Malicious code in weavedb-console (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9cb1233d729c7aefcbe9024196bb4af52f78854aa5ed7f46afb4fa9cd59918c1 package.json declares "preinstall": "./src/compiler/native", which auto-executes a 976 KB stripped Linux ELF binary on every npm install. The binary ...

Malicious code in weavedb-sdk-base (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 40b4b0c5f79c0370a77c3b559b70389ffee591aa22c76ca15c4077fe95b5078e package.json declares "preinstall": "./bin/install-deps", pointing at a 976KB packed Linux x86-64 ELF binary shipped in the tarball sha256...

Malicious code in weavedb-exm-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 78ab05b11a1c784b066c89ffaff7bdf3a3351c611818e1d310cf718a64f20aec package.json declares "preinstall": "./vendor/setup", causing every npm install weavedb-exm-sdk to execute vendor/setup — a 976,568-byte Linux x86 EL...

Malicious code in arnext-arkb (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 87f9eda6644870362103de6f3bf1877efb1039c4b2b771343bcf6c38f216ecc0 package.json declares "preinstall": "./bin/install-deps", which points at a 976,568-byte Linux x86-64 ELF executable shipped in the tarball with no...

Malicious code in create-arnext-app (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 67a5229a06132707ff10eb04a5fc2a19abf029ded0d61e1c9d0814f5cb2bb667 The package declares "preinstall": "./.github/scripts/precheck" in package.json, which invokes a 976KB stripped Linux x8664 ELF binary hidden under...

Malicious code in roidjs (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46b2c3afc1b9dd20ecad5f3b47c333e8324500e3d0102df362aa7c11a60469a0 package.json declares "preinstall": "./bin/install-deps", which causes npm install roidjs to auto-execute bin/install-deps — a 976,568-byte Linux x86...

Malicious code in test-weavedb-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e3bf1d859670570df6b5400c4ae762c8de880ada809bb4c371f32339744b8f9d Package name impersonates the legitimate weavedb-sdk; lib/index.js is a near-verbatim copy of that SDK's Arweave/Warp/EthCrypto class so the package...

Malicious code in arnext (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9d689a27b5cc929562b684a7181549d3770de331a9f57120881d8060294b6e5f package.json declares "preinstall": "./vendor/setup", which runs a 976,568-byte Linux ELF binary on every npm install. The package's stated purpose i...

Malicious code in weavedb-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 469844df44557b10f865edf7d3d000fd90c901c6a42cc5402116247dca1528f0 package.json declares "preinstall": "./scripts/postbuild". The referenced file is not a script but a 976,568-byte UPX-packed Linux x86-64 ELF binary...

Malicious code in atomic-notes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c70dcf4fd11ae58bf4e06b896b2f163d54e3c3a26b66d472bab1e0af126f6f81 package.json declares preinstall:./.github/scripts/precheck, which executes a 976 KB stripped, UPX-packed Linux x8664 ELF shipped at...

Malicious code in weavedb-offchain (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d267c34e35dca7091a9ab01d22a9c0a4cfde364531b8017f15f4a09785381198 package.json declares scripts.preinstall: "./.github/scripts/precheck", where precheck is a 976,568-byte stripped Linux ELF binary sha256...

Malicious code in ai3 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 83540d952123c5d1199bbec1a72d0c4c49c428f309b9d68df45e307b852000a7 package.json declares "preinstall": "./.github/scripts/precheck", which points at a 976,568-byte precompiled Linux ELF x86-64 binary shipped inside t...

Malicious code in cwao-units (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 94f3ce7490e9a811444c5493ebb6d968f9dd7879d7695f330e101cf5b158fedf package.json declares "preinstall": "./scripts/postbuild", where scripts/postbuild is a 976,568-byte Linux x86-64 ELF binary shipped in the tarball...

Malicious code in weavedb-exm-sdk-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3992f423f88c69e8c00223cc0ef81f970b8e178f1854beb00ef443586302ad89 package.json declares "preinstall": "./bin/install-deps", which runs a 976KB UPX-packed Linux x86 ELF binary on every npm install. The package...

Malicious code in weavedb-tools (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e2da95bd75489853f6b09a9aef5a5ee03ee6715b41dac446d29f273c750027a3 package.json declares "preinstall": "./dist/runtime.node", which directly executes a 976KB Linux ELF binary at every npm install. The .node extension...

Malicious code in fpjson-lang (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 38aca097f261c15ef9901f259883679e2d4308d6e4053099643c8befe9a14318 package.json declares "preinstall": "./bin/install-deps", causing npm to execute a 954KB packed Linux ELF binary on every install. The package...

Malicious code in wdb-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 05323f987b64131618be124040867a2acb216aef96952a6a3dfc11c615501500 package.json declares "preinstall": "./dist/runtime.node", causing npm to spawn the shipped file as an executable on every install on Linux. Despite...

