Malicious code in @voiceflow/stitches-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 06695269b63d5e1d5d67fbf2ec3e8ba8a46439f10a30ca584e674ad93dbf53f1 The package @voiceflow/stitches-react was found to contain malicious code. Source: ghsa-malware...

Malicious code in @voiceflow/react-chat (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7450440b7c3368ef719fcfa9511d7984fc38ed8b5279f4e49f414f588446915e The package @voiceflow/react-chat was found to contain malicious code. Source: ghsa-malware...

@voiceflow/react-chat (>=1.59.4 <=2.62.4), @voiceflow/sdk-runtime (>=1.18.1 <=1.29.0-alpha.1) potentially affected by unknown CVE via @voiceflow/dtos-interact (>=1.10.0 <=1.26.0)

@voiceflow/dtos-interact NPM version =1.10.0, =1.59.4, =1.18.1, =1.29.0-alpha.1 Source cves: unknown CVE Source advisory: OSV:MAL-2025-191343...

EUVD-2025-199395

Malicious code in @voiceflow/react-chat npm...

@voiceflow/widget (>=1.0.3 <=1.7.13) potentially affected by unknown CVE via @voiceflow/react-chat (>=1.0.3 <=1.47.4)

@voiceflow/react-chat NPM version =1.0.3, =1.0.3, =1.7.13 Source cves: unknown CVE Source advisory: OSV:MAL-2025-191367...

@voiceflow/react-chat (>=1.0.0 <=2.62.4) potentially affected by unknown CVE via @voiceflow/sdk-runtime (>=1.10.0 <=1.3.4)

@voiceflow/sdk-runtime NPM version =1.10.0, =1.0.0, =2.62.4 Source cves: unknown CVE Source advisory: OSV:MAL-2025-191370...

@voiceflow/react-chat (>=1.0.3 <=2.62.4), @voiceflow/widget (>=1.0.3 <=1.7.13) potentially affected by unknown CVE via @voiceflow/slate-serializer (>=1.1.6 <=1.5.5)

@voiceflow/slate-serializer NPM version =1.1.6, =1.0.3, =1.0.3, =1.7.13 Source cves: unknown CVE Source advisory: OSV:MAL-2025-191374...

@voiceflow/react-chat (>=1.59.4 <=1.65.2) potentially affected by unknown CVE via @voiceflow/stitches-react (=2.3.1)

@voiceflow/stitches-react NPM version =2.3.1 is affected by a known vulnerability. The following packages have a transitive dependency on @voiceflow/stitches-react and may be impacted: - @voiceflow/react-chat =1.59.4, =1.65.2 Source cves: unknown CVE Source advisory: OSV:MAL-2025-191375...

@voiceflow/alexa-types (>=2.14.43 <=2.15.62), @voiceflow/google-dfes-types (>=2.0.0 <=2.17.14) +3 more potentially affected by unknown CVE via @voiceflow/voiceflow-types (>=3.20.20 <=3.32.44)

@voiceflow/voiceflow-types NPM version =3.20.20, =2.14.43, =2.0.0, =2.20.44, =1.27.1, =1.0.5, =1.7.13 Source cves: unknown CVE Source advisory: OSV:MAL-2025-191386...

MAL-2025-191367 Malicious code in @voiceflow/react-chat (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7450440b7c3368ef719fcfa9511d7984fc38ed8b5279f4e49f414f588446915e The package @voiceflow/react-chat was found to contain malicious code. Source: ghsa-malware...

@actbase/react-native-tiktok contains malware after npm account takeover

On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentia...

@actbase/react-native-kakao-channel contains malware after npm account takeover

On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentia...

@actbase/react-native-actionsheet contains malware after npm account takeover

On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentia...

@actbase/react-native-fast-image contains malware after npm account takeover

On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentia...

Malicious code in @hover-design/react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 50c066ac501de3af9fd156e23b5fb0317b633da301c4cf66b12f2ae8429e0970 The package @hover-design/react was found to contain malicious code. Source: ghsa-malware...

MAL-2025-191227 Malicious code in @hover-design/react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 50c066ac501de3af9fd156e23b5fb0317b633da301c4cf66b12f2ae8429e0970 The package @hover-design/react was found to contain malicious code. Source: ghsa-malware...

@hover-design/react (>=0.2.1-beta <=0.2.4-beta) potentially affected by unknown CVE via @hover-design/core (=0.0.1-beta)

@hover-design/core NPM version =0.0.1-beta is affected by a known vulnerability. The following packages have a transitive dependency on @hover-design/core and may be impacted: - @hover-design/react =0.2.1-beta, =0.2.4-beta Source cves: unknown CVE Source advisory: OSV:MAL-2025-191226...

EUVD-2025-199314

Malicious code in @fishingbooker/react-swiper npm...

MAL-2025-191224 Malicious code in @fishingbooker/react-swiper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 06f57ab28c32fa764c92d001b6c970f064bf1c5544959b2c677d8ce8f26d3bd5 The package @fishingbooker/react-swiper was found to contain malicious code. Source: ghsa-malware...

MAL-2025-191223 Malicious code in @fishingbooker/react-raty (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 01a32900cd2e5c9e243d0183183c4b1e1fcb3b9e834f1bbc4ed5dd92087d73e1 The package @fishingbooker/react-raty was found to contain malicious code. Source: ghsa-malware...