8707 matches found
CVE-2026-45578 WWBN AVideo Live: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsync command line by string concatenation, single-quoting each argument but never calling...
Malicious code in @kruzer/lib-ui (npm)
Source: amazon-inspector c1bb1f66615de2b0b161721218d2bff4bb0e7100b5cb28b764fcc2e6f1ee671f The published tarball's package.json contains a hardcoded npm registry auth token embedded in the build:publish script: npm publish --tag alpha...
Malicious code in cat-meta-stack-minify-try (npm)
Source: amazon-inspector 80dec973455eae025b75ae4a2fb66d3f693521c903c9ca3af246808867e0af65 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in bash-xml-transpile-good-catch (npm)
Source: amazon-inspector 2c110031cbd21ee061558e5100a9248d1164f381595f8ccb51846f7926733560 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in biotechnology-apollo-rollup-plugin-nodemon (npm)
Source: amazon-inspector 0830b98c58ab354f9147b7c6003d2a35dd551ebee55353545da36da720098ba1 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in zeta-lambda-info-view-star (npm)
Source: amazon-inspector da545e17fa8329367bd0f54c706e74197c04a27ab0ae5698237ffe2b78dce9ef This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in async-css-minimizer-webpack-plugin-heka-redgiant (npm)
Source: amazon-inspector 33b0f9fca81fca86a14b33c7bfac2d72987607fea039001a9568eff34c879063 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in nebula-lyra-astrophysics-backend (npm)
Source: amazon-inspector 87731194882f0a9904a010dc5c887ceff5fea966c6f645da196e94537a27f879 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in easy-kernel-deserialize-public-await (npm)
Source: amazon-inspector c1c7f9693c4ee4fd27e0d30c8a5e7c70561a199ab73f1468b17ef1596d9c03dd This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in eslint-config-nebula-magnetosphere-vuetify (npm)
Source: amazon-inspector 81e6dda4e6b8dd0db13ce9bb06eded94758780774f45b2f7146e5518fcfcc8cc This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in xenobiology-electron-deneb-rimraf (npm)
Source: amazon-inspector 95d8ef715a3d090ebad1f5c4179df9c012946cf224baf6da20e70544e333058f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in runtime-stack-awk-visualize-monitor (npm)
Source: amazon-inspector 29f5a4b7134730bc0468b4baf98a46892732f059846e6f73260ec464ed7e041f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in paleobotany-warp-less-uranology (npm)
Source: amazon-inspector e503cf1f4b68ac4105f21495630d3b3ab9fa830d3e32df743899bc45a7467430 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in ganymede-meteor-equinox-iota (npm)
Source: amazon-inspector cf6caf727d2ca931162dc42199e8135f7c9bc25580dc02019ae90f6876bc9655 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in await-rate-limiter-ophiuchus-chai (npm)
Source: amazon-inspector 1583797f17b8931350761f69b3d6a8224213ed0a89d3bfece1cf00b321283672 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in cypress-procyon-neptune-epigenetics (npm)
Source: amazon-inspector 6e2913afaa34955cc3427e4afa8d9aa00515de6fd22785137fec6b00482eac91 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in markdown-pdf-mdx-build-config (npm)
Source: amazon-inspector ed5368d721e6688cca2df4ecc49dce2acefe3054c59f7825db20785e9cf725a1 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in babel-init-changelog-algol (npm)
Source: amazon-inspector 23b614267da4f23f5f60e5cd915efdd20c67963924c7f06564b4892edd649555 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in cross-env-atlas-non-blocking-eslint (npm)
Source: amazon-inspector c136167139e7da8f2dfa597abcb7ee932a4d5968c1f94382ea87cc5b9e43128d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in webdriver-manager-stratosphere-stratigraphy-stop (npm)
Source: amazon-inspector 0934643185b5cbcc16307cc870692bbaf0a0c6ef0085d73916acdc478aa082fa This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...