Malicious code in @pluxee-connect/api-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0f5056dda18e9a9f440db7379d09fa1f9f7ff087ac00d6684170cddd40c240e9 On npm install, postinstall.js collects os.hostname, os.userInfo, and process.version and transmits them over plain HTTP to...

Malicious code in mcp-server-iehub-proxy (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ba03746ec3542dbe6ea365d04c04a7b9ac1366a547da3a6e7bc146900ad67a51 proxy.mjs hardcodes a Cloudflare quick-tunnel endpoint https://consequence-pushing-peer-exist.trycloudflare.com and uses fetch... POST... with...

Malicious code in @tailwind-core/oxide-win32-x64-msvc (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d93cb69a6f12f5739ab03d78641f2a79179750b6182f65ba5b8fb8ec4a1399bc The package name @tailwind-core/oxide-win32-x64-msvc impersonates the legitimate Tailwind CSS scope @tailwindcss published by tailwindlabs. The READM...

Malicious code in figma-d2c-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b65db74a06749bbb141552f97e91b15d5bdd91b57a0136dfc8bfb4034b659c8f The package ships dist/report.js, a one-line module that issues an HTTPS POST to https://www.baidu.com carrying values read from process.env. The...

Malicious code in @thesignup/cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ba2a0430ac2be1496dc77d4ad0a94d89bcf563d4aadb4eb457812b7572aa8367 The package's scripts/postinstall.cjs runs at install time and performs host reconnaissance hostname collection, ping/network probing and posts the...

Malicious code in @web-3d-tool/sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a1e96a726cf0732113215b2026a7a59fc6bf471f86d34153fea3a0e32b275fb5 @web-3d-tool/sdk is a near-empty package trivial 35-byte index.js, empty author/description metadata whose only effect on install is to pull in a...

Malicious code in @serviceshub/x-web-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1cd81c2623e8f621801dcbfbf7d7eb8745bf702f1d5e85e410872400c7d2eea7 Package ships a trivial index.js module.exports = ; and exists solely to pull a direct-URL tarball dependency at install time. package.json line 9...

Malicious code in ethers-wallet-packages (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector beda1480a40189cc8177ace4e3d6fd9773ad81f4cbe5a6c07e3004427846dc8d The package impersonates the legitimate @ethersproject/wallet source files are otherwise verbatim copies, including the internal version string...

Malicious code in python-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5b94c01fae325c5f5e92abd5da03527c54e22bb48202b1dc8b3e2c64947753b2 package.json declares "preinstall": "./dist/typecheck.js". The referenced file is not JavaScript — it is a 5,224,556-byte Linux x86 ELF executable...

Malicious code in stripe-internal (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 e7a911f1602bed2fda7cbacff6567286433df29592c24839ae9980c7fff0e6b4 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

Malicious code in cb-wallet-data (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9d076ee3d487c7c10f785494c4391e39eb327b696224d5653746144fa5ac8d37 Package name 'cb-wallet-data' targets a presumed Coinbase-internal namespace and is published by an unaffiliated party. Both postinstall.js npm insta...

Malicious code in vestibulect (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 82da0f0bb40f42e69defbea694db093f2ad880c8c094508f61e2d7fe58550e2e package.json declares a postinstall hook "postinstall": "node install.js" which executes install.js automatically on npm install. install.js imports ...

Malicious code in @trackking/core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 64d51e587bc0b6508fa3d38027f18d42d9ab4b6ccdb8dd2760543e8c52d6bb18 @trackking/[email protected] is an empty stub: index.js is module.exports = , package.json has no description, no author, ISC license, and a high-number...

Malicious code in @ikyyofc/gemini-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5793a1cde3de83b8c15b49a0f9981d72fbf431067a4416ce6b2bd5650ea4a4d6 @ikyyofc/[email protected] ships two heavily obfuscated modules src/gemini.js and src/utils/proxy.js wrapped in an obfuscator.io-style string-array +...

Malicious code in @vtmn-play/react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e407217116bd1ae3eb89ce8631eae8299f5acd924409d33f141ebddc4489145 Package name @vtmn-play/react mimics Decathlon's Vitamin design system @vtmn/react and is published at version 99.9.1, the canonical...

Malicious code in @wengine-ai/claude-code-router-shared (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 45e362000d036139e02a066a82ec157314a07796e0e855cdce184cc081ca4591 dist/index.js line 14 issues a fetch call to https://pub-0dc3e1677e894f07bbea11b17a29e032.r2.dev, an anonymous Cloudflare R2 bucket, and references...

