
225802 matches found

OSSF Malicious Packages
added 2 hours ago, 6 views

Malicious code in final-shoaib (RubyGems)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis f67c342dc8bb7b3c1a396b89796f09865373db04cd9b08034e6087bf47b324ef The OpenSSF Package Analysis project identified 'final-shoaib' @ 1.0.0 rubygems as malicious. It is considered malicious because: - The package...

AI score: 5.2
Exploits: 0

OSSF Malicious Packages
added 6 hours ago, 3 views

Malicious code in @rafaelsene01/agent-flow (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a5df09db75f73bdebd523abf5b350fca006eafabadfeef16baccd7043191dc61 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 7 hours ago, 3 views

Malicious code in stackus (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0a8032b910c8971e79e7d8b0e250ce4d61fd2a2206d6b319a5aed50e32490456 On require, lib/writer.js loaded transitively from the package's main pino.js collects the installer's full process.env together with host identifier...

AI score: 5.3
Exploits: 0, References: 1

OSSF Malicious Packages
added 7 hours ago, 4 views

Malicious code in jwtmode (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b59454613cc025e514269f55b41a9da6a5da1db70e73e583bc79d97727e9528a On require'jwtmode', decode.js immediately invokes getThirdCookie, which performs an HTTP GET to https://jsonkeeper.com/b/AZ9ZF, takes the response...

AI score: 6.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 7 hours ago, 4 views

Malicious code in requests-middleware (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cfd9564690d64c44a730b088f4295c75b36e9d2fb164e2c7aa9ec2367153ada6 The package masquerades as a typosquat of the legacy request/requests HTTP library, copying that project's README, dependencies, and source files...

AI score: 5.5
Exploits: 0, References: 1

OSSF Malicious Packages
added 7 hours ago, 3 views

Malicious code in roblox-api-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 06fae89087d7a50d6397199d5fe1d5fc925c7c353e72a7f8a84e9aeca08224e6 On npm install, postinstall.js fetches http://betterminecraft.fun/nettspend.bat over plain HTTP, writes it to the OS temp directory, and executes it...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 7 hours ago, 3 views

Malicious code in intquery (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 115c6fdd6b1a49aced7caf0b51b58290e6c07980e72cd7699dd360498a6790e5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 7 hours ago, 3 views

Malicious code in oem-agentic-shared (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f612eb2fa947323c936a0bb1becc602f0f837f9023edac22a945470566386a8c [email protected] is a hollow stub: index.js exports an empty object and package.json has empty author, empty description, and no real...

AI score: 5.5
Exploits: 0, References: 1

OSSF Malicious Packages
added 7 hours ago, 3 views

Malicious code in datacamp-light (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4dbdcc4ef12aca6461f8e765976a7b2b33099a1791a7aee7e353371b7954a91c Package impersonates the DataCamp brand while shipping near-empty stub exports index.js init/helper return trivial constants. The postinstall lifecyc...

AI score: 5.3
Exploits: 0, References: 1

OSSF Malicious Packages
added 7 hours ago, 3 views

Malicious code in data-utils-bcf2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 52e6ddf4cbc1a035918a5bd136c865ff526f430db21268d75d3c90fa74196fdf The package declares a postinstall lifecycle hook "postinstall": "node run.js" in package.json that automatically executes run.js on install. run.js...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 7 hours ago, 3 views

Malicious code in stream-read-35cf (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0597f71a1c39a743a4323636794601b480a1cda0c64df20d6bafa7ed601da84e Package declares a postinstall hook "postinstall": "node run.js" that auto-executes run.js on npm install. run.js imports os, fs, http, https, and...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 8 hours ago, 3 views

Malicious code in metrics-probe-f256 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3fdf2b93d50f09ea1b087bdc33578fedec5483e75c7a9acd61355cc02f9f7ec0 Package declares a postinstall lifecycle hook "postinstall": "node run.js" in package.json that executes run.js automatically on npm install. run.js...

AI score: 5.7
Exploits: 0, References: 2

OSSF Malicious Packages
added 8 hours ago, 3 views

Malicious code in string-tools-be6c (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c725b56cc7e80c178e8d0fca3eceb069e811b979427b6ec99deab6b6f6cab8f7 Package ships a postinstall lifecycle hook node run.js that runs automatically on npm install. The executed script imports os, https, http, and...

AI score: 5.4
Exploits: 0, References: 2

OSSF Malicious Packages
added 8 hours ago, 3 views

Malicious code in fmt-helpers-794b (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 19b05306978ff506805f118049f81c74c5da1503bb34fd14a2a57d4e6faac52c Package declares a postinstall lifecycle hook "postinstall": "node run.js" in package.json that runs run.js automatically on npm install. run.js...

AI score: 5.8
Exploits: 0, References: 2

OSSF Malicious Packages
added 8 hours ago, 3 views

Malicious code in metrics-probe-88ad (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 55133df30aa5d5678607d6f0a32d8b292c4fdf876893978a6785209304434fe6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 8 hours ago, 3 views

Malicious code in color-utils-dee0 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a6d19450c3691562b0a498e497c1c6abde10e822eac4735cffc6f6513a7b471f package.json declares a postinstall hook "postinstall": "node run.js" that automatically runs run.js on npm install. run.js imports child_process, os,...

