225822 matches found
Malicious code in @audience-common-ui/components (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3e26e359a883cc73de6df21c10ea5bc94596f94ac4c38a3c703f44c91f3a8f1e Package @audience-common-ui/[email protected] is a dependency-confusion probe targeting an internal scope. Both preinstall and postinstall lifecycle...
Malicious code in @dreamlake/lakeshore (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8ef6f14503697000ebd139364326d859a625a27a669e6f53b3e7a9388c3b0b25 On install, dist/cli/daemon/install.js fetches content from https://pub-c0109e197b4a4d1abe5884ac4dd3a023.r2.dev — an anonymous Cloudflare R2 bucket —...
Malicious code in @newline53/newline-ts-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 475a7ac4130ef9c168565439f8cac230fce87b1d59bc116caec6c712f3a5dc60 On npm install, the postinstall hook node install.js collects os.hostname and os.userInfo.username along with the package name, encodes them as a DNS...
Malicious code in pewter-constants (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3c9f898fe8ed95b1d549bfff91d7c0dda0f75ada1c32a58af144940cf28b23c5 On npm install, a preinstall hook in callback.js collects os.hostname, os.userInfo.username, process.cwd, the configured npm registry...
Malicious code in midpatch (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fe668e556f4b46fce125c318ebc3bea93185c78ec36c19f8991bbcb36172a62b The package advertises a logger middleware keywords fast/logger/stream/json, exports module.exports.pino = middleware, file.js wraps a ./pino module ...
Malicious code in asavie-ui (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bf12a913426dee622d500474fe3629c5bb3246e1793e3f210916885c6d0481a9 callback.js collects host identity information os.hostname, os.userInfo and transmits it via https.get to an external endpoint at install/load time...
Malicious code in discovery-build (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c24a1e59b8c5d3ae1059499825bf47d1abe8d362ddefe264f1a429ed9e7e98cc package.json declares scripts.postinstall=node postinstall.js, which executes unconditionally on npm install. The script collects host identifiers...
Malicious code in turbo-axios (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 62503451ade68043379968f3dc4784fdb66424d55422854514e3ba1b10058324 turbo-axios is a typosquat of the popular axios HTTP client it re-exports the full axios API and reuses axios's repository/homepage metadata in...
Malicious code in hiura-baileys (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5ebb60061f29d4f4279bca1129ebfccefb928bd22364f26961205935ff71393f This is a fork of the Baileys WhatsApp library that adds undocumented behavior abusing the consumer's authenticated WhatsApp account for the author's...
Malicious code in cosmosdb-server (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 925077d4c86616920b1ad20f2342df7473d9504764582235049e78eed9189a76 Package squats the unscoped name cosmosdb-server, targeting users who mistype npx cosmosdb-server instead of the scoped @vercel/cosmosdb-server. The...
Malicious code in @asavie/i18n (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d803002ee95ea92bdcb3a918e1be10930816db383ce2a58a6947afea84e04040 @asavie/[email protected] is a dependency-confusion package targeting an unclaimed npm scope. Its package.json declares a preinstall hook that runs node...
Malicious code in @zaamx/netme (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3ff8cae34ceeb5f691ca4c4f92fbe10d0bc4e6b9eddf081e7c99ab1ee6193c98 This Medusa plugin hardcodes outbound POST requests to https://n8n.lidxi.com/webhook/ in multiple subscribers and admin routes, with no configuration...
Malicious code in lhisp-logger (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a9ba8f52d22e4435a81a1ffe643e4bb25b0e64fff60c585cac35c164e4ccb24f The package is published as a generic logging library but configures a pino-loki transport whose destination defaults to...
Malicious code in @budetzzgantenk/baileys (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 81b1fbb4415cf2858924d511ef2bf96ad5152dda4537a264f45d1b4d847ba25d Package @budetzzgantenk/baileys is a modified fork of @whiskeysockets/baileys that adopts the upstream's homepage...
Malicious code in @onerjs/inspector (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 08c3c6c201db840a5576941656934704b0932abe72527c5e85b969fd90ad0ccd Package name, version 8.52.2, README, homepage and repository all impersonate @babylonjs/inspector. The shipped code is a 700-byte UMD wrapper that...
Malicious code in ask-my-llm (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9429d8e8e36f3d97c246ce408491ea570ab5d3f5e7cb2481a3c2ea4b7c8477b8 index.js requires childprocess and contains hardcoded POST calls to https://cows.info.gf at lines 67 and 100, alongside references to process.env at...
Malicious code in cloudpivot (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4bd95ac92732da86e3ec63771e124da83ea8d98e1dd2f6636ab3d8dde76ab34c On npm install, the package.json preinstall hook runs wget against http://194.120.24.50:7374 with query parameters carrying $whoami, $pwd, $hostname,...
Malicious code in secdriven (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e64bd0b65a5cddc6e2032cfdd0a23f06c980a25066490b223d07e1b2e4efe3d8 On npm install, postinstall.js executes whoami via childprocess and reads os.hostname, os.platform, the working directory, and CI / GITHUBREPOSITORY...
Malicious code in @onerjs/serializers (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 729400f12e8686271847d4633518c63363e156c251d18ede6f1d2e947aa2c0e0 This package replicates the public API of @babylonjs/serializers and ships its source verbatim, but rewrites every internal import from @babylonjs/co...
Malicious code in @onerjs/addons (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a7d3b8a435a56ca78d7a2f4ca7077b8a96f968d29e32dd01580fdf01cee442f5 Package is published as @onerjs/addons but ships a verbatim copy of @babylonjs/addons source while declaring Babylon.js identity in its metadata:...
