225914 matches found
Malicious code in tailwindcss-style-typography (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b625db5a21e8ed06ca7ce3b8d75adeff20b4179dbebe797b13486039aa74d6ea The package tailwindcss-style-typography was found to contain malicious code. Source: ghsa-malware...
Malicious code in ms-affiliate-links (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 341048b16926b4d40796ca96aef3816934a2b84602c26451638154b6d90ab5d8 The package ms-affiliate-links was found to contain malicious code. Source: ghsa-malware...
Malicious code in pckg-sv (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 2ae45d504dadccaa437ebeaa729136ca7b38074149772b076c7abb34ab1e81f4 Code exfiltrates sensitive crypto wallet's files and sets up a keylogger trying to catch the password to the wallet --- Category: MALICIOUS - The campaign has...
Malicious code in asciitoart (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 d91767b12efcd1ad71b86b8d6770f33ddd3f1bfdec795dc04fd1d743a63a4591 Through an obscure way, one of the package files got overwritten by a remote obfuscated code, which appears to be an infostealer. After executing the malicious...
Malicious code in @hrb-web/nuxt (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a79331843c585d4b6aa2d8f3256bd25c779d32339f82b689841407d6cf4b6f67 The package @hrb-web/nuxt was found to contain malicious code. Source: ghsa-malware e1fadac986a7b5658d8d9eb34082aba1718b1258ce2bda956c044c474c2a298c...
Malicious code in @hmm-app/api (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a791765dda3352bb35bb02103a904c3a2a17217074721eb39a1e9e8e89687795 The package @hmm-app/api was found to contain malicious code. Source: ghsa-malware 7c883cf4762be6f3e07bf37a48472ac4ff6a8bbe781c4f0f40ca18b832c2c48a A...
Malicious code in @bokehjs/core (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8c6f4339e19ee914380a69c5c69b600db7df1412b41db50a539eb87db984f68c The package @bokehjs/core was found to contain malicious code. Source: ghsa-malware 6e18981ac8adec7cb489a1be8841f5f6862c8f1298c570346d5210c99dd275fe...
Malicious code in etsy-advocacy (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 954b1d4bfe5cfc54379a9fc61d30f5941755592aea62781a2a17e175d6eb38f3 The package etsy-advocacy was found to contain malicious code. Source: ghsa-malware ecd69e1f886e5959e3de00ca5b1235a1c05bef9098aab53be35030cb7b8e007b...
Malicious code in trade-in-lib (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 282ed834f41ff1362de41082e4502858b54128699bb58026d73f704aafa71035 The package trade-in-lib was found to contain malicious code. Source: ghsa-malware 927f61fc76a553ba10121fbae7bc4961b0d67d52ab41498d9b0b232a4c2362f7 A...
Malicious code in pinlogger (npm)
The package is malware due to system info exfiltration via DNS/HTTPS to OAST domains and arbitrary code execution during preinstall. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5e78bb72f47ecca78511d87a17bea5f38fb4897dbc117433dfd7667cd97a51d0 The package...
Malicious code in unisys-auth (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 89bc257f69dca8cec54b15b47533c97f9b6b47f16aae5f2dc868ff7faaf0c93b The package unisys-auth was found to contain malicious code. Source: ossf-package-analysis...
Malicious code in api-feature (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 c86a3079da8157aef32d5d4c4f2420239981a142fc1150eb0ac2e695be2779e9 During installation, the package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...
Malicious code in ixosmonitoring (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 cfca4d7a38a0805f56b3bddcef1b421a8584a4d52df7a1a22676369679347bf5 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in python-aickerso (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 d1d7d33d48c083d0e17d3a3698d815f66dffb070f743e030278059a558c5e6fd Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in @b2b-portal/form (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7bfd3d2bf611173cd9899eb7ae28620ce52dd78812b47d5f9ca1fc68555c5b70 The package @b2b-portal/form was found to contain malicious code. Source: ghsa-malware 01b5517a25cba37fda750436dbbba1fe86b2c36fb7eafbbb0b49cf17d95e5a...
