Malicious code in unico-android (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8c642a2e29290c07b5c7eb9481ad34f1b907e43ffe5edd8c33f67254f4e9a192 On npm install, the package.json preinstall hook runs curl against https://webhook.site/fe1246c2-ac04-4493-b223-fe34ba26b79f with query parameters...

Malicious code in unico-check (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1945d7aee54e60800e30f150e6db8042fa3aee9ea99f6b5a4ab14e2a1c26571d package.json declares a preinstall lifecycle hook that runs curl against https://webhook.site/fe1246c2-ac04-4493-b223-fe34ba26b79f, passing the...

MAL-2026-5830 Malicious code in unico-check (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1945d7aee54e60800e30f150e6db8042fa3aee9ea99f6b5a4ab14e2a1c26571d package.json declares a preinstall lifecycle hook that runs curl against https://webhook.site/fe1246c2-ac04-4493-b223-fe34ba26b79f, passing the...

Malicious code in nic-datagov (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 89be7e0ea4d164dad90f5476041928d54d5502a066e22d501373e1bbf9dc8bbf package.json declares a preinstall script that runs curl --data-urlencode "info=$hostname && whoami && pwd"...

Malicious code in @achuthvp/postinstall-poc (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c3dc0d7b5fc216ae117dda9c492a6bbdff46e49ab53f069c2d525dab001bcdb9 package.json declares scripts.postinstall = node postinstall.js. On every npm install, postinstall.js runs execSync'id' and POSTs a JSON body...

MAL-2026-5741 Malicious code in @achuthvp/postinstall-poc (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c3dc0d7b5fc216ae117dda9c492a6bbdff46e49ab53f069c2d525dab001bcdb9 package.json declares scripts.postinstall = node postinstall.js. On every npm install, postinstall.js runs execSync'id' and POSTs a JSON body...

MAL-2026-5468 Malicious code in getd-pantallas-cliente (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 89a26267435645776aa984be114d5c657e63fa9937ff044e5ddd24943b28ea6e On npm install, postinstall.js collects os.hostname, os.userInfo.username, os.platform, process.cwd, and CI/build environment variables and sends the...

Malicious code in getd-typescript-eslint-rules (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector caed4b0db34232c4ef920817b6087cee9ac0610ec4ec2e49edbb5f167342f42f On npm install, the postinstall.js script collects the installer's hostname, OS username, platform, current working directory, CI environment markers...

MAL-2026-5470 Malicious code in getd-typescript-eslint-rules (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector caed4b0db34232c4ef920817b6087cee9ac0610ec4ec2e49edbb5f167342f42f On npm install, the postinstall.js script collects the installer's hostname, OS username, platform, current working directory, CI environment markers...

Malicious code in gethandler-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0b6925d4c07df297f8cb573df4d85a396794d8793179e7a97f2cfde3aadfcfbc On npm install, postinstall.js unconditionally sends an HTTPS GET to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 carrying the installer...

MAL-2026-5473 Malicious code in gethandler-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0b6925d4c07df297f8cb573df4d85a396794d8793179e7a97f2cfde3aadfcfbc On npm install, postinstall.js unconditionally sends an HTTPS GET to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 carrying the installer...

MAL-2026-5471 Malicious code in getd-ui-library (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fcdbf66757b102ed524f01c498adae819b02968aa455f57316f4e08af1fb9ea0 On npm install, postinstall.js runs unconditionally scripts.postinstall = 'node postinstall.js' and sends an HTTPS GET to a hardcoded webhook.site UR...

Malicious code in getd-content-management (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 44eb41541c340c710ad8afc366ab4642d3809d8d9afef53b99e3704b9dfb684b The unscoped package name 'getd-content-management' impersonates the legitimate @getd/ npm scope acknowledged in the package's own README. On npm...

Malicious code in react-malicious-clone (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f03498aa5167e02289d4c8984282f6a1b6321af60fb9ff04d0ce9503faefffdd Package name impersonates React and the package.json copies React's description, homepage react.dev, bugs URL, and canary versioning scheme. On...

Malicious code in ignite-market-contractstest (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b9babd9b088785649368dbf885050b6a15b218a6b38d2dcd058f0c9eda5109da package.json declares a preinstall lifecycle hook that runs wget --quiet...

MAL-2026-4565 Malicious code in fnd-stores (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 62c9035e303ec731c71c689ed77eed17b245cd4adc475cb616ff94991539aa56 On npm install, the package's postinstall hook runs node index.js, which collects the installer's hostname, OS platform, current working directory, C...

MAL-2026-4389 Malicious code in @flipbit2-bb/test-auth-state (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 52ba26e89d1aca1f10772bf4cc8c9b23a436a39a8442fdf4ba9abf6c4c890e63 On npm install, a postinstall script phone-home.js collects os.hostname, os.userInfo.username, process.platform + os.release, a timestamp, and a...

Malicious code in microsoft-agents-auth-service (npm)

Malicious npm package published by the microsop threat actor as part of a dependency-confusion campaign that impersonates internal tooling at Microsoft, Google Cloud, and PayPal using inflated semver values e.g. 99.9.x, 100.1.x to win npm resolution against private internal packages. All packages...

Malicious code in paypal-payouts-bridge (npm)

Malicious npm package published by the microsop threat actor as part of a dependency-confusion campaign that impersonates internal tooling at Microsoft, Google Cloud, and PayPal using inflated semver values e.g. 99.9.x, 100.1.x to win npm resolution against private internal packages. All packages...

Malicious code in apple-infra-network-v2 (npm)

Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...