226591 matches found
Malicious code in shoaib-done-pack (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 cb99b328c44c010aba41a43c575c7f0832966f8d368e15d871b012bdcb58313f Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in ts-esys (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3cfd9a57243111f1df0cde9d2fca7698afc995009e1263fc8f1f203d49d53741 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in ts-ecro-helper (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 14987516ff6ae873aab004fd8ca5410f176431d60469fb877e32b531dc3c6e53 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in mongoose-jsonify (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5d9b010d0799f79de51f4bdb82f4b06fca470fac0088ecb5744e3ac113afc37c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in assert-kit (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e21fa9c37e9944a00f7e85c7476f8fd4dc6bcd1f8fcd064a90488ef93d5bd12 [email protected] impersonates the chai assertion library bundles chai's source, contributors, and API surface under a different author and homepage...
Malicious code in eth-util (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 25c797954fc796493e459a69efde378ef04874f43e7c5570c12e9b8463688807 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in ethereum-gas-reporter (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7303c828115a527d477ea14684b3015e43fdcd36a7fa94041c16ccb3c2fbcfcc index.js line 144 contains require'chai-assert-kit' appended after the module's normal exports, with no other reference to chai-assert-kit anywhere i...
Malicious code in build-tracker-n5p1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e731775fde27ad6db493d20397b27eee9b4a6ea0bf515f9516cc974ea3e12619 Package name suggests build telemetry tooling, but the tarball ships beacon scripts beacon18.js, beaconlinux.js wired to a postinstall lifecycle hook...
Malicious code in ts-big-ecro (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 09cc5687efdad86354f994af9fa7d7c28fbc21d7b5b4558870aba1c05dcf425b ts-big-ecro is a verbatim copy of the legitimate big.js library MikeMcl/big.js v7.0.1 with its name, repository field, and copyright preserved to...
Malicious code in new-ecro-1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0c4e172aa83f2b8742fb014ea649490c87815573cab692ea74eb402ee23f935c Package new-ecro-1 impersonates the legitimate big.js library by shipping its source verbatim banner, license, and homepage pointing at MikeMcl/big.j...
Malicious code in new-ecro (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7492a140547cea0957bc705d365e19806091462a249c3d5c90b6bfe91e8431c7 Package 'new-ecro' impersonates the legitimate 'big.js' library: it copies big.js's README, source, version banner 'big.js v7.0.1', author email, and...
Malicious code in node-slot (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0d71bcdec983467ab6a47b538e524abc1cdafc98b411761bffb375be17d72009 On npm install, package.json's postinstall hook executes node test.js which invokes code in index.js that performs two distinct attacks on the...
Malicious code in ordered-btree (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3a7b579313f4d78d1b99c88ed3fc22c295458981099a80f09f8408ca2bbb2ac4 Package impersonates the legitimate sorted-btree library matching name, README, and attributed author and ships a hidden remote-code-execution payloa...
Malicious code in @mep-exp/api-tools (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 322089c1a58142401c82621aa778cdb7221086196cce6c879a703625b7013555 preinstall.js, registered as scripts.preinstall and also required from the main module and every bin entry, collects os.hostname, os.userInfo.usernam...
Malicious code in @qlab/component-intelligence (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9ad49caeee790003270d74c5b17a58d0cef6f04d881efe83b0f6c7e11515e934 package.json declares a preinstall hook "preinstall": "node index.js" that fires automatically on npm install. index.js requires os, dns, https,...
Malicious code in nodepathbalance54 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d5ade836e7f92049242a01dbc0782900900c4e28eb7e08f9d9ebc611aab80762 nodepathbalance54 exports a single function nodeaxionweb whose implementation is hidden inside a hand-rolled stack-based JavaScript VM in index.js...
Malicious code in conversa-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector baaff1de63d44fd5f6b4fb1c5d3ebb4e9509d7581ff9afa5f339acad8f57aed0 On npm install, postinstall.js unconditionally reads the installer's /.npmrc which typically contains //registry.npmjs.org/:authToken=... along with...
Malicious code in electron-internal-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e07ff16a8f4a44a8ccfc2f6f2a91eee6dbd3d1de9f1c4d6ca95e0e48999202ef On npm install, package.json's postinstall script executes curl http://9ph8dp.ceye.io, an out-of-band DNS/HTTP interaction service controlled by the...
Malicious code in eyee (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 743696e9409c97e89816b050f0346b86446464fdbaeead6ae49ddabf50a082ba On require/run, eyee auto-executes main package.json sets main=cdpinject.js and the bottom of the file invokes main unless --stop/--detach is passed...
