8 matches found
SUSE CVE-2026-33249
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject,...
Unauthorized npm publish of [email protected] with modified postinstall script
Description On February 17, 2026 at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to Cline CLI on the NPM registry: [email protected]. The published package contains a modified package.json with an added postinstall script: "postinstall": "npm install -g...
GHSA-9PPG-JX86-FQW7 Unauthorized npm publish of [email protected] with modified postinstall script
Description On February 17, 2026 at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to Cline CLI on the NPM registry: [email protected]. The published package contains a modified package.json with an added postinstall script: "postinstall": "npm install -g...
MAL-2025-144935 Malicious code in meteor-semantic-release-inquirer-pegasus (npm)
Source: amazon-inspector 09d1b5167b18e8d059fdc524c027f92ebfb7134ffd5ec7a564dea081c41e2869 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-106639 Malicious code in okta-lutis35-ruro (npm)
Source: amazon-inspector 1d045b705a2e344682252b124cfd1dd26bf2fb74c064d497afe7e7391ff9b063 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-52120 Malicious code in kiki-lapis22-sluey (npm)
Source: amazon-inspector fd98f4c5ec1fc03f3eda36f4f7b61b04a356f10a2d31fda18798ad7a9c2b6fc3 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-50367 Malicious code in fadhil-keripik41-riris (npm)
Source: amazon-inspector 81d7f2345ddd8c567fff75e18c373d32539ed4ab1de5fa390da3a1b5abd554ea The package fadhil-keripik41-riris was found to contain malicious code. This package appears to be part of the tea.xyz token reward campaign that...
GHSA-PV55-R6J3-WP94 Malicious Package in eslint-config-eslint
Version 5.0.2 of eslint-config-eslint was published without authorization and was found to contain malicious code. This code would read the user's .npmrc file and send any found authentication tokens to a remote server. Recommendation The best course of action if you found this package installed i...