Malicious code in ethers-multicall-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fe5e969b4ca41dbbd6ef1c04c12d48906ea4477b39493e766045effd4939d748 On npm install, the package's postinstall script spawns node -e to run an inline childprocess.execSync that curls a binary from...

MAL-2026-4240 Malicious code in ethers-multicall-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fe5e969b4ca41dbbd6ef1c04c12d48906ea4477b39493e766045effd4939d748 On npm install, the package's postinstall script spawns node -e to run an inline childprocess.execSync that curls a binary from...

oci-utils security update

-- 0.14.0-22 - Rework systemd service file creation. Orabug: 39316494...

Oracle Linux 8 : oci-utils (ELSA-2026-65763)

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-65763 advisory. -- 0.14.0-22 - Rework systemd service file creation. Orabug: 39316494 Tenable has extracted the preceding description block directly from the Oracle Linux...

Malicious code in dabrius-utils (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 381f128317bd76fe2e5d34df5decd7f27475bff72e646ccdb19cb1334a068b07 Package is local-only PoC of supply chain attack. The commented code and name reveals relation to the previously uploaded package containing data exfiltration...

MAL-2026-4176 Malicious code in dabrius-utils (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 381f128317bd76fe2e5d34df5decd7f27475bff72e646ccdb19cb1334a068b07 Package is local-only PoC of supply chain attack. The commented code and name reveals relation to the previously uploaded package containing data exfiltration...

MAL-2026-4053 Malicious code in @antv/l7-utils (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

Malicious code in @antv/l7-utils (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

@antv/l7 (>=2.1.13 <=2.25.10), @antv/l7-component (>=2.0.0-beta.1 <=2.25.10) +13 more potentially affected by unknown CVE via @antv/l7-utils (>=2.0.0-beta.1 <=2.25.9)

@antv/l7-utils NPM version =2.0.0-beta.1, =2.1.13, =2.0.0-beta.1, =2.0.0-beta.1, =2.1.13, =2.1.13, =2.10.0, =2.1.13, =2.10.0, =2.1.13, =2.1.13, =2.1.13, =2.0.0-beta.1, =2.10.0, =1.0.0, =1.0.17, =1.0.18 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVL7UTILS-16754432...

@antv/torch (>=1.0.0 <=1.0.6), @diogoxiang/utils (=1.0.0) potentially affected by unknown CVE via @antv/istanbul (=0.0.0)

@antv/istanbul NPM version =0.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/istanbul and may be impacted: - @antv/torch =1.0.0, =1.0.6 - @diogoxiang/utils =1.0.0 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVISTANBUL-16754945...

@antv/torch (>=1.0.0 <=1.0.6), @diogoxiang/utils (=1.0.0) potentially affected by unknown CVE via @antv/istanbul (=0.0.0)

@antv/istanbul NPM version =0.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/istanbul and may be impacted: - @antv/torch =1.0.0, =1.0.6 - @diogoxiang/utils =1.0.0 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVISTANBUL-16755114...

crypto-utils-box (=0.0.6), knk (=0.1.11) +1 more potentially affected by unknown CVE via xmorse (=1.0.0)

xmorse NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on xmorse and may be impacted: - crypto-utils-box =0.0.6 - knk =0.1.11 - vite-plugin-qwer =0.0.5, =0.0.7 Source cves: unknown CVE Source advisory: SNYK:JS-XMORSE-16755071...

@diogoxiang/utils (=1.0.0) potentially affected by unknown CVE via @antv/torch (=1.0.6)

@antv/torch NPM version =1.0.6 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/torch and may be impacted: - @diogoxiang/utils =1.0.0 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVTORCH-16754422...

crypto-utils-box (=0.0.6), knk (=0.1.11) +1 more potentially affected by unknown CVE via xmorse (=1.0.0)

xmorse NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on xmorse and may be impacted: - crypto-utils-box =0.0.6 - knk =0.1.11 - vite-plugin-qwer =0.0.5, =0.0.7 Source cves: unknown CVE Source advisory: SNYK:JS-XMORSE-16754902...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

GHSA-CMXG-94MG-JQ94 @tmlmobilidade/utils has prototype pollution in its setValueAtPath

Impact Prototype pollution vulnerability in @tmlmobilidade/utils for setValueAtPath. Patches A fix is available in versions 20260509.0340.15 and up...

@tmlmobilidade/utils has prototype pollution in its setValueAtPath

Impact Prototype pollution vulnerability in @tmlmobilidade/utils for setValueAtPath. Patches A fix is available in versions 20260509.0340.15 and up...

MAL-2026-3831 Malicious code in citrea-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9af3ffcf057e7fa952c80b46cbee31773e340ba668377511d7f3ee3b38c1c810 The package citrea-utils was found to contain malicious code. Source: ghsa-malware 0cbde9fcd3b6b009f9d8b0ff2dc739d877beb20223d14d402fcbc90515470eac A...

Malicious Package

Overview citrea-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

arbor-ai (>=0.1.5 <=0.1.14), coreason-runtime (>=0.1.0 <=0.31.0) +10 more potentially affected by CVE-2026-7304 via sglang (>=0.4.5 <=0.5.2)

sglang PYPI version =0.4.5, =0.1.5, =0.1.0, =1.1.0, =2.0.0b40, =0.0.1, =0.1.0, =0.1.0, =0.0.1.post1, =0.0.0, =0.8.0, =0.10.7 Source cves: CVE-2026-7304 Source advisory: SNYK:PYTHON-SGLANG-17111815...