module-mobile-js (>=1.3.8 <=1.4.0), react-native-iris-sdk (>=3.3.16 <=3.3.31) potentially affected by unknown CVE via react-native-log-level (=1.2.0)

react-native-log-level NPM version =1.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on react-native-log-level and may be impacted: - module-mobile-js =1.3.8, =3.3.16, =3.3.31 Source cves: unknown CVE Source advisory:...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

@achinet/nestjs-async (>=0.1.0 <=0.2.0), @aligov/clark-core (>=3.0.0 <=3.0.1) +36 more potentially affected by unknown CVE via @asyncapi/generator-react-sdk (>=1.1.2 <=1.1.3)

@asyncapi/generator-react-sdk NPM version =1.1.2, =0.1.0, =3.0.0, =4.1.3, =0.24.0, =1.10.14, =0.2.0, =0.1.0, =1.0.0, =0.2.2, =1.3.3, =2.0.0, =0.16.0, =0.16.23 - @asyncapi/template-dart-websocket-client =0.0.1 - @asyncapi/template-java-websocket-quarkus =0.0.1 -...

financelabsutilities (>=0.0.8 <=0.0.10) potentially affected by unknown CVE via react-hook-form-persist (=3.0.0)

react-hook-form-persist NPM version =3.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on react-hook-form-persist and may be impacted: - financelabsutilities =0.0.8, =0.0.10 Source cves: unknown CVE Source advisory: SNYK:JS-REACTHOOKFORMPERSIST-141036...

@jbrowse/core (>=1.4.0 <=1.7.3), @persistr/js (>=3.6.3 <=3.14.0) +5 more potentially affected by unknown CVE via tenacious-fetch (=2.3.1)

tenacious-fetch NPM version =2.3.1 is affected by a known vulnerability. The following packages have a transitive dependency on tenacious-fetch and may be impacted: - @jbrowse/core =1.4.0, =3.6.3, =1.0.5, =1.0.0, =1.2.0 Source cves: unknown CVE Source advisory: SNYK:JS-TENACIOUSFETCH-14103737...

@voiceflow/widget (>=1.0.3 <=1.7.13) potentially affected by unknown CVE via @voiceflow/react-chat (>=1.0.3 <=1.47.4)

@voiceflow/react-chat NPM version =1.0.3, =1.0.3, =1.7.13 Source cves: unknown CVE Source advisory: SNYK:JS-VOICEFLOWREACTCHAT-14103429...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

@lessondesk/schoolbus (>=3.0.43 <=5.2.1) potentially affected by unknown CVE via @tiaanduplessis/react-progressbar (=1.0.0)

@tiaanduplessis/react-progressbar NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on @tiaanduplessis/react-progressbar and may be impacted: - @lessondesk/schoolbus =3.0.43, =5.2.1 Source cves: unknown CVE Source advisory:...

@voiceflow/alexa-types (>=2.14.43 <=2.15.62), @voiceflow/google-dfes-types (>=2.0.0 <=2.17.14) +3 more potentially affected by unknown CVE via @voiceflow/voiceflow-types (>=3.20.20 <=3.32.44)

@voiceflow/voiceflow-types NPM version =3.20.20, =2.14.43, =2.0.0, =2.20.44, =1.27.1, =1.0.5, =1.7.13 Source cves: unknown CVE Source advisory: SNYK:JS-VOICEFLOWVOICEFLOWTYPES-14103448...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

@voiceflow/react-chat (>=1.59.4 <=1.65.2) potentially affected by unknown CVE via @voiceflow/stitches-react (=2.3.1)

@voiceflow/stitches-react NPM version =2.3.1 is affected by a known vulnerability. The following packages have a transitive dependency on @voiceflow/stitches-react and may be impacted: - @voiceflow/react-chat =1.59.4, =1.65.2 Source cves: unknown CVE Source advisory:...

@everreal/react-charts (>=1.0.0 <=1.0.1-ff20697), @everreal/web-analytics (>=0.0.3 <=0.0.12) +1 more potentially affected by unknown CVE via undefsafe-typed (=1.0.2)

undefsafe-typed NPM version =1.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on undefsafe-typed and may be impacted: - @everreal/react-charts =1.0.0, =0.0.3, =1.1.17, =1.2.5 Source cves: unknown CVE Source advisory: SNYK:JS-UNDEFSAFETYPED-14103745...

@digifox/providers (=5.0.3), @wowpay/react-native-sdk (>=1.0.3 <=1.0.21) +3 more potentially affected by unknown CVE via react-native-websocket (=1.0.2)

react-native-websocket NPM version =1.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on react-native-websocket and may be impacted: - @digifox/providers =5.0.3 - @wowpay/react-native-sdk =1.0.3, =1.0.0, =1.0.0, =1.0.0, =1.0.2 Source cves: unknown CVE...

@voiceflow/react-chat (>=1.59.4 <=2.62.4), @voiceflow/sdk-runtime (>=1.18.1 <=1.29.0-alpha.1) potentially affected by unknown CVE via @voiceflow/dtos-interact (>=1.10.0 <=1.26.0)

@voiceflow/dtos-interact NPM version =1.10.0, =1.59.4, =1.18.1, =1.29.0-alpha.1 Source cves: unknown CVE Source advisory: SNYK:JS-VOICEFLOWDTOSINTERACT-14103405...

@voiceflow/alexa-types (>=2.15.0 <=2.15.62), @voiceflow/google-dfes-types (>=2.17.0 <=2.17.7) +3 more potentially affected by unknown CVE via @voiceflow/voice-types (>=2.10.0 <=2.10.57)

@voiceflow/voice-types NPM version =2.10.0, =2.15.0, =2.17.0, =2.21.0, =1.60.2, =3.30.0, =3.32.47 Source cves: unknown CVE Source advisory: SNYK:JS-VOICEFLOWVOICETYPES-14103447...

EUVD-2025-198962

Malicious code in @darwinex/react-custom-scrollbars npm...

Malicious code in @darwinex/react-custom-scrollbars (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3c14e6f6b8558a92600a6b705cd18fbcfc9eca9a163fcd69c792492154fbe37e The package @darwinex/react-custom-scrollbars was found to contain malicious code...

MAL-2025-190865 Malicious code in @darwinex/react-custom-scrollbars (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3c14e6f6b8558a92600a6b705cd18fbcfc9eca9a163fcd69c792492154fbe37e The package @darwinex/react-custom-scrollbars was found to contain malicious code...

Malicious code in poper-react-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ee86d01d82c77cc7c83c6d28159deba7fa26192da0ab69659d92f78f4d41cd60 The package poper-react-sdk was found to contain malicious code. Source: ghsa-malware 2c3b77a8909da7a5fe13a2fba433147468dfa75dee206eaa996325423e38244...

EUVD-2025-198820

Malicious code in poper-react-sdk npm...