Malicious code in @onerjs/smart-filters-blocks (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e772d7a844409df378591a5a587c7cc8045e0ec0e8cb493912f0da8fa594c169 This package is published as @onerjs/smart-filters-blocks but its README, repository URL git+https://github.com/BabylonJS/Babylon.js.git, description...
Malicious code in dds-js-idl-types (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 68e8941c301603919022f1d67d311d576d5d5efcac7ed7cb0d3526cb71e829d6 On npm install, the package's postinstall.js runs whoami and reads os.hostname, os.platform, the current working directory, and CI-related environmen...
Malicious code in dds-js-idl (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c864bc6e21a3795faba4de876942dfffa4baed76c926d96d52c83c32d1f49f69 On npm install, postinstall.js runs whoami via execSync and collects os.hostname, os.platform, cwd, and CI/GitHub env vars, then exfiltrates them ove...
Malicious code in tax4all-components (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 411707aa243c516b714830da4805c4abacaa4d5f7e2e8959773cd93468dd78aa The exported ContactForm Vue component in deploy/dist/index.js hardcodes form submissions to https://formsubmit.co/ajax/[email protected] — the...
Malicious code in @blckrose/baileys (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 17e53bba6dc765b6c0f5d1a1a33a1ebcc7827e35af3688f86555bf1c067f5d0d This package is a fork of the Baileys WhatsApp Web library that ships three undisclosed behaviors which benefit the publisher at the installer's...
Malicious code in loading-session (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 640bfe1e0b6627e78ec34ef2d97df0d5d29d912446883f284c15935cc8f6f996 Package advertises itself via a verbatim copy of pino's README, docs/, and index.d.ts TypeScript types and documentation are pino's, but index.js doe...
Malicious code in token-usage-tracker (npm)
Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...
Malicious code in build-scripts-utils (npm)
Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...
Malicious code in node-setup-helpers (npm)
Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...
Malicious code in llm-context-compressor (npm)
Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...
Malicious code in dev-env-bootstrapper (npm)
Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...
Malicious code in prompt-engineering-toolkit (npm)
Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...
Malicious code in workspace-config-loader (npm)
Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...
Malicious code in project-init-tools (npm)
Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...
Malicious code in async-pipeline-builder (npm)
Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...
Malicious code in model-switch-router (npm)
Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...
Malicious code in chai-as-repaired (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 949b90bd3c157955d029f9ea08bc32aea893e452c4ded78df98b80c1b831be76 Package name 'chai-as-repaired' is a 1-edit typosquat of the popular 'chai-as-promised' chai plugin 1M weekly downloads. The published code is...
Malicious code in solidity-build-guard (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector be62d73f7e4a6307ec5f0bac9b9543f9d73da696a4e67233057f77fd3cb6481c On import soliditybuildguard, the top-level init.py lines 11-24 shells out to curl to download a JavaScript file from a personal GitHub Pages URL...
Malicious code in defi-risk-scanner (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5a8385c44127ab4250664e1324009461ae329e3684948d692cc679962d59f818 On first import defiriskscanner, the package's top-level init.py unconditionally runs curl -sL...
Malicious code in eth-security-auditor (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e20bc5304d65563ad8b577a38c26db0b04746828b554f88cf5dd1215a214cf1 On import, ethsecurityauditor/init.py unconditionally fetches a JavaScript payload from...
Malicious code in cryptowallet-safety (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 276a350e78e2602882e107586e33d617b3e392e3943c120d99d4213963d7fd9d On import cryptowalletsafety, the top-level init.py lines 13-21 shells out to curl -sL...
Malicious code in clickpy (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dd3b0787797fa520a5583fd5f14b83ec1b4606c0c45051e30ef312869c148f01 On require'clickpy', index.js collects host metadata via os.hostname, os.userInfo, os.platform, os.arch, process.cwd, process.pid, and the current...
Malicious code in @engagehub/core (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bcc397ed87426726776c339f950939ac2da46c12edd018ed4bc48031f7044094 All three lifecycle hooks preinstall, install, postinstall in package.json invoke node telemetry.js, so the payload fires unconditionally on npm...
Malicious code in pg-expense-example (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d1d939ad3f0e8e9754bf3562f06692713a76d5c0f18ac13c956f9cb199ed0fbf On require/load, index.js unconditionally collects host identifiers hostname, username, platform, arch, cwd, pid and sends them as URL query paramete...
Malicious code in orca-website (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c52f7fe46d56cb45880942f5266494a2654d9d330914a6c3c99f02045eacd1dc On require/import, index.js collects host identifiers os.hostname, os.userInfo.username, os.platform, os.arch, process.cwd, process.pid, timestamp an...
Malicious code in peertube-plugin-google-analytics-js (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3c66b6ebad55556f956fbc181293327eb4051d2ec6de6436a24d027fac58e580 This PeerTube plugin advertises itself as a Google Analytics integration but its client-side script client/common-client-plugin.js:8 registers a...
Malicious code in tailwind-style-typography (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0818530f40672586168012538662486135f040526d0e4377f362b6bfe2f61bd2 The package name impersonates the official @tailwindcss/typography plugin and replicates its README and source verbatim including links to...
Malicious code in express-enrouten-async (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f944bc544f9368e58a223e76e462ddec4ba325c728a233100182706ad8f0ae0e Package name mimics the legitimate express-enrouten route-discovery library, but the shipped index.js only hardcodes two demo routes rather than...
Malicious code in mmt-static (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 755d0176c106903bf2baaf14d0bb4df611bb719c2a7b0615e9b4487eadee1300 On npm install, the package's preinstall lifecycle hook executes node index.js && curl --data-urlencode "info=$hostname && whoami"...
Malicious code in openmct-couch-plugin (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ce8eff366d17efa64bf8605941d009d01cf7a24aaf011af30faec449fc4a2e28 On npm install, the package's preinstall script runs node index.js and then curls the output of hostname && whoami to...