226591 matches found
Malicious code in blinkit-core (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2ca70b0a6be36daf245deb50dd6b3595a9bfba29c62770e82365152a02832cf8 On npm install, the package's preinstall lifecycle hook runs curl against http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site/ and POSTs the installer...
Malicious code in zomato-sushi (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f631d7af366bbb607f9088550a64939e395d0ce1199777828269de5772d860c package.json declares a preinstall script that runs curl with form-encoded fields carrying the installer's hostname hostname -f, whoami, current...
Malicious code in zomato-logger (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3dccb8b8b32337c2a257a763c273e03367ec07c904b5db0c07dbf514d546709d On npm install, the package's preinstall lifecycle script in package.json runs curl to POST the installer's hostname, current user whoami, working...
Malicious code in zomato-server (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f0a12373009dd17131e45f4d20570904f2b8074367ee8b121e60a3ce5764fa00 The package's package.json declares a preinstall lifecycle hook that runs curl to POST the installer's hostname, whoami, current working directory, a...
Malicious code in zomato-config (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3a1b48a397992964f8f3982dc69a33431bfb26c911c29a1e5d124581cef46a40 Dependency-confusion package targeting an internal Zomato namespace. The package ships only a stub index.js module.exports = name: 'zomato-config',...
Malicious code in jsonschema-viewer (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3692022b4caf5ac51d868aaae58e793520ac3bd36703841eb615942baf85bb87 The package's only function — main in src/jsonschemaviewer/main.py, registered as the jsonschema-viewer console script — invokes os.system to fetch a...
Malicious code in requests-enhancer (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a0f61f1a905e0ec1bb593f7b20d4f9a8a9e72deeb16440f72acbcaf00aeab1cd On import requestsenhancer, the package's init.py spawns a daemon thread that runs pip install...
Malicious code in sf-storybook (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a5a1a34bbf1dc84732509c5c5bfbd65adcd442b2665367d0c1bd39dc8301001c On require'sf-storybook', index.js shells out via childprocess to run cat /etc/passwd ./passwd.txt and then POSTs the file contents via curl to...
Malicious code in d0rk3r (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 d0d4cf20ac250e3d7a23666cf8bc3ae722d555b982649dad3f615d9c7c8818d9 The package declares malicious dependencies. Their activity is however not triggered as since version 1.0.4, the packages releases lack any source code...
Malicious code in d0rk3r-telemetry (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector da4542d225ef144ecc5df2f578104ffc12659196c57b2214ecb54f60620601c6 On import d0rk3rtelemetry, the package spawns a background thread that reads installer-owned secrets and POSTs them to an attacker-controlled endpoin...
Malicious code in request-cache-py (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eafb96e46544cb1351d26caf52bff79055bc205a1f8454737b677fff8fbc6fea request-cache-py impersonates the legitimate requests-cache HTTP caching library. On import requestcachepy, the package's init.py starts a background...
Malicious code in free-anthropic-claude (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 11bfe96b56a6615a50639b25de793e14044ea393c2029b26fa4e1b9e3dc5a22f This package impersonates the Anthropic Claude SDK name and description claim to be an 'Official Anthropic Claude SDK wrapper', author is...
Malicious code in atlasora-config (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f33093da9f0bcf9358f3b00bd87e723d95267074539c72511ab58bff4172f092 The package declares a postinstall hook in package.json "postinstall": "node install.js" that auto-executes install.js on every npm install. install....
Malicious code in atlasora-shared (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e1bd49976f774ef8357d29c74bc366b851e69a611cc5894f1a59621d91f9daba package.json declares "postinstall": "node install.js", causing install.js to run automatically on npm install. install.js requires https, fs, os, an...
Malicious code in atlasora-api (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9776899942c749b493911ca4e33c3b4967308a816e167bd3ee90c95800632f92 Package declares a postinstall hook "postinstall": "node install.js" that runs install.js automatically on npm install. install.js imports https, fs,...
Malicious code in atlasora-types (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7af2118f668c8e39caf15aeb52d365083d5bc6b9c1ae4d9ff6d007d348ba8b9e On npm install, the package runs install.js via the postinstall lifecycle hook. The script harvests installer-side secrets and POSTs them as JSON to ...
Malicious code in atlasora-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cc75492c0a0ce4090918bfdef0cea9cc028ef4c8273283d32085189e13a59c51 Package ships a postinstall hook package.json scripts.postinstall: node install.js that runs automatically on every npm install. install.js reads...
