Malicious code in node-fetch-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 78aef0d64a7d761d2987d27aea462083425e5692475cd81332b7a3152c754308 On Windows, scripts/postinstall.js XOR-decodes a hardcoded C2 host node22.lunes.host:3258, authenticates with a 5-minute rolling HMAC-SHA256 token,...

@hulumi/platform-patterns (>=0.0.0-bootstrap.0 <=1.3.2) potentially affected by CVE-2026-48037 via @hulumi/baseline (>=1.3.1 <=1.3.2)

@hulumi/baseline NPM version =1.3.1, =0.0.0-bootstrap.0, =1.3.2 Source cves: CVE-2026-48037 Source advisory: OSV:GHSA-CJ8G-PRCM-MFG5...

@hulumi/platform-patterns (>=0.0.0-bootstrap.0 <=1.3.2) potentially affected by CVE-2026-48035 via @hulumi/baseline (>=1.3.1 <=1.3.2)

@hulumi/baseline NPM version =1.3.1, =0.0.0-bootstrap.0, =1.3.2 Source cves: CVE-2026-48035 Source advisory: OSV:GHSA-2MXR-P26X-MJ73...

openpaw-graveyard (=3.0.0) potentially affected by unknown CVE via @solana-launchpad/sdk (=1.0.13)

@solana-launchpad/sdk NPM version =1.0.13 is affected by a known vulnerability. The following packages have a transitive dependency on @solana-launchpad/sdk and may be impacted: - openpaw-graveyard =3.0.0 Source cves: unknown CVE Source advisory: OSV:MAL-2026-5495...

Malicious code in commons-ui-styles (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8b9fb701d18bde61d1dc783f0575a4d83bc0eba2653bd0832d0fc26bc9e85b48 [email protected] is an empty placeholder package index.js exports , description/author blank, version bumped to 99.9.1 — the classic...

MAL-2026-5437 Malicious code in commons-ui-styles (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8b9fb701d18bde61d1dc783f0575a4d83bc0eba2653bd0832d0fc26bc9e85b48 [email protected] is an empty placeholder package index.js exports , description/author blank, version bumped to 99.9.1 — the classic...

MAL-2026-5447 Malicious code in localization-lib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bf143361939feffe7099c14acc7cf41a401681481e932e15d6054dde49e88f94 [email protected] is an empty shell package: index.js is module.exports = and package.json has no description or author. Its dependencies...

Malicious code in @sourceflow-uk/sourceflow-tracker (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c5bcccc37c380ce54f5bfc2bc2311fbefb6ebc3400a397cbc4afc2188fb3c11d package.json declares a dependency ltidisafe whose version specifier is the raw URL https://storage.googleapis.com/lscunpentest/packuxfoundry.tgz — a...

MAL-2026-5430 Malicious code in @sourceflow-uk/sourceflow-tracker (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c5bcccc37c380ce54f5bfc2bc2311fbefb6ebc3400a397cbc4afc2188fb3c11d package.json declares a dependency ltidisafe whose version specifier is the raw URL https://storage.googleapis.com/lscunpentest/packuxfoundry.tgz — a...

5gasp-cli (>=0.1.0 <=0.4.0), agentos (>=0.1.0 <=0.2.0) +605 more potentially affected by CVE-2026-47734 via dulwich (>=0.20.2 <=1.0.0)

dulwich PYPI version =0.20.2, =0.1.0, =0.1.0, =0.5.1, =21.7.1, =0.0.1, =0.1.0, =1.3.4, =2023.2.21, =0.12.0, =0.1.0, =0.2.0, =0.2.0, =0.2.1, =0.5.1 and more Source cves: CVE-2026-47734 Source advisory: OSV:GHSA-XRVJ-V92F-53GJ...

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +2174 more potentially affected by CVE-2026-45674 via io.netty:netty-resolver-dns (>=4.2.0.Final <=4.2.14.Final)

io.netty:netty-resolver-dns MAVEN version =4.2.0.Final, =0.1.0, =0.1.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.2 and more Source cves: CVE-2026-45674 Source advisory: OSV:GHSA-676X-F7GG-47VC...

ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.4), ai.agentican:agentican-quarkus-metrics (>=0.1.0-alpha.1 <=0.1.0-alpha.4) +14331 more potentially affected by CVE-2026-45674 via io.netty:netty-resolver-dns (>=4.1.0.Beta7 <=4.1.134.Final)

io.netty:netty-resolver-dns MAVEN version =4.1.0.Beta7, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.3, =0.1.0, =0.1.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.28.0 and more Source cves: CVE-2026-45674 Sour...

ai.h2o:h2o-algos (=0.1.9), ai.h2o:h2o-app (=0.1.9) +2025 more potentially affected by CVE-2026-45536 via io.netty:netty-transport-native-kqueue (>=4.1.11.Final <=4.1.134.Final)

io.netty:netty-transport-native-kqueue MAVEN version =4.1.11.Final, =3.30.1.1, =3.10.0.5, =0.2.3.5, =2.4.0, =1.5.0, =3.0.0, =3.0.0, =1.0.3, =4.4.0, =4.7.3 and more Source cves: CVE-2026-45536 Source advisory: OSV:GHSA-W573-9FFJ-6FF9...

ai.spice:spiceai (=0.6.0), cn.isqing.icloud:icloud-common-utils (>=4.0.3-M1 <=4.0.3.1) +619 more potentially affected by CVE-2026-44893 via io.netty:netty-codec-haproxy (>=4.2.0.Final <=4.2.14.Final)

io.netty:netty-codec-haproxy MAVEN version =4.2.0.Final, =4.0.3-M1, =1.21.9, =3.4.7, =25.4.1, =26.2.1, =7.9.0, =5.1.0, =5.1.0, =6.80, =6.84 and more Source cves: CVE-2026-44893 Source advisory: OSV:GHSA-CC37-9Q2J-3HFV...

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +4133 more potentially affected by CVE-2026-44249 via io.netty:netty-handler (>=4.2.0.Final <=4.2.14.Final)

io.netty:netty-handler MAVEN version =4.2.0.Final, =0.1.0, =0.1.0, =4.7.4, =4.7.4, =4.7.3, =4.7.3, =4.7.3, =4.7.3, =4.7.3, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.2 and more Source cves: CVE-2026-44249 Source advisory: OSV:GHSA-3QP7-7MW8-WX86...

res (>=0.2.0 <=0.3.0), scroller-motion (>=0.0.1-beta.2 <=0.0.1-beta.3) potentially affected by CVE-2026-42890 via actual (>=0.2.0 <=0.4.0)

actual NPM version =0.2.0, =0.2.0, =0.0.1-beta.2, =0.0.1-beta.3 Source cves: CVE-2026-42890 Source advisory: OSV:GHSA-7RVM-XJPP-63R9...

apheris-auth (=0.23.0), apheris-cli (>=0.51.0 <=0.52.0) +1 more potentially affected by CVE-2026-41479 via authlib (=1.7.0)

authlib PYPI version =1.7.0 is affected by a known vulnerability. The following packages have a transitive dependency on authlib and may be impacted: - apheris-auth =0.23.0 - apheris-cli =0.51.0, =1.3.0, =1.3.0b4 Source cves: CVE-2026-41479 Source advisory: OSV:GHSA-W8P2-R796-3VMQ...

dbgate-serve (>=7.0.0 <=7.1.13), dbmodel (>=7.0.0 <=7.1.13) potentially affected by CVE-2026-48017 via dbgate-api (>=7.1.10 <=7.1.8)

dbgate-api NPM version =7.1.10, =7.0.0, =7.0.0, =7.1.13 Source cves: CVE-2026-48017 Source advisory: SNYK:JS-DBGATEAPI-17223766...

mrbios (=0.1.0) potentially affected by unknown CVE via executor-http (=0.1.2)

executor-http PYPI version =0.1.2 is affected by a known vulnerability. The following packages have a transitive dependency on executor-http and may be impacted: - mrbios =0.1.0 Source cves: unknown CVE Source advisory: SNYK:PYTHON-EXECUTORHTTP-17220138...

napari-ufish (=0.0.1) potentially affected by unknown CVE via ufish (=0.1.1)

ufish PYPI version =0.1.1 is affected by a known vulnerability. The following packages have a transitive dependency on ufish and may be impacted: - napari-ufish =0.0.1 Source cves: unknown CVE Source advisory: SNYK:PYTHON-UFISH-17220150...