MAL-2026-4158 Malicious code in word-width (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

Malicious code in word-width (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

@anydown/maildown (>=1.2.0 <=1.3.1), @posprint/command-builder (>=0.0.1 <=0.0.41) +25 more potentially affected by unknown CVE via word-width (=1.0.1)

word-width NPM version =1.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on word-width and may be impacted: - @anydown/maildown =1.2.0, =0.0.1, =1.0.0, =1.0.0, =1.1.1, =1.0.1, =1.0.7, =1.0.3, =1.1.0, =1.0.1, =0.2.1, =0.3.9 and more Source cves: unkno...