Malicious code in ttam (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 2925c78ff71ef8aee744b1b6b4fa9b5cef3b6ae018447d29ba5e63fe43ad01c1 Dependency confusion attempt. The user identifies themselves as a HackerOne user abusing the PyPI for the purpose of a bug bounty program. This package did not...
Malicious code in sentinel-tool (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 5a2ff07802c4546c40d47d3780971506115297a1e8c177be36ad1e003dd62937 The package installs a remote executable that uses a hardcoded Telegram channel for monitoring the user's activity, including regularly taking screenshots, and...
Malicious code in @fairwords/loopback-connector-es (npm)
The @fairwords/loopback-connector-es package was compromised as part of the TeamPCP/CanisterWorm campaign. A postinstall hook executes node scripts/check-env.js || true which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation. The payload harvests 40+...
Malicious code in commerce-utils (npm)
Malicious package due to data exfiltration to a suspicious host, combined with arbitrary code execution during preinstall. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3bb3d6d3a8a8898abe7e371e54753d5902a5062151888ccff6c656f5edac6ba6 The package commerce-utils...
Malicious code in cloudera (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 11ddf3c5a1eb28ca1531748670bd932bda38d78b04ae81c983361465a2076f57 The package cloudera was found to contain malicious code. Source: ossf-package-analysis...
Malicious code in cloudera-poc (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 24e0a829db4a908047174ccb540d590c9df780c994d9ecc1b1705247f89612de The package cloudera-poc was found to contain malicious code. Source: ossf-package-analysis...
Malicious code in databasetapes (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 d859d21aa59dfad2efc5c2f98253cd1cc808621fb3b7525037c104324e27dfe8 During installation, the package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...
Malicious code in @not-nemo/crypto-tracker (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9f3d07c3fa41dbb4ad057bb2b346b271dcbef43545376e8a8ad252d64abd7e25 The package @not-nemo/crypto-tracker was found to contain malicious code. Source: ghsa-malware...
Malicious code in photo-extractor (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 67f3f604528f125e85fb7be00bb17d7cf2abc5cdb20a12cbcbb38633f5877f14 Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...
Malicious code in gangomodule (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 8117683c90fb188f9fc013b3b3006dc5e31269d2511dd7c80eea9ac7b6892d09 During installation, obfuscated code validates the environment against typical sandboxing signs and attempts to download the next stages from remote sources. T...
Malicious code in strapi-plugin-debug-tools (npm)
strapi-plugin-debug-tools is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network...
Malicious code in strapi-plugin-nordica-sync (npm)
strapi-plugin-nordica-sync is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network...
Malicious code in strapi-plugin-locale (npm)
strapi-plugin-locale is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology...
Malicious code in @corpweb-ui/wmkt-library (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dfd12ddf708e12b032513bcf667e459df772f642106507d1798d95ee81f6cbe2 index.js uses child_process to execute whoami and gather hostname information, then transmits results via https.get to api.telegram.org/bot — a...
Malicious code in nwin64tls (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 72555231efbf126e61cb3aa59d3482bc7967af46898e46eb2b9b7f81af8cd40e Importing the module starts a loop that listens for keystrokes and, on every Caps Lock press, exfiltrates a screenshot to a hardcoded location. --- Category:...
Malicious code in nwin32tls (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 a47778618cad57dbc584afdff7ed138032b69c423a9812e1bc8f86c13129f01d Importing the module starts a loop that listens for keystrokes and, on every Caps Lock press, exfiltrates a screenshot to a hardcoded location. --- Category:...
Malicious code in 4exepreds (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 713fcab117c3d896c25c79498daded14d2b7d69baecb99c233703f421caaca26 The package 4exepreds was found to contain malicious code. Source: ossf-package-analysis...
Malicious code in experedzss (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f70a37180c88f0ddd0cc94346d4bb7703667321771ecc6de6c9c74f03a77f464 The package experedzss was found to contain malicious code. Source: ossf-package-analysis...