Malicious code in atlasora-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cf7c54cd0923afe13aadf778a5c213363c521e7a50c4b9e235bf6c7cf58a973d On npm install, the package's postinstall hook node install.js, declared in package.json harvests secrets from the installer's machine and POSTs them...
Malicious code in atlasora-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fbd4392d81da887d2d7da24519df3a7d9341ee45e1fc091a724c4f5ede766ae5 package.json declares "postinstall": "node install.js", which runs automatically on npm install. install.js requires https, fs, os, and childprocess;...
Malicious code in @withgoogle/stitch-sdk (npm)
@withgoogle/stitch-sdk is a scope-squatting package on npm that impersonates Google's Stitch AI design tool SDK. The attacker registered the @withgoogle scope to mimic Google's withgoogle.com domain and published versions 0.1.1 and 0.1.2 under the account maximus-mcmillan on June 19, 2026. The...
Malicious code in query-profile (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 9a60c7fce9ec29fa327128c80bca74a51b9f1965c50c6dc9286016fa31001bf1 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in yian666aikf (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f96776bdaabacae768376d5c1ff3543f77d94b41298d3d01365032817c3cd53e [email protected] advertises itself as a lightweight string-manipulation utility library, but its only on-install effect is to launch a reverse shell...
Malicious code in yianzzkf6687 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a59a0aee58573b3030b9d541980fa9d7df8ea55d4e6cc5b3bb349452b908d0e9 On npm install, the postinstall hook scripts/postinstall.js detach-spawns scripts/shell.js with detached: true, stdio: 'ignore', windowsHide: true an...
Malicious code in fluent-dashboard-panel-metrics (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9e745c609fb43daaa93911ae2edcb05b1ffd3cec1c6ec55c321597e9e39eb153 fluentpanelmetrics/init.py defines an undocumented function bootstrapruntimeprofile and invokes it unconditionally at module top level. The function...
Malicious code in improvado-layout-panel-metrics (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 61cc6b0b5d5efe4675f4159e8bc8f6380970614c1dc36b553207fa73fa66104e The package's top-level fluentpanelmetrics/init.py defines bootstrapruntimeprofile and unconditionally invokes it at import. The function opens a TCP...
Malicious code in django-auth-middleware-plus (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6cf58978ba5eec5220b4b4d85966efff31d31d164ff103f98dfd627381e061ec On import, djangoauthmiddlewareplus/init.py spawns a daemon thread that POSTs a JSON payload containing the host's hostname, username, cwd, environme...
Malicious code in free-claude (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7e5cf1276f4faf6de26e95f05cc2bb95d90c71473c20e9542c9e88c2d949dfb9 Package name 'free-claude' and author 'anthropic-claude' impersonate Anthropic's Claude product, with a README claiming to install the official Claud...
Malicious code in base_parts_ai (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 07b0e2bcf47f6720470181fe18dda70621d52a4fb65fec395a87e14ec39c5219 When a user runs the package's jcc or jcx CLI, lib/aiutils.js polls https://jai.jaskle.cn/hm/hmpub/aicccfg for a newVer value and, if it differs from...
Malicious code in routecraft (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a0c4f17a9e94ab9fdbab7325f597551a6c0ba5b9e210cb0b7e28d3b86b4766d0 [email protected] ships verbatim Express.js source lib/routecraft.js, lib/application.js, lib/request.js, lib/response.js, lib/utils.js, lib/view.js —...
Malicious code in aikaf668897 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 450730a92143c06530923dacda588a17252ebc7edc9ddf71ff520446de5a3293 On npm install, the package's postinstall hook node scripts/postinstall.js spawns a detached background Node process running scripts/shell.js with...
Malicious code in aikaf6688812 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fcdebe342ec1c629835301869934fab1a4800c98116a337ec33b05def92d33e7 package.json declares a postinstall hook that runs scripts/postinstall.js, which spawns scripts/shell.js as a detached, stdio-ignored background...
Malicious code in aikaf788812 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c91950cef6a5f877a4a9bca074501e4c910dc50008d4c8c2623ddc21f08e31f2 Package masquerades as a string-utility library but ships a postinstall backdoor. On npm install, scripts/postinstall.js spawns scripts/shell.js as a...
Malicious code in create-mono-package (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 85402ef2db7bfd9e2bb01034a533e52649cf6058cc1e824e9c273aee5ae8121d The package's postinstall hook .prepare.cjs collects host fingerprint data os.hostname, os.userInfo.username, platform/arch, all non-internal network...
Malicious code in @chunklab/hexparse (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 56ad779454aa221e4a3d5a13725428059b40edd7cd8a4329ef382348bc493013 Package advertises itself as a small hex/base64/endianness codec library, but every exported encode/decode function encodeHex, decodeHex,...