AI score: 5.5
Exploits: 0, References: 2

OSSF Malicious Packages
added 8 hours ago, 3 views

Malicious code in data-utils-d703 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware fee284139d8880599660922c960afc6566814acb8e76b0e23dab6cca599dd416 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 8 hours ago, 3 views

Malicious code in type-check-816d (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6bd3f7912317a2b9465a4c22ea948951f70aaa8c0d12f152572d43febc5667dd The package declares a postinstall hook "postinstall": "node run.js" that runs run.js automatically on npm install. run.js imports os, https, http, a...

AI score: 5.3
Exploits: 0, References: 2

OSSF Malicious Packages
added 8 hours ago, 3 views

Malicious code in @ncurran/sandbox-recon-sys-5f1b (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0f4f0ce20b0ebc74a6cc6447e493d56421999e17f0f980661c9baab280032850 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 8 hours ago, 3 views

Malicious code in @ncurran/sandbox-recon-sys-6a3f (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 608b0bb395714d269bf26dcde1f7863b0376062eb1b1707f2a7dd4dac279574b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 8 hours ago, 2 views

Malicious code in npm-sandbox-research-a1b2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bd030068356281ae499fe6af7fd86ae10cac9f77f2f3fcc4d2d9abb67750be19 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 8 hours ago, 3 views

Malicious code in @ncurran/sandbox-recon-7c4e1a (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c1184134c86ce193b3abfb06949b3ce9ba51711e8e5615405d4f2ab63aa51a89 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 8 hours ago, 3 views

Malicious code in npm-sandbox-research-f1g2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bd8a780bcd6850a1b4b810de411bf39db7f5b3f37e581a5a45d0e83215b0f339 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 8 hours ago, 3 views

Malicious code in @ncurran/sandbox-recon-uac-4e7c (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 115efe1e922669b73488b969fea50128ffb8c0b8a5ef462d6c6319feaf1ce578 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 8 hours ago, 3 views

Malicious code in @ncurran/dc-selftest-ba0ad4 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 945bb6ebb1c34a64499b626b76d65ee3241c5018390eba029b3654bef389786c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 8 hours ago, 2 views

Malicious code in @ncurran/dc-selftest-33afb7 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 66b28ace8d8604fc6ab7a05cf54cdae28480557c898231a79d71cab88eff7c3b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 8 hours ago, 3 views

Malicious code in @ncurran/sandbox-recon-sys-5b2c (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2e23f53a4a0894697fe17ba0cb492b742f0cc7c213b99b42f455d608e14410ae Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 8 hours ago, 3 views

Malicious code in @ncurran/sandbox-recon-9b2d4f (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e26a43461da776d8145183e606db9c9bdbfaa1a053e76c44ce1f78ec1364ec1f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 8 hours ago, 3 views

Malicious code in @ncurran/sandbox-recon-880538 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 1b2312abdf908648141abd660e3384044ccd92cfdfd9ba75feb382aeb49011a1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 5 views

Malicious code in vite-common-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b1d3397d754ffeb3726496769b2f159ce8596b2233b5875afa8f7fbca29ed0fd The package presents itself as a Vite utility library but its only export, loadFilbetScriptSilently, creates a element whose src is hardcoded to...

AI score: 5.5
Exploits: 0, References: 3

OSSF Malicious Packages
added yesterday, 3 views

Malicious code in uol-simple-api-futebol (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c78d7d6a66f5f57c16ee4d4d39ea4dbfd4ac5b76192de1a8da86099405848334 The package advertises itself as a scraper of UOL football schedules, but its main exported function getJogos routes through getUOLData →...

AI score: 5.4
Exploits: 0, References: 2

OSSF Malicious Packages
added yesterday, 5 views

Malicious code in ai-chat-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 39a12d35a8713a8f63eaf342901214a7f53fa396b9ee8218d246e5e0db7b6318 collect.js performs system reconnaissance and exfiltration to a hardcoded attacker-controlled host. The script imports child_process, os, fs, http, an...

AI score: 5.3
Exploits: 0, References: 3

OSSF Malicious Packages
added yesterday, 2 views

Malicious code in @hotcappuccino/nodepull (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 42e9bbd7a5cb25d0863ef140b42a7ab2abec1e921e18669eef3f07a91c3d6d99 @hotcappuccino/[email protected] ships a single index.js the package's declared main that is wrapped in an obfuscator.io string-array +...

AI score: 5.5
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 3 views

Malicious code in @array-util/nodepull (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bcafb3a6336948fd12673cfe88d505e2a036afcfb5e9ee5d4b850cf982753d9b @array-util/[email protected] ships a single 19 KB obfuscated index.js as its main entry. On require/import, the IIFE silences process error handlers vi...

AI score: 5.5
Exploits: 0, References: 3

OSSF Malicious Packages
added yesterday, 2 views

Malicious code in pino-slite (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ea546461f3101a972511a0bb9d66b73849904ad3522724d1670b003e108c11bb pino-slite impersonates the legitimate pino logger README titled 'pino-slite Pino' with badges and homepage pointing to getpino.io, exported function...