Malicious code in wallet-agent-ai-radix (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 60a953d7785091650f4f48e0b038e71ad79788102ffd652bff4bb0e8bf40ea21 dist/agent.js contains a hardcoded Telegram Bot API endpoint https://api.telegram.org reached via fetch with a POST body that includes values from...

Malicious code in color-style-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 47cf4aaa2cd7a20b222a1a4150a7b9e1f79d9b0a09c8fe4a5689e55bad9bc087 On npm install, all three lifecycle hooks preinstall, install, postinstall execute postinstall.js, which harvests installer secrets and exfiltrates...

Malicious code in stripe-commands (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 25869cea9557ac431847a2e11b5c78d6da5ee072b1d73f1d0fa6ccc895d2be60 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

Malicious code in @flipbit2-bb/test-auth-state (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 52ba26e89d1aca1f10772bf4cc8c9b23a436a39a8442fdf4ba9abf6c4c890e63 On npm install, a postinstall script phone-home.js collects os.hostname, os.userInfo.username, process.platform + os.release, a timestamp, and a...

Malicious code in @deadcode09284814/axios-util (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 76075552edfad08b87789f2594dc666cdf4bf992e590c78cbfb0090446fca42a On npm install, postinstall.js reads installer-owned secrets — SSH private keys idrsa, ided25519, iddsa, config, authorizedkeys, knownhosts,...

Malicious code in chalk-tempalte (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d3e82f6fa2867575be5e57fd3b03dada6a93761c97b240f77f98f4b221bde7a7 Package name chalk-tempalte is a single-character transposition of the popular chalk-template package a top-tier npm utility, consistent with...

Malicious code in cloud-pc-templates (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 044178c5b07f16ba0681f534724c7bcac3c8f39832484c7a3ac51d43a69cd803 The ai login CLI subcommands loginMode huggingface, ollamacloud, ollamalocal each download a proxy script from a mutable refs/heads/main branch of a...

Malicious code in ezymail (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ea463f516048086ec4acfc2733edc9561dac749d19c2e47381fc170c451cd53c The package advertises itself as a Gmail/SMTP sender library. The README documents that callers pass their SMTP user and pass Gmail App Password to a...

Malicious code in @venturo/playwright (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0e9a29f430bb3a664936cb27d7cc0dc6f3e8764ae0fae7e9fc8e001fcece43c8 @venturo/playwright impersonates Microsoft's @playwright/test: package.json sets author to 'Microsoft Corporation', homepage to...

Malicious code in pulse-axios (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c64dad53e23f7fcba3813e9ae6caee3f9461f5e52194165da668e5332e78bb99 [email protected] declares a postinstall hook node./lib/core/eval.js that on npm install issues fetch'http://localhost:3000/download/data', reads th...

Malicious code in foundy-toolkit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d117fe522ec0aee9271963b02fb9a61b7e5005b5494331368b58f46c05c944cd On npm install, the package's postinstall script runs an inline node -e that shells out to curl -fsSL against an ephemeral Pinggy free-tier tunnel ho...

Malicious code in rdflib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fb9a536a077e23bda8e10a55aa1177de28f4f5a8622e08914eeab437e8036940 package.json for this release declares two runtime dependencies — "package-lock.json": "^1.0.0" and "package.json": "^2.0.1" — inside the dependencie...

Malicious code in stripe-utils (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 2134a01cead67cd3508d0ca8a14acbfd272181c65faed08b8491a1b2e7885ddc Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

Malicious code in axois-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 48eb1a16cb7cac016f30a49f81d472b9b4e02236b97c5daaea4446b74e6aa069 The package name is a single-character transposition of axios. package.json declares preinstall, install, and postinstall hooks all pointing at...

Malicious code in carvus-lens (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector be2182b552b0a8359f3314078d48310cfcd57738e1934aacf00ac8775a32cfe0 carvus-lens is a screen-capture/OCR Electron-style tool whose advertised 'Ask AI', 'Translate', and 'Search' features silently route user-selected...

Malicious code in polymarket-clob-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7e0a3a7bbeb25fb478d59cdd4b62ebb34c13e8e236505813660e81abf61e74ec The package is published as polymarket-clob-client, an unscoped lookalike of the legitimate @polymarket/clob-client maintained by Polymarket, but the...

Malicious code in @shinzepelly/libsignal-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 957954ced5e6fb2e8ab6a666adf496ca2edc7575a4e202b593d6698b5d89809f Package impersonates the legitimate libsignal-node library description copied verbatim: "Open Whisper Systems' libsignal for Node.js" under an...

Malicious code in @tailwind-core/webpack (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7955094460738dc65288f88a3bb990c7d3ff52ed3683f11265b7072bd80aa4e3 Package @tailwind-core/webpack impersonates the legitimate Tailwind v4 webpack loader @tailwindcss/webpack. The README copies Tailwind Labs branding ...

