CVE-2026-45578 WWBN AVideo Live: OS command injection in on_publish.php execAsync via unescaped m3u8 URL

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/onpublish.php builds an execAsync command line by string concatenation, single-quoting each argument but never calling...

Malicious code in @kruzer/lib-ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c1bb1f66615de2b0b161721218d2bff4bb0e7100b5cb28b764fcc2e6f1ee671f The published tarball's package.json contains a hardcoded npm registry auth token embedded in the build:publish script: npm publish --tag alpha...

Malicious code in sudo-reject-mu-proxy-fork (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 71bd21ebc82601b1500c1ec0b38beaf261822f483579359312b433a31d3a139a This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in docusaurus-callback-abiogenesis-mesosphere (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 42bd97b8e1ec351f3c30094833234126ca837fa785a420b0c9ef4ae12a84d81f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in hologram-jekyll-radiometric-bellatrix (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 34423c93c7a5b13e9f1e0d5bd862054c215574cb60b2d0c3c0fc097a038bc7d9 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in biohacking-membrane-json-convict (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eeb527aa78665f5e5cc9a4e92a1b7eb37e1816710216afb380826349014866df This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in async-css-minimizer-webpack-plugin-heka-redgiant (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 33b0f9fca81fca86a14b33c7bfac2d72987607fea039001a9568eff34c879063 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in webdriver-manager-stratosphere-stratigraphy-stop (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0934643185b5cbcc16307cc870692bbaf0a0c6ef0085d73916acdc478aa082fa This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in cat-meta-stack-minify-try (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 80dec973455eae025b75ae4a2fb66d3f693521c903c9ca3af246808867e0af65 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in astrochemistry-selenium-solis-frontend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 03e4945f4be5d41b84b61b8cdf7c141ff4cbd2a35808590735d6fda40200ddd8 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in float-beta-deploy-star-meta (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5c28ea191cc624187c918a5e511152ef7fdd4e559f69dd061a432e823a1547cb This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in perseus-lyra-css-minimizer-webpack-plugin-loop (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8f7d3d9b81812427d006a9d83aedc8ab35ae99c772c8d05c7007ddb3d17c3f8c This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in darkenergy-janus-firebase-chalk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 27594d376e7c3488958eef232401459e1718d977f3910af62ff4d9fc27a3551b This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in ganymede-meteor-equinox-iota (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cf6caf727d2ca931162dc42199e8135f7c9bc25580dc02019ae90f6876bc9655 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in adonis-prettier-stylelint-ignite-magellan (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 52c2dee72f106188a0ff5e17a762bbdb0c03f1132107e86b7618d5761be4e285 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in paleobotany-warp-less-uranology (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e503cf1f4b68ac4105f21495630d3b3ab9fa830d3e32df743899bc45a7467430 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in quark-dotenv-safe-run-script-planckscale (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a4a6e17931e4aaa6fd168c9dd241a0af9cc5a149837770053fa39c03d71da231 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in lithosphere-browserify-express-spectron (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5fdc8dd182e784cfc7505a87b79d3bb63e3889f3079e330bce2c95ac7d3a6778 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in subscription-nightmare-nightmare-webdriver-manager (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5a7cc33633fdcb71ad9cde74bf5f286e45a3fc893122e6cba8a51fd7ffdfec5a This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in publish-magellan-magnetosphere-paleomagnetism (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4fee2dc3ceeab278bb8c4c5fa3312ad51340599245bcdf8b5de8eeb28e8d9bce This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...