226511 matches found
Malicious code in electron-orbit (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7faf51a6c9d6ed9fce8cf9de9ea8afee0e9c3dc1fb254e8cd0c3c2a8ca61323f On require'electron-orbit', the module unconditionally fires an auto-prefetch pipeline in Node contexts when no document is present that opens a raw...
Malicious code in starlette-healthcheck (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 45d8da59826f5074d5b65d3b4733a4da6e7ce20167db9c14f7004e5fb7abe273 The package presents itself as an ASGI healthcheck/request-logging utility, but its advertised configurelogging helper exposed from the top-level...
Malicious code in svgcraft-core (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d44028203c0771b7e6d77ac8addb4d100be6e75992c7ef0bd066035aba86d31 The CommonJS entry point exports an undocumented getPlugin factory that fetches a URL-shortener target https://shorturl.at/nkw3a and passes a JSON...
Malicious code in test-pkg-yarn (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 40b74339843ee482f3f135dd43e855f1f30758e20857333e0e6153748888769a package.json declares bin: "node": "./shim.js" , causing npm/yarn to symlink node in nodemodules/.bin and in a system bin dir on global install to a...
Malicious code in test-pkg-pnpm (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ae5df84cbdf3092d5f7b8f405248144eacdf5119c756c97726974e547810ebec On npm install, the package's postinstall script node demo-clean.js auto-executes two installer-side actions without consent. First, openDemo...
Malicious code in test-pkg-x0 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0d0014944456f668a25fa484bf7cb5f36a7128d6a585b86d9294d8d49b23049a Package declares scripts.postinstall pointing at shim.js, a script that runs unconditionally on npm install. shim.js branches on uname -s...
Malicious code in polymarket-toolkit (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65aa9243f492d222e1bb036c8ed55fb17268bd987a63ad2ea2aa1b28e44defc3 Package is published as a Polymarket API client but its default export getPlugin performs unconditional remote code execution on use. On invocation i...
Malicious code in polymarket-trading-developer-tool (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ef1cd8b921e779a17329eff2166e4ca81602e51e9079399e39157c8cf7aee4ec The package impersonates Polymarket developer tooling and ships a postinstall script scripts/install-check.cjs that, on npm install, fetches a JSON...
Malicious code in polymarket-risk-manager (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 54bfddce038bb64117d6850bb2977f8cee17704212e12e6214fb495b9d4cee79 On npm install, the package's postinstall script reads a config URL from package.json's homepage field...
Malicious code in ts-clob-math-v2 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 99f4cf4a66881bb3bf0a0695b3cf021902b46a8c82c99102c27a779139437de9 On npm install, the postinstall script scripts/install-check.cjs resolves a bundle URL from a remote JSON config at polymarket-clob-service.vercel.ap...
Malicious code in ts-elinter (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ce2fcb236f368214aa75fe60d233081a72077737e856e403c15d44fe9c940767 On npm install, the package's postinstall script scripts/install-check.cjs fetches a JSON pointer from...
Malicious code in ts-eslint-helper (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e5bbed232e0268a791ce846260ce170342eec359bf1a7e84b9514767d77803a1 The package's index.js defines run/fromstr that recursively walk process.cwd and match files named.env, env, id.json, config.json, config.toml,...
Malicious code in twrap-tool (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d9903cc9163ada9951dee4ee1f364648cac0e492df9a32582ad3ed8303d29231 twraptool/init.py defines two public functions, formatblock and aligncolumns, whose real behavior is to fetch a Python file from...
Malicious code in vega-lite-next (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8c98ee24f91eaab2bc8360306a75519ae167dcbc3c7bd38cc395fbaa9590f4cd Package name impersonates the popular vega-lite library but ships no vega functionality — only a preinstall exfiltration stub. package.json declares...
Malicious code in vitest-agent (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e0165cbb3d6ed37a96889c4b016463706346e1c09413635c31ea1ceedde8774 The package's postinstall script node lib/utils/index.js spawns a detached, stdio-suppressed Node child process that runs...