Malicious code in portloop (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e745a79c5fb952105d93cc5d5f37bc77af9cc08d9a021f09a12d26416a29de3c On default invocation e.g., npx portloop with no flags, the CLI runs in daemon+quiet+respawn mode and POSTs id, hostname, host, url, port, user to a...
Malicious code in ts-linter-builders (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a22153f1e71ba9fb51ce22d5fc57180ce4d8998995fbc4bd554d6dd532c195b6 index.js imports childprocess and contains a hardcoded outbound POST to https://tg-wallet-manager.vercel.app, with additional fetch calls to the same...
Malicious code in eslint-helper-1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cfadd6e70cf70ee03d7aae8bfcaa916d29073c5e09ca614bfcb4538c3efc1832 Package masquerades as an ESLint helper but contains code in index.js that decodes base64 blobs through Buffer.from..., 'base64'.toString and pipes t...
Malicious code in mjs-eslint-helper (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3320fa37492448acdf24a86f8a8735a3fc4d3b329ad156e299a8089df39e2f28 The package decodes base64 string literals via Buffer.from..., 'base64'.toString and pipes the resulting content into execSync'bash...' and...
Malicious code in eslint-helper (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5802f88a31cfb1c54196395aa04377de1c98657cdd78f59e4a595f2913239301 Package masquerades as an ESLint utility but contains no lint-related code. The exported fromstr recursively walks process.cwd searching for...
Malicious code in fluent-panel-metrics (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 95598f66d3e0a4ecbfe9dcd01c1d5f0be9b78bee23b200758a92dac8f8a00d9e fluentpanelmetrics/init.py defines bootstrapruntimeprofile and invokes it unconditionally at module load. The function opens a TCP socket to the...
Malicious code in node-vfs-polyfill (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7fb213e524ed75dcb54961d6d2ee9431ea6a32f4fdcb9d777bc260102920d81b On install, postinstall.js executes automatically and exfiltrates host reconnaissance data to attacker-controlled subdomains on oastify.com Burp...
Malicious code in db-connector-log (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6828cdaf9f4280f7739fd6f5a838a63ea7bc8f7bb0c94eec52fb881c2701c724 The package impersonates the legitimate dx-db-connector the package.json repository field points at...
Malicious code in runtime-query (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 95ac68a991ebaacd1aef772aa462ad53510471f9f4439659a6e685e877aa460e On require, index.js lines 70-77 fetches JSON from https://jsonkeeper.com/b/CI3HT, extracts the .cookie field from the response, and passes it to new...
Malicious code in clx-cookie-signature (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9e0e91601d276764067b1b209efd17a1f59ef03ff4fc814bcb22c495f4a0f9b3 Package impersonates the popular cookie-signature library copying its README, author field 'TJ Holowaychuk ', and sign/unsign API, but index.js adds ...
Malicious code in @httpactions/strict-uri-encode (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b90fd30f5d52b139ea7be77aa1782a5339f39355ec7ad532af2fa7a49616ff88 @httpactions/strict-uri-encode impersonates the popular unscoped npm package 'strict-uri-encode' 30M weekly downloads by republishing the same name...
Malicious code in @httpactions/encode-url (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2e52b15ad9413185c30f84ad7e11e031c74c359e04f5c30ce502b8bc73267d8e The package ships a single heavily obfuscated index.js that performs no URL-encoding work despite the package name. On require of the declared main,...
Malicious code in randpicker (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 378d07b700aa25d356594d7b1c42db107def3dbd1cce734e4c1c50b411048eb6 When calling the Email function, the code creates a backdoor script and attempts to achieve persistence. The script connects to a Telegram bot and awaits...
Malicious code in @gbrlxvi/ts-project-lint (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 09e070ea98f9c48e77b964b3dacd4d3e7cbd82cf896fc6140ec4c390438debc8 The package's main module index.js also loaded indirectly by bin/cli.js reads a hidden binary file lib/.perf.dat, AES-256-CBC-decrypts it with a...
Malicious code in react-error-lint (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a084c9e71eac856bf1a1fec025773cc561f9f6677c187d60e055b89c73d846b9 Package name and README impersonate the popular react-error-boundary library advertising an ErrorBoundary export, citing bvaughn and kentcdodds.com,...
Malicious code in ratelimitsucks (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 44ed99ce54c3f8b6fa4f1bfa207a593bbf0d441c9eeee7d29dbc991098f8e12f Package is not a library. main points at sw.js, a browser Service Worker that uses importScripts, self.addEventListener'fetch'|'install'|'activate',...
