30 matches found
Malicious code in @oliviamcdaniel12/safer-buffer (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 55129478b44191f3a4bb3308036567d5e2eb1a73084511b424917b6b5f7bf50f Package impersonates the popular safer-buffer module. On require, safer.js reads a PID from Porting-Buffer.md and, if that process is not alive, spaw...
MAL-2026-5560 Malicious code in solana-web3-community (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 202fa4daf22c4ecace931dfbdbeee6821fe42c14956d35c763c55051528dee12 Package masquerades as the official @solana/web3.js SDK name solana-web3-community, author 'Solana Labs Maintainers ', repository...
Malicious code in @solana-labs/web3.js (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 91b0523027116b3981b0f1dfe925f01d8956eb19817aae6ea7d0022d5357fba4 Package @solana-labs/web3.js impersonates the legitimate @solana/web3.js and re-exports it as cover while running a malicious postinstall node...
MAL-2026-5525 Malicious code in @solana-labs/web3.js (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 91b0523027116b3981b0f1dfe925f01d8956eb19817aae6ea7d0022d5357fba4 Package @solana-labs/web3.js impersonates the legitimate @solana/web3.js and re-exports it as cover while running a malicious postinstall node...
MAL-2026-5528 Malicious code in events-runtime (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aac4806dc5c887c91db1f2570abcae5b98d62dfae36bea2ddb9e2449efd62eca Package name and description impersonate the popular events package Node's event emitter for all engines. The vendored events.js adds an undocumented...
Malicious code in wallet-sdk-9 (npm)
Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling c960+. postinstall auto-execs, src/index.js harvests /.ssh/idrsa+ided25519+Sol/Eth/BTC/Tron/Sui/Aptos wallets+.env+seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894 not rotated. Campaign now...
MAL-2026-5360 Malicious code in wallet-sdk-9 (npm)
Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling c960+. postinstall auto-execs, src/index.js harvests /.ssh/idrsa+ided25519+Sol/Eth/BTC/Tron/Sui/Aptos wallets+.env+seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894 not rotated. Campaign now...
Malicious code in ethereum-kit-9 (npm)
Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling c960+. postinstall auto-execs, src/index.js harvests /.ssh/idrsa+ided25519+Sol/Eth/BTC/Tron/Sui/Aptos wallets+.env+seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894 not rotated. Campaign now...
MAL-2026-5356 Malicious code in ethereum-kit-9 (npm)
Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling c960+. postinstall auto-execs, src/index.js harvests /.ssh/idrsa+ided25519+Sol/Eth/BTC/Tron/Sui/Aptos wallets+.env+seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894 not rotated. Campaign now...
MAL-2026-5353 Malicious code in crypto-utils-7 (npm)
Crypto/SSH/wallet stealer, blockchain-helper-0/web3-tools-9 campaign sibling c960/c961. postinstall scripts/postinstall.js auto-execs, src/index.js harvests /.ssh/idrsa+wallet keys/seeds+env, self-labels "CRYPTO STEALER", exfils to IDENTICAL Telegram bot 8227918239 chat 6433587894 not rotated...
Malicious code in ethereum-kit-1 (npm)
Crypto/SSH/wallet stealer, blockchain-helper-0/web3-tools-9 campaign sibling c960/c961. postinstall scripts/postinstall.js auto-execs, src/index.js harvests /.ssh/idrsa+wallet keys/seeds+env, self-labels "CRYPTO STEALER", exfils to IDENTICAL Telegram bot 8227918239 chat 6433587894 not rotated...
MAL-2026-5355 Malicious code in ethereum-kit-1 (npm)
Crypto/SSH/wallet stealer, blockchain-helper-0/web3-tools-9 campaign sibling c960/c961. postinstall scripts/postinstall.js auto-execs, src/index.js harvests /.ssh/idrsa+wallet keys/seeds+env, self-labels "CRYPTO STEALER", exfils to IDENTICAL Telegram bot 8227918239 chat 6433587894 not rotated...
MAL-2026-5361 Malicious code in web3-tools-9 (npm)
Note: This report is updated by a verification record Crypto/SSH/wallet stealer, confirmed sibling of blockchain-helper-0 c960. postinstall scripts/postinstall.js auto-execs, src/index.js harvests /.ssh/idrsa + wallet keys/seeds + env, self-labels "CRYPTO STEALER", exfils to IDENTICAL hardcoded...
MAL-2026-3678 Malicious code in 8q (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1a10addd46910ba157e59c0c301c15ea56de73adb23c4d3422520b67876cdc0e The package's declared main entry router.js is an IIFE that runs the moment an installer's code executes require'8q' or import '8q'. On load it...
Malicious code in 8oo (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8c949ba1ac1cd3a6c96d3f1fc8c32cdc64cb9474fa07dd6633ebf4f69073a495 The package's main entry index.js executes an IIFE at require time that loads 66o.js, which replaces the global console with a Proxy. Every intercept...
MAL-2026-3677 Malicious code in 8oo (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8c949ba1ac1cd3a6c96d3f1fc8c32cdc64cb9474fa07dd6633ebf4f69073a495 The package's main entry index.js executes an IIFE at require time that loads 66o.js, which replaces the global console with a Proxy. Every intercept...
MAL-2026-3670 Malicious code in 11j (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9ad371791d84a3c28ca12b62bae45a07567847b7df025c93611f8f504a1c869 the analysis identified unambiguous malicious behavior in log.js the package main: an IIFE executes on require/import that monkey-patches...
Malicious code in 11j (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9ad371791d84a3c28ca12b62bae45a07567847b7df025c93611f8f504a1c869 the analysis identified unambiguous malicious behavior in log.js the package main: an IIFE executes on require/import that monkey-patches...
Malicious code in modern-events (npm)
modern-events is a malicious npm package that when imported and using the function EventEmitter.emit... in file events.js exfiltrates local system information via telegram and slack and downloads a backdoor Win64/FaxedCook to C:/ProgramData/Policy/PublisherPolicy.tms. --- -= Per source details. D...
New PXA Stealer Malware Targets Banks, Uses Telegram to Exfiltrate Data
CyberProof researchers have detected a 10% surge in PXA Stealer attacks targeting financial institutions in Q1 2026. Learn…...