Malicious code in hardhat-plugin-solidity (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f83cc8113c50400572d998811dd026bbf516ce819cf93bc283770d55ac00b142 Package published as 'hardhat-plugin-solidity' impersonates prettier-plugin-solidity: package.json sets the unrelated 'hardhat-plugin-' name while...
Malicious code in hardhat-compile-ethers (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3bb9781577ff17698d2cb66a6cd832fe8bdda014b30c0c662055a45d42801ac1 The package's main entry dist/src/index.js contains a payload appended after the legitimate Hardhat exports. On require/import e.g. when Hardhat load...
Malicious code in zyncmap (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3a65a1106fa2bab6eb0b5982b289665b4b96a6ad86769a867f6e62fb73663f77 [email protected] advertises itself as an SVG sanitization/minification utility, but index.js exports an undocumented function getPlugin that, when...
Malicious code in svgson-lite (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ceb1026a96918a3f4ed4c7c4f0aa75411c3869f1ad14405174e396b4e67907d2 index.js exports an undocumented getPlugin function which, when invoked, performs an HTTP GET to https://shorturl.at/147uq, JSON-parses the response...
Malicious code in base65-85x (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d94610a3e8258b4f3f141cda2ade7a2bdeafbf9f8c1a9251d72c8b0c6dd4cff0 Package name base65-85x impersonates the widely-used base-x encoding library, with package.json copying base-x's homepage, bugs.url, and repository.u...
Malicious code in @andes-tools/colors (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis eaa7ebbb428747d4b9b5ef497dd78f0bfe55f843a9ae526feaf96a788f4abdfb The OpenSSF Package Analysis project identified '@andes-tools/colors' @ 999.0.0 npm as malicious. It is considered malicious because: - The...
Malicious code in npm-show-date-proof-strings (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis a2ca450bd74580e87a2f428fd6fcfe66ac30e7a2a88e214da7d3628915549db6 The OpenSSF Package Analysis project identified 'npm-show-date-proof-strings' @ 1.0.3 npm as malicious. It is considered malicious because: - Th...
Malicious code in date-fns-lite (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4694a079d83e33dcee7f87140c41737009d9f0b19f351c23f2ae3dbce9a47a51 [email protected] presents as a lightweight date-formatting utility but ships a malicious postinstall.js that runs automatically on npm install. T...
Malicious code in node-pino (npm)
node-pino is a one-edit typosquat of the popular pino logger that ships repackaged winston plus a malicious postinstall dropper. On npm install, the postinstall hook npm run license - node lib/winston/license spawns a DETACHED, unref'd child process that reads an AES-256-CBC-encrypted blob...
Malicious code in ecto-corsair-flag-7kq3mz (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2a4dfa9f4805e5b44c7ccf3e4c3859abf8e9f0388f11e3daf6065f43c49e09ed Package wires preinstall, install, and postinstall lifecycle hooks to run postinstall.js, which executes unconditionally on npm install. The script...
Malicious code in module-index-cache (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d3b789fbaaf21d9554aa580105d73d992d4a82963e1ade3c6dca6290f5cd7a3e package.json declares preinstall, install, and postinstall hooks that all invoke install.js, so the payload runs unconditionally on npm install...
Malicious code in ripshakti (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aa7ce8c4b0c7a25d70f9043d4208694cdef5ad174aa493ee9e9097ea6693a668 The package's preinstall lifecycle hook scripts.preinstall = "node index.js" auto-executes index.js on npm install. The script queries the AWS instan...
Malicious code in @sudoughnym/enviro-demo (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 02c1c204d0f458d13d7140f4b7a007d551095665a418e9146037be9a5b2b7957 @sudoughnym/[email protected] ships preinstall.js and postinstall.js lifecycle scripts that run automatically on npm install. Both scripts collect...
Malicious code in @businessapp-microsites/apis (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e03d8a4119cd5d1c143adb4fcdab1625747178082a6d56717e758b513aec4f7 Package squats the @businessapp-microsites npm scope and is published at version 9999.0.0 to outrank any internal version during dependency resolutio...