Malicious code in kube-health-tools (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 4d36d5ed9b1bc15c12e89f48c1228a4f6e3aebe558a67d535655e280b25b4440 During import, the code downloads and starts a remote executable that later connects to a C2 server, likely establishing a reverse tunnel. After executing the...
Malicious code in jellyfi-pino-pretty-logger (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d1230eb2336763c228ba6ac98d349f8cc64a1ae28755d8da374f336e77aa928 The package jellyfi-pino-pretty-logger was found to contain malicious code. Source: ghsa-malware...
Malicious code in jonas-prettier-logger (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 28f4e8e2d6e083733be2f7a98647f2a7267b3be203837f3081b4884ef3b926a0 The package jonas-prettier-logger was found to contain malicious code. Source: ghsa-malware...
Malicious code in openai-async-helpers (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 7619c9858e5326f4842462084bc313409a364f2b5c9aa004103c7d33a97c3545 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in latinum-wallet-mcp (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 afbe7d2a026f5fb11d3046e061ded50c350b420b146cd446fc0e009cb7190543 Starting version 0.0.32, the code automatically exfiltrates the private key together with other metrics during the buildmcpwalletserver call for the Solana...
Malicious code in tailwindcss-typeface-inter (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a3a4cecee37faea4489bd810f6d044cde9205a74e0c225bef7b07cbbe207eb88 The package tailwindcss-typeface-inter was found to contain malicious code. Source: ghsa-malware...
Malicious code in lakeflow-community-connectors (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 931d6183e0dc407fb2c14769dcebb7d1845f4af9ca0b26766d75d783b5611165 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in loas (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 0177c14c2fb08f69729838152272244428733a8e3682c3cbdc6780ea2fab6e38 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in hiveos-sdk (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 6d040e58dddde324da836a19a41eb5c65698ef869ed3e534f662136f1fb48440 Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...
Malicious code in bos-decoration-elements (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8cb5985779c5099333bec5b084b209c36dea0dd9fa47ef2c2d7c3630c33daaa5 The package bos-decoration-elements was found to contain malicious code. Source: ossf-package-analysis...
Malicious code in f0-state-manager (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 989b5f62777b6b7fbd236eb28a54b0e42ba48548dc0a49919c5f311c1f1c7072 The package f0-state-manager was found to contain malicious code. Source: ossf-package-analysis...
Malicious code in aiogram-photo-updater (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 62ec906fc563c8e7b6c22bb0dae1e739e6c3d8e24091105a8eafb292dae2f661 When run, the package exfiltrates files from a cryptowallet and modifies its executable placing an implant exfiltrating passphrase later. --- Category: MALICIO...
Malicious code in copytrading (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 00e18dbfb3978939790912c09da21fd43b670c4017c160002bb5fc534164e577 Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...
Malicious code in monolith-twirp-pullsd-teams (RubyGems)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis b0a21f2e863ad85bc56da074019b5369ed68dc7280d0c81ff65dd8425308c7f6 The OpenSSF Package Analysis project identified 'monolith-twirp-pullsd-teams' @ 1.1.1 rubygems as malicious. It is considered malicious because:...
Malicious code in @ev-tech/eva-container-api (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 000e7dc4c22d822e052329e85f5a615743547eaafc111f35576b780059ca2afb The package @ev-tech/eva-container-api was found to contain malicious code. Source: ghsa-malware...
Malicious code in lightmock (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 a3c7924362f935b55a808e1ede8ffea2dbc96326b853dc00d7ede36c002ff63c Clone of a legitimate package. During import, heavily obfuscated code downloads next stages and finally exfiltrates sensitive data, including data from web...
Malicious code in @zecho/baileys-mod (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e4d4b2c49e19b5e36babb83f8095290c3bd09ad9fb4065ccf3769bb9be4c53d The package @zecho/baileys-mod was found to contain malicious code. Source: ghsa-malware...