Malicious code in ratelimitsucks6 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c9f1a5d26cc0e6845ca6fae686a98462270a61b1d97d9ceb834f5046808ffdd0 ratelimitsucks6 is one variant in a numerically-iterated family ratelimitsucks1, ratelimitsucks2,... generated by auto-publish.sh shipped inside the...
Malicious code in abuden221 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fbd19b84f2238fb96214c792d294b1ac0e114103c238ddf040a7960377d78f90 The tarball is a static-site / web-proxy build index.html, /assets/.js bundles with obfuscated names, a.well-known/discord verification file, brandin...
Malicious code in abuden22 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1c6b2d1b9158b6a3652850cdee84fd448567fc6d8187e685ee0b85eb8d594f57 The tarball contains a static-site bundle index.html, obfuscated asset chunks, service worker sw.js, and the MercuryWorkshop/Scramjet web-proxy bundl...
Malicious code in abuden218 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5215a61abda9d84fd39b739be57d465fddcf6561219deddfe212538607de0c66 Package is published under a deceptive identity. package.json declares main=sw.js, but sw.js is a service-worker entry importScripts that throws when...
Malicious code in panrouter-admin (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 390c706978c9207807a0aeb4b1e3dfc500847828c23f5ffb06a14171ca8e51e6 panrouter-admin ships relayclient.cjs, which connects to a hardcoded WebSocket endpoint at wss://jiuling.xyz/ws, registers the host with an identity ...
Malicious code in panrouter (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9fd8aaf176011a764d660ee547645c34815e959d39087519cd187c1ac1af2d53 panrouter is advertised as a 'Claude Code router' but on default invocation panrouter with no arguments it a installs and rewrites the user's Claude...
Malicious code in @onum-releases/utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 887866a4734ebf64a639f9d2512cd400085469ec7fa06aba5f1bbe340b2688b8 On require'@onum-releases/utils', index.js reads os.hostname and issues an HTTP GET to 'utils..200majoeu01dk02xnjdajro1isojc90y.oastify.com', leaking...
Malicious code in @onum-releases/shared-components (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c110ed26ad413cb298fa3f2ce6d435eda5521dfc4113ea5520478030ce063e74 On require/import, index.js reads os.hostname and issues an HTTP GET to...
Malicious code in @onum-releases/ixel (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 188c65369497c00333fc54291c970071044f3237a255387903a707cfd2711599 On import, index.js reads os.hostname and issues an HTTPS GET to ixel..200majoeu01dk02xnjdajro1isojc90y.oastify.com/ixel oastify.com is Burp Suite's...
Malicious code in @onum-releases/sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cae207a349e4bda9359f4981d60ec81d9492cd8624535ee01b44c8f3bf3b3208 On import, index.js reads the installer's machine hostname via os.hostname, embeds it as a subdomain of a hardcoded .oastify.com Burp Collaborator...
Malicious code in @onum-releases/auth (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 22d4bde1772d506f812e112fb8d6bfbf6a6f187dd823640f2cf15811f0d0633a On require'@onum-releases/auth', index.js reads os.hostname and issues an HTTP GET to auth..200majoeu01dk02xnjdajro1isojc90y.oastify.com, transmittin...
Malicious code in @onum-releases/api-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 07908d7f0abe458955357ed6814b46c090c70e1b3d34be4dd1a5c02d2507127d On require, index.js reads os.hostname, embeds it as a subdomain label under a Burp Collaborator oastify.com host, and issues an https.get to that ho...
Malicious code in @caspianph/storyteller (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3bd24daaa395f2e6bfae7c6e6f488a6e114b87e2606ec1bce7dcd4ab6a92f40a The package ships setup.cjs containing heavily obfuscated JavaScript with hex-mangled identifiers 0x32549a, 0x4b2b44, 0x78c349, 0x119ac2 typical of...
Malicious code in computerrock-babel-preset-react-app (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8987a1638ceebfb3dc8c8fc29e8e696fa15c6fe667697dfc367f59bf56b14cfa The package impersonates the well-known babel-preset-react-app under a fake org-style prefix and ships no Babel preset code. package.json declares...
Malicious code in metavu (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fc05e6833390f96b1a53f5d1612e613436e5002673da2f7a8c1e8e9f9f41c525 package.json declares preinstall: node index.js, which fires automatically on npm install. index.js collects hostname, platform, architecture, home...