Malicious code in chalk-pro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ac66dfb6013c32d34c6ce83bdba4628b67539e81df27fe18dcf71d3de05ff8ce Package is published as 'chalk-pro' homepage chalk-pro.com but its main entry is a verbatim copy of nodemailer's API — a typosquat impersonating both...

Malicious code in fastify-addon (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3cb91c825be697244f8ff069bb56e79aff3b90de7b9947019095b6d0fa2fd270 fastify-addon is a typosquat of the legitimate fastify-plugin package. Its package.json sets repository, bugs, and homepage to...

MAL-2026-5578 Malicious code in webpack-cache-clean (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8f8656d094ec59721c08eb72a1ec8f1530cd07985edf705032926dd9a19461d9 On npm install, the package runs a postinstall hook node -e "require'./loader.js'" that spawns a detached child process. The child decodes an...

Malicious code in webpack-cache-clean (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8f8656d094ec59721c08eb72a1ec8f1530cd07985edf705032926dd9a19461d9 On npm install, the package runs a postinstall hook node -e "require'./loader.js'" that spawns a detached child process. The child decodes an...

Malicious code in wm-idp-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d2acf2a0d94ec1d2bada80f3251f5ecbea64d78ffadcab2b997b9708c2ae71cd package.json declares "node-fetch": "https://registry.ctzbg.com/wm-idp-sdk/node-fetch" — a direct HTTPS tarball URL hosted on a domain...

Malicious code in midpatch (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fe668e556f4b46fce125c318ebc3bea93185c78ec36c19f8991bbcb36172a62b The package advertises a logger middleware keywords fast/logger/stream/json, exports module.exports.pino = middleware, file.js wraps a ./pino module ...

Malicious code in oh-langfuse (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 83b229927c5bc228764ab11651b10bd06c6ff61edffa820a632c343aeec13037 The package configures Langfuse tracing for Claude Code, Codex, and OpenCode. When the operator runs the bundled CLI without explicitly overriding...

Malicious code in git-userhub (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 859f77ac10aa89722823e0477f8f6986db2b54dd25b1b2aedb05ee31d5891071 Package name 'git-userhub' is a lookalike of a GitHub-related identity, with no legitimate publisher backing. The package.json declares a postinstall...

Malicious code in vite-json-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a7c9683fed8b8696938eb7ad88e158f70a075851b0dd511af991ecd69a4d0fd The package presents itself as a vite/tsconfig path helper and clones the public API of tsconfig-paths createMatchPath, matchFromAbsolutePaths,...

MAL-2026-4705 Malicious code in vite-json-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a7c9683fed8b8696938eb7ad88e158f70a075851b0dd511af991ecd69a4d0fd The package presents itself as a vite/tsconfig path helper and clones the public API of tsconfig-paths createMatchPath, matchFromAbsolutePaths,...

Malicious code in get-deps-path (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65fa6f34a831aa832f9d88019ce3d0f4011701df6ab0667bd263645208c978ce On require, get-deps-path immediately invokes getPlugin, which performs an HTTP fetch to https://jsonkeeper.com/b/QBRMI an anonymous public paste hos...

Malicious code in crypto-hash-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 208571de648a5ef9d7b4ae7b6f83151d9c2272f75fc16b42faa75a352ded2e08 Package name and metadata impersonate Sindre Sorhus's legitimate crypto-hash package forged author Sindre Sorhus and repository...

MAL-2026-3775 Malicious code in tsliverhome (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0855b4d02a0d276e8a6cf97b7c62d457b8ef4d851e243d758c2308d451e0876e Package name 'tsliverhome' impersonates the widely-used 'tslib' package 300M weekly downloads. The shipped README.md is a verbatim copy of...