code in @klapp-about/routes (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 715f07e0a1984fc9eb7d6432fc2491b08139755426b3c8905ba2d9274e2d4875 On npm install, the package's preinstall hook node index.js collects host and user identity data — os.hostname, os.userInfo.username, dirname,...
Malicious code in @klapp-login-platform/oidc (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6c2b86b9675d4d22e101f4f10f521cc36069ecebd1680d4c3ecfa0c04e8169da On npm install, the package executes node index.js via its preinstall hook. index.js collects the installer's hostname os.hostname, username...
MAL-2026-5414 Malicious code in @klapp-login-platform/oidc (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6c2b86b9675d4d22e101f4f10f521cc36069ecebd1680d4c3ecfa0c04e8169da On npm install, the package executes node index.js via its preinstall hook. index.js collects the installer's hostname os.hostname, username...
MAL-2026-5413 Malicious code in @klapp-login-platform/native-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3b3bc8633d15b44abc90074d3362fd9399f53d10a88e24264caee9d924a72bb6 On npm install, the package's preinstall lifecycle hook runs node index.js, which collects installer-side identifiers — os.hostname,...
MAL-2026-5415 Malicious code in @klapp-login-platform/routes (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ffe05a6af27bd4b583c0284a40129eb63f4dcb4a6197e74195a8bb85bf71d1e7 On npm install, the package's preinstall lifecycle hook executes index.js, which collects the installer's hostname, username, package install path...
IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks
Multiple software supply chain attacks have hit the npm ecosystem, with threat actors using both malicious and poisoned versions of over 50 legitimate packages to distribute a Rust-based information stealer and a self-spreading worm, respectively. According to JFrog, the information stealer...
Malicious code in arjson (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 00290c05e0c41a8f51d38c629ade5b3fe76f2a89302db8daac669b0c80d13197 package.json declares "preinstall": "./.github/scripts/precheck", which on npm install executes a 976KB UPX-packed Linux ELF binary shipped under...
Malicious code in javascript-yaml (npm)
--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security d83c3b506a10b770a8c1f98d280262478cccc65708bb1066a72e0708dccaaf75 This malicious package is part the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinsta...
MAL-2026-5189 Malicious code in arjson (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 00290c05e0c41a8f51d38c629ade5b3fe76f2a89302db8daac669b0c80d13197 package.json declares "preinstall": "./.github/scripts/precheck", which on npm install executes a 976KB UPX-packed Linux ELF binary shipped under...
Malicious code in hbsig (npm)
--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security 146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a...
MAL-2026-5191 Malicious code in wdb-core (npm)
--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security 146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a...
MAL-2026-5192 Malicious code in weavedb-contracts (npm)
--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security 146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a...
MAL-2026-5190 Malicious code in hbsig (npm)
--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security 146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a...
Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign
In this article 1. Attack chain overview 2. Mitigation and protection guidance 3. Learn more Microsoft Threat Intelligence identified a large-scale npm supply chain attack affecting 32 maliciously modified packages across more than 90 versions under the @redhat-cloud-services npm scope. The...
Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm
A new Mini Shai-Hulud supply chain attack campaign, codenamed Miasma , has compromised @redhat-cloud-services packages to steal credentials and secrets from developer machines and deliver a self-propagating worm. "This is effectively a Mini Shai-Hulud campaign: it uses the same core tactics of...
MAL-2026-5156 Malicious code in @telenor-se/core (npm)
Dependency confusion attack campaign targeting Scandinavian telecommunications and digital services organizations Telenor, Ownit, Vimla, and Customer 360 / C360. Four packages published by the debating0166 npm account use inflated version numbers 99.0.x to win npm registry resolution over private...
MAL-2026-5157 Malicious code in @tse-digital/core (npm)
Dependency confusion attack campaign targeting Scandinavian telecommunications and digital services organizations Telenor, Ownit, Vimla, and Customer 360 / C360. Four packages published by the debating0166 npm account use inflated version numbers 99.0.x to win npm registry resolution over private...