MAL-2026-4825 Malicious code in cdktn-provider-newrelic (PyPI)
Source: amazon-inspector 51996ccf23fd3d3b291f945e2ec88504c93d7e302e183c7633632b8a03d1590d Package name 'cdktn-provider-newrelic' is a single-character edit cdktf→cdktn of HashiCorp's official 'cdktf-provider-newrelic' CDK for Terraform...
MAL-2026-4489 Malicious code in auth0-templates-scripts (npm)
Source: amazon-inspector 1bc0f40b778be080e2a14dd0097ab772565cc570f5fd471f10e883f259be2db6 Package name 'auth0-templates-scripts' impersonates the Auth0 Okta brand without affiliation. The author field is the placeholder 'OpenSource...
MAL-2026-4624 Malicious code in nw-demo (npm)
Source: amazon-inspector 5e3ff057a42800ad78024ac1c48e0d6fbf9c828eb828a41e6737c32b6174ce8c Package is published publicly on npm at version 100.20.33 — a version-number shape used in dependency-confusion attacks to outrank private internal...
Malicious code in @qwedqwed/axios (npm)
Source: amazon-inspector 119efce3cb464ef8c7b605ec49768619ac9ef49b9981d4b0a530ff1829194b8c @qwedqwed/axios republishes the legitimate axios source verbatim under an unrelated scope, copies the original author metadata Matt Zabriskie for...
Malicious code in axiosqqq (npm)
Source: amazon-inspector a9cf5bc7a896b21f9af923c60b9283758bf46d4fb279f752a42bae43bb6006aa Package name axiosqqq is a 3-character-suffix typosquat of axios and ships axios's verbatim source, README, and CHANGELOG to impersonate the legitima...
com.squareup.wire:wire-grpc-client (=7.0.0-alpha01), com.squareup.wire:wire-schema (=7.0.0-alpha01) +1 more potentially affected by CVE-2026-45799 via com.squareup.wire:wire-runtime (=7.0.0-alpha01)
com.squareup.wire:wire-runtime MAVEN version =7.0.0-alpha01 is affected by a known vulnerability. The following packages have a transitive dependency on com.squareup.wire:wire-runtime and may be impacted: - com.squareup.wire:wire-grpc-client =7.0.0-alpha01 - com.squareup.wire:wire-schema...
IMAPServer (=0.2.0), IMAPServer-cli (=0.1.0) +368 more potentially affected by unknown CVE via diesel (>=0.10.1 <=2.3.4)
diesel CARGO version =0.10.1, =0.1.0, =0.1.0, =0.1.0, =0.4.0, =0.1.4, =0.1.11, =0.1.0, =0.5.0, =0.1.0, =0.1.2 and more Source cves: unknown CVE Source advisory: OSV:GHSA-Q8X8-JRHJ-FH9P...
MAL-2026-4700 Malicious code in venturo-playwright (npm)
Source: amazon-inspector 602d8b957dc823f0dd6ac61f115e23fce1b433683873a9f4f8351dcbe9a37035 Package presents itself as Microsoft's Playwright: package.json description 'A high-level API to automate web browsers' is Playwright's exact tagline...
libcrux-aead (>=0.0.4 <=0.0.7-rc.1) potentially affected by unknown CVE via libcrux-chacha20poly1305 (>=0.0.4 <=0.0.7)
libcrux-chacha20poly1305 CARGO version =0.0.4, =0.0.4, =0.0.7-rc.1 Source cves: unknown CVE Source advisory: OSV:GHSA-HC3C-63HC-2R9F...
@jacobgardos/vuxtify (>=1.0.2 <=1.0.3) potentially affected by CVE-2026-45670 via @nuxt/webpack-builder (=3.21.5)
@nuxt/webpack-builder NPM version =3.21.5 is affected by a known vulnerability. The following packages have a transitive dependency on @nuxt/webpack-builder and may be impacted: - @jacobgardos/vuxtify =1.0.2, =1.0.3 Source cves: CVE-2026-45670 Source advisory: OSV:GHSA-6M52-M754-PW2G...
@haxtheweb/create (>=10.0.0 <=25.0.2), @haxtheweb/open-apis (=11.0.2) +1 more potentially affected by CVE-2026-46391 via @haxtheweb/open-apis (>=10.0.1 <=25.0.0)
@haxtheweb/open-apis NPM version =10.0.1, =10.0.0, =1.0.0, =1.0.7 Source cves: CVE-2026-46391 Source advisory: OSV:GHSA-4FG7-F244-3J49...
@next-theme/plugins (>=0.0.1 <=8.27.0), baxx (>=2.0.2 <=2.0.4) potentially affected by unknown CVE via ribbon.js (=1.0.2)
ribbon.js NPM version =1.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on ribbon.js and may be impacted: - @next-theme/plugins =0.0.1, =2.0.2, =2.0.4 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4152...
@haloe/mobile-pro (>=0.0.1 <=4.1.0) potentially affected by unknown CVE via @antv/f2-vue (=4.0.33)
@antv/f2-vue NPM version =4.0.33 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/f2-vue and may be impacted: - @haloe/mobile-pro =0.0.1, =4.1.0 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3897...
@antv/g6 (>=4.1.0 <=4.1.16), @antv/g6-pc (>=0.0.1 <=0.1.3) +5 more potentially affected by unknown CVE via @antv/g6-element (>=0.0.1 <=0.0.9)
@antv/g6-element NPM version =0.0.1, =4.1.0, =0.0.1, =2.0.0, =2.0.6, =0.0.1, =0.0.1, =0.0.3 - motif-jupyter =0.0.1-beta.5 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3987...
@antv/li-sam-assets (>=0.1.1 <=0.1.4) potentially affected by unknown CVE via @antv/insight-component (=1.0.0)
@antv/insight-component NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/insight-component and may be impacted: - @antv/li-sam-assets =0.1.1, =0.1.4 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4029...
djanjucks (>=0.0.1 <=0.0.3) potentially affected by unknown CVE via slice.js (=1.1.1)
slice.js NPM version =1.1.1 is affected by a known vulnerability. The following packages have a transitive dependency on slice.js and may be impacted: - djanjucks =0.0.1, =0.0.3 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4154...
@kqinfo/ui (=1.2.12), ai-sales-card (=1.4.1) potentially affected by unknown CVE via @antv/wx-f2 (=2.1.1)
@antv/wx-f2 NPM version =2.1.1 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/wx-f2 and may be impacted: - @kqinfo/ui =1.2.12 - ai-sales-card =1.4.1 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4097...
hik-mapbox (>=0.0.1 <=1.4.3) potentially affected by unknown CVE via @antv/l7-three (=2.25.4)
@antv/l7-three NPM version =2.25.4 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/l7-three and may be impacted: - hik-mapbox =0.0.1, =1.4.3 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4052...
@als-tp/als-react-ts-ui (>=0.10.1 <=0.15.4), @axiom-lattice/react-sdk (>=2.1.17 <=2.1.66) +10 more potentially affected by unknown CVE via @antv/infographic (>=0.2.16 <=0.2.2)
@antv/infographic NPM version =0.2.16, =0.10.1, =2.1.17, =0.1.1, =0.3.2, =0.1.0, =0.0.1, =0.1.0, =1.0.1, =1.0.0, =1.0.0, =1.3.0, =2.0.0 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4028...