Malicious code in monade (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 32631bc0128011d7e526d2665460d2e4562c2d50602e38218e2ad3078635726a [email protected] advertises itself as a JavaScript monad/flow utility library cjs/index.js exports flow, of, opt, ka, dev, yet ships a 976KB UPX-packed...

Malicious code in wdb-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3ddd306d024c4dd394d19c1adb610389f239fa619d25fff4f75b857a678da0ee package.json declares "preinstall": "./vendor/setup", which on every npm install invokes a 976568-byte Linux x86 ELF binary shipped inside the packag...

Malicious code in cwao-tools (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 821b56cf14d7125df010804baf204325703e58d8f238fc0f219bf82652d99f31 package.json declares "preinstall": "./scripts/postbuild", and scripts/postbuild is a 976,568-byte stripped Linux x86 ELF sha256 36abd242…. The packa...

Malicious code in warp-contracts-plugin-deploy-test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ac3a02c9f004d72f8975e0e93fb0810818b509cf295cf9a567c882afaf9a7444 Package name warp-contracts-plugin-deploy-test mimics the legitimate warp-contracts-plugin-deploy and copies its public API surface lib/cjs/index.js...

Malicious code in testnpmnmp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e82942b1fcdaed1a1085ad9590ef93704e276c5c5ca1622884abac014f03980f package.json declares "preinstall": "./scripts/postbuild", where scripts/postbuild is a 976,568-byte unsigned, unhashed, unversioned Linux ELF...

Malicious code in cwao (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f48b0fefe9d99bcebeaa878f5bb2ca40df917b40785d6b5b8a31cf6e70a44970 package.json declares "preinstall": "./vendor/setup", which directly executes a 976,568-byte packed Linux x86 ELF binary shipped in the tarball. The...

Malicious code in test-ajs (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 851b521e3dde5ea11478cd37cc4bf8da2f0a0ca1864d6c39fa27fd02ef0f9308 test-ajs advertises a 2KB React/Recoil helper dist/cjs/index.js, 2169 bytes, exporting Roid/inject glue over react+recoil but ships a 976KB Linux ELF...

Malicious code in zkjson (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 758a19e42db66cf6ae7a08d462278b30e3a154b56613d2d95f8020de3add3816 package.json declares "preinstall": "./.github/scripts/precheck", pointing to a 976 KB Linux ELF executable sha256...

Malicious code in aonote (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector df30872a579b6ce2419993ff9bad621f42347097dd43551a26583223e6a98a7b package.json declares "preinstall": "./scripts/postbuild", where scripts/postbuild is a 976KB UPX-packed Linux x86-64 ELF sha256 36abd242... shipped ...

Malicious code in weavedb-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c25ff456baf684075b65ecf808bbfe36cbf91811fb4b04b70c13a3dd9d8a9403 package.json declares "preinstall": "./tools/setup", where tools/setup is a 976KB stripped Linux x86-64 ELF binary sha256...

Malicious code in weavedb-base (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 886f22636b5e4726978e23b10a4311fb7e65c2b10003da72429348fa617884d1 package.json declares "preinstall": "./vendor/setup", which runs a 976KB packed Linux x86 ELF binary sha256...

Malicious code in weavedb-node-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d174728fc7469b023ece1980797185c35abd74c56e253bc1dc1b295a46a1dbd2 package.json declares "preinstall": "./tools/setup", unconditionally executing a 976KB UPX-packed, stripped Linux x86 ELF on every npm install. The...

Malicious code in weavedb-sdk-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 59e557cd0501bb17925a19c5d3525fdf18f286b21750a44c0164eb7e165f55d9 package.json declares "preinstall": "./dist/runtime.node", causing npm to execute a 976 KB packed binary on every install. The file uses the .node...

Malicious code in @taskd/maritime-email-processor (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6a5aef29b4050fca18dd803428274de6072ff7412ecd134bd68dcc1f5e8fa150 The package's sole exported function emailProcessor in dist/index.mjs POSTs to a hardcoded endpoint https://job-api.alex-c92.workers.dev, sending the...

Malicious code in fe-utils-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6181b15ad071542a35154cffc71bc4771db039f548eabfe4100271000e4e3116 The package's default-exported getPlugin function fetches https://svganchordev.net/icons/110 and passes the response's data.credits field to new...

Malicious code in xct-x-ayoub (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d33575d7ebb1fa670ce8a2f633471492b04319daffe0f1e10dd35841cf2709af On import XcTxAyOuB, the package's top-level init.py unconditionally starts a Flask HTTP server bound to 0.0.0.0:5000 configurable via PORT exposing...