Malicious code in @solarcraft/observix (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 14c39608a172a624520f309b572b40636dc51563f85fe89dac968712490dd40f The package advertises itself as a zero-dependency colorized logger similar to pino-pretty, but dist/index.js does require'./logger' purely for its...

Malicious code in get-deps-path (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65fa6f34a831aa832f9d88019ce3d0f4011701df6ab0667bd263645208c978ce On require, get-deps-path immediately invokes getPlugin, which performs an HTTP fetch to https://jsonkeeper.com/b/QBRMI an anonymous public paste hos...

Malicious code in fca-eryxenx (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7569b032ce4e06251ebfe06b4fc124689f20ca0a7e14b5b2395dc7295bfa18c6 The package's documented login API — loginemail, password, twofactor — POSTs the caller's Facebook email, password, and 2FA secret to...

Malicious code in truffle-config-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2204d3386cd8473771610640812df94a0c65c5482027bd7a59282398d38e73db On npm install, the package's postinstall hook package.json line 13 issues an HTTPS GET to...

Malicious code in customerdigital-ui-containers-lib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a314a5b253dcb30b2781bda216266b7ab1b49b62eec416bd9be07b48ab46a348 On npm install, postinstall.js collects git identity, OS user/uid, hostname, internal network interface addresses, Cloudflare Pages environment...

Malicious code in code-tool-langfuse (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 13591fd81486fc2001b5c998ff87badefcb81f4c396aa43675a7280a6fed23cf The package installs a Claude Code Stop hook and patches OpenCode plugin code so that every future AI session's user prompts, assistant responses, to...

Malicious code in hpsetup (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 16ed0c34d69e1ea3c5052e3eed20b87fc47e8d4bf1393f7117d34b847347e12c When npx hpsetup runs, the tool fetches a tarball from https://hpsetup-cdn.932324.xyz/api/tarball//?key= and extracts it directly into...

Malicious code in etherjs-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 335b4f699510e2bb1171a9137655f6977d5554f508e612eab97b4239c1249be1 package.json declares a postinstall script that performs an HTTPS GET to an ephemeral pinggy-free.link tunnel URL...

Malicious code in jsonbson (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8068ec3c82afd849515c6434f74da03c799500583129d4c26f1a168a5ac5ba1b On require, lib/writer.js loaded via main=pino.js collects a full snapshot of process.env, OS platform, hostname, username, and external MAC addresse...

Malicious code in @mcpassure/mcp-cnes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 243d5ff1424c2d147ee05781c1889b007eb30e22a190bf6dc3973b676ea697a7 dist/bootstrap.js performs a fetch against https://pub-046c52795b9445cd9f5cc5cb21b9d59f.r2.dev, an anonymous Cloudflare R2 bucket with no publisher...

Malicious code in @mcpassure/mcp-anvisa-bulario (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e846cabb7b5077244737d7a465e944ebe7635db46cc55e7e5736eeda47d30938 dist/bootstrap.js references a hardcoded URL on pub-046c52795b9445cd9f5cc5cb21b9d59f.r2.dev — an anonymous Cloudflare R2 bucket — and calls fetch...

Malicious code in hardhat-gas-profiler-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c21e0ec3571fccc81c8e047835e84f75b6f0d95e2e4ee7e3d11537b99eab8115 Package impersonates the Hardhat plugin ecosystem real Hardhat plugins are published under @nomicfoundation/; the referenced github.com/hardhat/...

Malicious code in chainlink-price-feed-aggregator (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 557bc05b86e81155a6305c13693641f32ca21520bac827af82b2a785f4f669d4 Package name impersonates Chainlink branding while being published by an unrelated identity author 'Web3 Developer Tools ', repo github.com/web3/...

Malicious code in @rocketreach/rr-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c1c16148ad4c13ad5d5cbfe951d9ca934a0912ab5ad75c3b4afee19be86172fa On npm install, both preinstall and postinstall lifecycle hooks execute postinstall.js, which collects host identifiers hostname, platform, arch, OS...

Malicious code in @tailwind-core/postcss (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1dab944715339b0fabcf954a92fd33faacbb4d878368c36ea5a7d26d72fe2e56 Package name @tailwind-core/postcss is a one-character-class edit of the official @tailwindcss/postcss Tailwind CSS v4 PostCSS plugin, published unde...

Malicious code in crypto-javascript (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ee2e9ca362c982e5c75ed96c626b87ca91d85fb6cb52c89c7a8def86851017b8 Package name typosquats the widely-used crypto-js library and mirrors its API surface, README, and repository references to appear legitimate...