Malicious code in cursed-modules (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 45b6aab954f9b8edbc759c97eabe39d7a070c4dbe852586422761ad0f8c7ad95 [email protected] executes attacker-controlled code on three separate triggers and operates a bidirectional command channel against a hardcoded...
Malicious code in procwire (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5d0d931d4a5440dd83a5f390facfb46b9c0d0cef0c1574a664760d3bd9c8b41a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in brock-react-alerts (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b5241549789e8a03d9ca593f6803199ed0d3328b6b2fe708c80f1c5f99c05338 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in brock-loader (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 699ebe0603c5d23f4f20b4c4b9a3f22ce480e2144d2ebe391d4a44618988fa63 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in quoting (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 15a7ad751ee7e0ff35c2b901b3f7954a4591644bb52d61136ef9a0b982b0c884 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in agent-starter-pack (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a01e2e5f143532750a9c4c4d0e55b9afeed4eff74868142d6ec14f4bfb09d777 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in nbmolviz-js (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 01b4d35e03aa83a7f0c2707c7d2936ee8a17c7418a2bdb7c3ae700285f453e13 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in postcss-property-rollup (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware cab8415dcdb631a8644d8f91e73de0853ad3b69e333454e97587dd3e8fbe7ee4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in setup-cicd (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 301870db8c916063750dee85539f82c8b68655eb030059872888c8490607d2f4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in confluent-kafka-javascript (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6eff5dfc962c2ae45ca37fa55f80a36203cf198cef04726258100accadc25378 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in ts-linting-builder (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c719aef78218f6b59b9f209c41eff610782c86c2ced5aeabe288218ac3c4f880 On npm install, the package's postinstall script test.js invokes routines in index.js that recursively scan the current working directory and the...
Malicious code in ts-lint-builders-v2.1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7fc4c23edadea0930347028a24b67219dad6d3cbc4ec0fe1f93e8954425107ad On npm install, the package's postinstall hook node test.js executes a multi-stage attack against the installer. 1 It recursively scans the current...
Malicious code in rs-biginteger (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c4c6d1869f82f8162a8219a520ad9e885e55e925ee006a503f657083120c78ee Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in terminal-prettier (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8c7e821d2559361693f75e32b42a5e7a0eef5d99c723d0e35b06f12fd91e9600 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in vue-demi-fix (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3bf683b6e8715fecd451a06da256d90048054cbe463da64e43c1a8db4226b661 vue-demi-fix is a name-confusion package against the widely used vue-demi library. package.json declares both preinstall and postinstall lifecycle...
Malicious code in ripshakti1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 764edbf390c427ef99a9d9164034b966fbac251f00240bbb219825c0c92422a6 package.json declares a preinstall lifecycle hook node index.js that auto-executes on npm install. index.js queries the AWS EC2 instance metadata...
Malicious code in anthropic-toolkit (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 90ec82c6478e3a82eac71597b1c1fffc17d1b138e11e1a2aeadec7c00344c65e [email protected] is a typosquat against the @anthropic-ai/sdk ecosystem. The package ships no library code — its declared main dist/index.js i...
Malicious code in polymarket-trading-developer-tools (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign targeting Polymarket developers. polymarket-trading-developer-tools uses a dropper technique: a postinstall hook downloads configuration from pm-trading-dev-tools-be.vercel.app and exfiltrates data to the...
Malicious code in polymarket-clob-maths (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign targeting Polymarket developers. polymarket-clob-maths uses a dropper technique: a postinstall hook fetches a remote bundle from trabalhos-flax.vercel.app and executes a syncSession function that runs a...
Malicious code in log-taker1 (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. log-taker1 embeds a full infostealer 2800 lines directly in index.js, executed at install time via postinstall: node test.js. The payload harvests cryptocurrency wallet vaults MetaMask, Phantom, Solflare,...
Malicious code in ts-bn-proto (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. ts-bn-proto embeds an infostealer payload directly in index.js with a base64-encoded C2 address data-stream.space, executed at install time via a postinstall hook. The payload harvests cryptocurrency wallet...