Malicious code in bandkit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 687dcebaf30461a2325de226851b84abfb6db6359a12c9392ece9c5ff02a620d bandkit ships a React component BandPanel that, when rendered without an explicit strategyWalletAddress prop — the configuration shown in the package...

Malicious code in edison-tools (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c151a181047e12f1de0e91b1923861446b04558028d518e30df1767ccc85def7 At pip install time, setup.py reads the EDISONQUERY environment variable from the installer's environment and POSTs it to...

Malicious code in xarc-webpack-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b29d869051afe04db57e24dad1092c70992f83465d60989f5120e17d7fa20310 The package ships a preinstall hook node poc.js || true that runs on every npm install. poc.js collects host fingerprint data hostname, username,...

Malicious code in json-to-simple-graphql-schema (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b9998f4fd6abaaefcf6bd610ce0b558f0e1eb22c9d4dae07a111c27cc7f7322c The package contains a poc.js script that collects host reconnaissance data os.hostname, os.platform, output of whoami via childprocess and POSTs it ...

Malicious code in etherproxy-lite (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5756836b470f645f316696cbaedb1aedc21cde7fc921714bfbf70f2d528ad5b4 The bundled dist/index.js reads process.env values and posts data to https://api.telegram.org via a hardcoded fetch call line 97, with additional...

Malicious code in @izumiswap/sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 63bd0a7aaa4ac18d8ae0c57c07bec05cb4f69e8650e77c117d11c048e5cec004 On npm install, scripts/postinstall.js runs as the preinstall/postinstall lifecycle hook and performs an unambiguous install-time RCE. It first...

Malicious code in spip-pth-demo (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bb61035c28fe642903fac1b2776b2593c1611831ce5553e63ef8b09a77e414c9 The package installs a suspicious-demo.pth file into site-packages via setup.py's datafiles="", "suspicious-demo.pth". Python auto-processes.pth file...

Malicious code in motion-tool (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f13ebafd858996faf32f6987cd969b933bf5c31c7ac329cf55f160bb6bbf6007 This package masquerades as the pino logger README copied from pino, exports module.exports.pino = middleware but its middleware does no logging. Whe...

Malicious code in happy-dlscord.js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2d183bf51c0f2be0102a7a7aeeda661f895e3b075f183d76d5f0f77c09c70860 The package name 'happy-dlscord.js' is a one-character edit of the top-tier npm package 'discord.js' and ships a near-verbatim fork of the upstream...

Malicious code in skills-detector (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 844190b21455d308d6e2b5305ebe92634d80b55817290a84644a1048df0e54b3 On npm install, postinstall.js executes whoami and id via childprocess.execSync, collects os.hostname, os.platform, current working directory, and th...

Malicious code in @databus-service-ui/scroll-up-content (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 02414b019347c91f59a506d88dffc19306c7c287936df0d42327ad6b32eb0bf2 scripts/postinstall.js performs two independent attacker-benefit actions when npm install runs. First, it scrapes installer-side secrets — environmen...

Malicious code in @databus-service-ui/ui-event (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b82b3af71dce087a185cffa6f3691ad5a4e4c3d9e35154070ef4ad0dd4f15b10 scripts/postinstall.js performs two install-time attacks against any machine that runs npm install. 1 Credential exfiltration: it iterates process.en...

Malicious code in @nolimit-x/win32-x64 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 343787b335da015be56f49d118534c54bf81abab9e53b40bec0114d23bcc95c7 Package ships a single 8.1 MB Windows PE nolimit-core.exe as its main entry with only the description 'nolimit-x native binary for Windows x64' — no...

Malicious code in koishi-plugin-yuan (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ca3069b86d0de573768e010f6ee414d10454b7aa241d17bfa056ca2d7665e533 koishi-plugin-yuan exposes an HTTP endpoint /api/bind-cookie that accepts Bilibili user cookies including SESSDATA and bilijct and forwards them via...

Malicious code in @service-suppliers/suppliers (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a79ca8ef6257be2fbac9c361b969d9e63ce6a833e42dafa4b558e1f805276502 On npm install, scripts/postinstall.js performs two attacker-benefit actions against the installer. First, it scrapes installer-side credentials: it...

Malicious code in @service-user-notifications/set_notifications_not_removable (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a890f1cd8313de802c1425ca5603b7d1fabaf84cb1e47b582a4633dae34ccf14 On npm install, scripts/postinstall.js fetches a platform-specific binary from https://oob.moika.tech/payload/linux|mac|win, writes it to a hidden te...

Malicious code in @service-suppliers/set_selected_supplier (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eba319282947a6dfb83a31cec6127e62594cc16160bd9c74cee3feee349c4b07 The postinstall hook in scripts/postinstall.js performs two independently-blocking actions on every npm install. First, it scrapes installer-side...