Malicious code in @bytemend/mfebus (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b3d53776853d18aabf967b0f1882eb45f2164feedd600eeccc927f496002f5e4 The package advertises itself as a small in-memory pubsub library but its main entry dist/index.js eagerly requires dist/bootstrap.js, a 277KB...
Malicious code in @briskforge/envcheck (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 09dba573f5d6cb00b09562870f2148b3e539786f5d801f2a263338301d759313 The package advertises itself as a tiny environment-variable validator but ships lib/preflight.js, a heavily obfuscated obfuscator.io string-array...
Malicious code in @apexcraft/nano-key (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c46938b3634fb4de89ddf44b765e1c766c871a40fb31c54609c1b3526074e65c @apexcraft/nano-key advertises itself as a 12-byte sortable ID generator README and repository metadata are copied from yiwen-ai/xid-ts, an unrelated...
Malicious code in @apiwizards/auth-middleware (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 718ca10ce0670edf6756b4ff0bd05e43526ebd516396a34074acf844116e7254 @apiwizards/[email protected] ships a single heavily obfuscated index.js obfuscator.io string-array with 317 entries, RC4+base64 decoder,...
Malicious code in @antoncarlos1/nodelamp (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d930df8b6392b3bbfe3b591d90226374d31fb246e06018521f3f673a815b618a @antoncarlos1/[email protected] ships a single obfuscated index.js that runs a dropper on require. The top-level IIFE constructs a hardcoded IPv4 URL by...
Malicious code in chai-assert-kit (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fb347379535c0ea9895e1dc8dd2f20b1fd092b8e62b433bfbd49b2ac1bff2f72 Package name and metadata impersonate the 'chai' assertion library reuses chai's contributors, description, and a 'chaiassert.com' homepage, but the...
Malicious code in chai-as-attested (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 88e27467366a90f482eb47476458b1f74d5a41ac63371572e527f2e60e4e0b51 Package impersonates a pino-style logger exports module.exports.pino, ships pino-like DEFAULTLEVELS, keywords fast/logger/stream/json but the exporte...
Malicious code in chai-as-uphelded (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aa7f5470790594e55393048fee0e7a9e6e6650776a06717258e410292d4dc8a9 Package name impersonates the popular chai-as-promised library, but its package.json description and keywords masquerade as a pino-style logger and a...
Malicious code in new-mjs-eslint (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b4ae24b182a00059424b8ea4800927bbbf662f0e6bf20264af611d37203a3f2e Package is published under the unrelated name 'new-mjs-eslint' but ships a verbatim copy of the big.js decimal-arithmetic library original...
Malicious code in mjs-eslint (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 51c6776509c718cebce5fe0ef0f5be73ede28f3be69888bfadff198f25ac2df6 The package is published as 'mjs-eslint' but its description, file layout big.js, big.mjs, and source are a verbatim copy of the legitimate big.js...
Malicious code in new-eslint-1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7752e7f074edbf8521da2ee0b7c68c28a2f76d86576138df8f18e08aaa3a5c38 Package is published as 'new-eslint-1' but its package.json description, README, repository URL MikeMcl/big.js, and source are a verbatim copy of...
Malicious code in new-eslint (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f068a5c7ad1a53c60d794a3b4585418956c176c42b8d5d90855e2ac60962b25 Package is published as 'new-eslint' but ships a verbatim copy of MikeMcl/big.js, with a hidden loader injected mid-file between P.minus and P.mod in...
Malicious code in new-ts-helper (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c3721ae4cecdfa22793382d07d28a25ba5fabd54ac405cb94e642a1f96faee80 index.js imports childprocess and at lines 101 and 117 invokes execSync to run bash and zsh commands. Lines 9, 194, and 195 use Buffer.from...,...
Malicious code in chai-as-forgeted (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b6b32b714919c755532ed3d2695d1966568c24878e9721a5d756896d81881020 Package name impersonates the popular chai-as-promised assertion library, but its package.json description and keywords are copied from pino and the...
Malicious code in fastercoding (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1c302e448868fcff3110a45d20b53d9d887cfb5aa31bb66df90702f2767246b4 The package exposes a single public function run re-exported from init.py which, on Windows, downloads BackgroundSyncService.exe from...
Malicious code in fastercode (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 14de4534d4cf2290f5f54bc5929fa799b73dff2e6a03aa879ade141dfc6ea054 The package advertises itself as a Python performance helper "Make your Python code run faster" and exposes a single public function run. On Windows,...