AI score: 5.4
Exploits: 0, References: 2

OSSF Malicious Packages
added yesterday, 2 views

Malicious code in set-proto-chain (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bdb11eef3afbfc268bd48a18737884246861c7ae9e6a3d29901ae1379216c633 lib/index.js contains a base64-encoded URL decoding to https://jsonkeeper.com/b/BN77K, an anonymous mutable paste host that is fetched via axios.get;...

AI score: 5.3
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 2 views

Malicious code in dotenv-sync (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 8fa0ec08d0cd452a37bf602615f61dfbbdab27d55180f1e09f53a218b18673f5 During import, package loads embedded native extension module. This library hooks on loading, spawns a new system process and likely attempts to inject the...

AI score: 5.7
Exploits: 0, References: 4

OSSF Malicious Packages
added yesterday, 3 views

Malicious code in disksweep (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 3bc79bc0cdfcad5c0e383a83f621365a84be1090e44364974ee8ec2bf1a12942 During import, package loads embedded native extension module. This library hooks on loading, spawns a new system process and likely attempts to inject the...

AI score: 5.7
Exploits: 0, References: 4

OSSF Malicious Packages
added yesterday, 2 views

Malicious code in ebpf-tracker-action (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f51f94366660f50b3ffaacedda1e956035ca8a7e5e0cadc33f2aefc20dd8a6a3 package.json declares preinstall: node index.js, which fires automatically on npm install. index.js collects hostname os.hostname, username...

AI score: 5.3
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 3 views

Malicious code in syncagents (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 ab19812d31784aada2fb7c8165db286c96871bd8645568766ffc22c070fd3bf2 During import, package loads embedded native extension module. This library hooks on loading, spawns a new system process and likely attempts to inject the...

AI score: 5.7
Exploits: 0, References: 4

OSSF Malicious Packages
added yesterday, 3 views

Malicious code in boardflow (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7a7f48df7609edb5bab9d9e572f093994d071165578a58032a69392d62b08b86 On pip install boardflow, setup.py spawns a background thread that fetches http://pooron.org/test.exe over plain HTTP into the OS temp directory and...

AI score: 6.6
Exploits: 0, References: 3

OSSF Malicious Packages
added yesterday, 5 views

Malicious code in opt-archetype-check (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6497b3f44c017bc9ba783cd75e17d4992f79542d8819558da92e152ee4d4471e On npm install, the package's postinstall hook executes node index.js, which collects the installer's public IP via api.ipify.org, hostname, username...

AI score: 5.5
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 3 views

Malicious code in pystylish (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3a6a09e52477106b9586e89c2b0207bdc51e6d22dad500b7cc12a424d684c35b On import pystylish, the package's __init__.py spawns a daemon thread that downloads a Windows executable from https://goy.mikoz.xyz/boh3.exe, writes it ...

AI score: 5.5
Exploits: 0, References: 4

OSSF Malicious Packages
added yesterday, 3 views

Malicious code in @civitatis/bot-ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e51e58cf925eb7dd4e084a2e78e22b0a0db0f1f82663101e34110258839f98f7 The package declares "preinstall": "node index.js" in package.json, causing index.js to execute automatically on npm install. index.js requires...

AI score: 5.6
Exploits: 0, References: 2

OSSF Malicious Packages
added yesterday, 3 views

Malicious code in libsc-runtime-telemetry (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 280cf690237f367f57670f695c85d84227b06c563f5f1c1c3f69d437c52cbfe4 Importing libsc-runtime-telemetry auto-invokes a bootstrap routine that schedules a periodic job collecting host identity hostname, public IP, revers...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 3 views

Malicious code in @mastra/observability (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 63af3788f9b84fab72e7db143b8001af24c070088aaab8c4de3323cdf259dd66 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 2

OSSF Malicious Packages
added yesterday, 3 views

Malicious code in @mastra/loggers (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware baad7527478be22f3cc0eafc8cb85947bc4c4cc6450463724746ee255e99644a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 3 views

Malicious code in @mastra/redis (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware eb1942fb86a972bbc2bebd8cda9776aea0a1459de141c8f69cfdf8f9404d0c3b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 3 views

Malicious code in n8n-nodes-security-test-poc (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fa97d4701c29ef5305fa5b553ab560abd6db6cc33b72f99dc11621997b668f32 Package presents as an n8n community node but is an attack artifact. The node's execute in dist/SecurityTestNode.node.js queries AWS IMDSv1/v2...

AI score: 5.3
Exploits: 0, References: 5

OSSF Malicious Packages
added yesterday, 5 views

Malicious code in lab-services (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4acaa72e3c14b79785540c878cb48f7a0cdc238d20ac9cebd6ffdd42061f6e7b On npm install, the package's preinstall lifecycle script node.js collects host identifiers from the installing machine — hostname, public IP resolve...

AI score: 5.4
Exploits: 0, References: 1

Total number of security vulnerabilities: 225802