MAL-2026-4719 Malicious code in weavedb-exm-sdk-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3992f423f88c69e8c00223cc0ef81f970b8e178f1854beb00ef443586302ad89 package.json declares "preinstall": "./bin/install-deps", which runs a 976KB UPX-packed Linux x86 ELF binary on every npm install. The package...

Insertion of Sensitive Information into Log File

Overview setup-php is a Setup PHP for use with GitHub Actions Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the process that configures GitHub tokens for Composer in workflows where an exact affected Composer version is pinned. An attacke...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

New NPM library hijacks (coa and rc)

On Thursday, November 4, 2021, barely more than a week after ua-parser-js was hijacked, another popular NPM library called coa Command-Option-Argument, which is used in React packages around the world, was hijacked to distribute credential-stealing malware. The developer community noticed somethi...