MAL-2026-5560 Malicious code in solana-web3-community (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 202fa4daf22c4ecace931dfbdbeee6821fe42c14956d35c763c55051528dee12 Package masquerades as the official @solana/web3.js SDK name solana-web3-community, author 'Solana Labs Maintainers ', repository...

Malicious code in @solana-labs/web3.js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 91b0523027116b3981b0f1dfe925f01d8956eb19817aae6ea7d0022d5357fba4 Package @solana-labs/web3.js impersonates the legitimate @solana/web3.js and re-exports it as cover while running a malicious postinstall node...

MAL-2026-5525 Malicious code in @solana-labs/web3.js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 91b0523027116b3981b0f1dfe925f01d8956eb19817aae6ea7d0022d5357fba4 Package @solana-labs/web3.js impersonates the legitimate @solana/web3.js and re-exports it as cover while running a malicious postinstall node...

MAL-2026-5528 Malicious code in events-runtime (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aac4806dc5c887c91db1f2570abcae5b98d62dfae36bea2ddb9e2449efd62eca Package name and description impersonate the popular events package Node's event emitter for all engines. The vendored events.js adds an undocumented...

Malicious code in wallet-sdk-9 (npm)

Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling c960+. postinstall auto-execs, src/index.js harvests /.ssh/idrsa+ided25519+Sol/Eth/BTC/Tron/Sui/Aptos wallets+.env+seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894 not rotated. Campaign now...

MAL-2026-5360 Malicious code in wallet-sdk-9 (npm)

Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling c960+. postinstall auto-execs, src/index.js harvests /.ssh/idrsa+ided25519+Sol/Eth/BTC/Tron/Sui/Aptos wallets+.env+seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894 not rotated. Campaign now...

Malicious code in ethereum-kit-9 (npm)

Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling c960+. postinstall auto-execs, src/index.js harvests /.ssh/idrsa+ided25519+Sol/Eth/BTC/Tron/Sui/Aptos wallets+.env+seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894 not rotated. Campaign now...

MAL-2026-5356 Malicious code in ethereum-kit-9 (npm)

Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling c960+. postinstall auto-execs, src/index.js harvests /.ssh/idrsa+ided25519+Sol/Eth/BTC/Tron/Sui/Aptos wallets+.env+seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894 not rotated. Campaign now...

MAL-2026-5353 Malicious code in crypto-utils-7 (npm)

Crypto/SSH/wallet stealer, blockchain-helper-0/web3-tools-9 campaign sibling c960/c961. postinstall scripts/postinstall.js auto-execs, src/index.js harvests /.ssh/idrsa+wallet keys/seeds+env, self-labels "CRYPTO STEALER", exfils to IDENTICAL Telegram bot 8227918239 chat 6433587894 not rotated...

Malicious code in ethereum-kit-1 (npm)

Crypto/SSH/wallet stealer, blockchain-helper-0/web3-tools-9 campaign sibling c960/c961. postinstall scripts/postinstall.js auto-execs, src/index.js harvests /.ssh/idrsa+wallet keys/seeds+env, self-labels "CRYPTO STEALER", exfils to IDENTICAL Telegram bot 8227918239 chat 6433587894 not rotated...

MAL-2026-5355 Malicious code in ethereum-kit-1 (npm)

Crypto/SSH/wallet stealer, blockchain-helper-0/web3-tools-9 campaign sibling c960/c961. postinstall scripts/postinstall.js auto-execs, src/index.js harvests /.ssh/idrsa+wallet keys/seeds+env, self-labels "CRYPTO STEALER", exfils to IDENTICAL Telegram bot 8227918239 chat 6433587894 not rotated...

MAL-2026-5361 Malicious code in web3-tools-9 (npm)

Note: This report is updated by a verification record Crypto/SSH/wallet stealer, confirmed sibling of blockchain-helper-0 c960. postinstall scripts/postinstall.js auto-execs, src/index.js harvests /.ssh/idrsa + wallet keys/seeds + env, self-labels "CRYPTO STEALER", exfils to IDENTICAL hardcoded...

MAL-2026-3678 Malicious code in 8q (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1a10addd46910ba157e59c0c301c15ea56de73adb23c4d3422520b67876cdc0e The package's declared main entry router.js is an IIFE that runs the moment an installer's code executes require'8q' or import '8q'. On load it...

Malicious code in 8oo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8c949ba1ac1cd3a6c96d3f1fc8c32cdc64cb9474fa07dd6633ebf4f69073a495 The package's main entry index.js executes an IIFE at require time that loads 66o.js, which replaces the global console with a Proxy. Every intercept...

MAL-2026-3677 Malicious code in 8oo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8c949ba1ac1cd3a6c96d3f1fc8c32cdc64cb9474fa07dd6633ebf4f69073a495 The package's main entry index.js executes an IIFE at require time that loads 66o.js, which replaces the global console with a Proxy. Every intercept...

Malicious code in 11j (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9ad371791d84a3c28ca12b62bae45a07567847b7df025c93611f8f504a1c869 the analysis identified unambiguous malicious behavior in log.js the package main: an IIFE executes on require/import that monkey-patches...

MAL-2026-3670 Malicious code in 11j (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9ad371791d84a3c28ca12b62bae45a07567847b7df025c93611f8f504a1c869 the analysis identified unambiguous malicious behavior in log.js the package main: an IIFE executes on require/import that monkey-patches...

Malicious code in modern-events (npm)

modern-events is a malicious npm package that when imported and using the function EventEmitter.emit... in file events.js exfiltrates local system information via telegram and slack and downloads a backdoor Win64/FaxedCook to C:/ProgramData/Policy/PublisherPolicy.tms. --- -= Per source details. D...

New PXA Stealer Malware Targets Banks, Uses Telegram to Exfiltrate Data

CyberProof researchers have detected a 10% surge in PXA Stealer attacks targeting financial institutions in Q1 2026. Learn…...

Malicious code in fastapi-middleware-cors (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 305178589615e2247b892b3e305e5fd69a0fc02092f0b115b6b384441f5ddd46 Library disguised as FastAPI helper is executing obfuscated code during importing the module. The code is highly obfuscated; the code seems to contain an...