225867 matches found
Malicious code in fluent-panel-metrics (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 5070e6c32009ce1bb1f2f499ab4e0012123e7aeed52828d107825ecdacd6d678 During import, the package starts a reverse shell. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...
Malicious code in node-vfs-polyfill (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7fb213e524ed75dcb54961d6d2ee9431ea6a32f4fdcb9d777bc260102920d81b On install, postinstall.js executes automatically and exfiltrates host reconnaissance data to attacker-controlled subdomains on oastify.com Burp...
Malicious code in db-connector-log (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6828cdaf9f4280f7739fd6f5a838a63ea7bc8f7bb0c94eec52fb881c2701c724 The package impersonates the legitimate dx-db-connector the package.json repository field points at...
Malicious code in runtime-query (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 95ac68a991ebaacd1aef772aa462ad53510471f9f4439659a6e685e877aa460e On require, index.js lines 70-77 fetches JSON from https://jsonkeeper.com/b/CI3HT, extracts the .cookie field from the response, and passes it to new...
Malicious code in clx-cookie-signature (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9e0e91601d276764067b1b209efd17a1f59ef03ff4fc814bcb22c495f4a0f9b3 Package impersonates the popular cookie-signature library copying its README, author field 'TJ Holowaychuk ', and sign/unsign API, but index.js adds ...
Malicious code in @httpactions/strict-uri-encode (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b90fd30f5d52b139ea7be77aa1782a5339f39355ec7ad532af2fa7a49616ff88 @httpactions/strict-uri-encode impersonates the popular unscoped npm package 'strict-uri-encode' 30M weekly downloads by republishing the same name...
Malicious code in @httpactions/encode-url (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2e52b15ad9413185c30f84ad7e11e031c74c359e04f5c30ce502b8bc73267d8e The package ships a single heavily obfuscated index.js that performs no URL-encoding work despite the package name. On require of the declared main,...
Malicious code in randpicker (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 378d07b700aa25d356594d7b1c42db107def3dbd1cce734e4c1c50b411048eb6 When calling the Email function, the code creates a backdoor script and attempts to achieve persistence. The script connects to a Telegram bot and awaits...
Malicious code in @gbrlxvi/ts-project-lint (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 09e070ea98f9c48e77b964b3dacd4d3e7cbd82cf896fc6140ec4c390438debc8 The package's main module index.js (also loaded indirectly by bin/cli.js) reads a hidden binary file lib/.perf.dat, AES-256-CBC-decrypts it with a...
Malicious code in react-error-lint (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a084c9e71eac856bf1a1fec025773cc561f9f6677c187d60e055b89c73d846b9 Package name and README impersonate the popular react-error-boundary library advertising an ErrorBoundary export, citing bvaughn and kentcdodds.com,...
Malicious code in ratelimitsucks (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 44ed99ce54c3f8b6fa4f1bfa207a593bbf0d441c9eeee7d29dbc991098f8e12f Package is not a library. main points at sw.js, a browser Service Worker that uses importScripts, self.addEventListener('fetch'|'install'|'activate'),...
Malicious code in ratelimitsucks6 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c9f1a5d26cc0e6845ca6fae686a98462270a61b1d97d9ceb834f5046808ffdd0 ratelimitsucks6 is one variant in a numerically-iterated family ratelimitsucks1, ratelimitsucks2,... generated by auto-publish.sh shipped inside the...
Malicious code in abuden22 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1c6b2d1b9158b6a3652850cdee84fd448567fc6d8187e685ee0b85eb8d594f57 The tarball contains a static-site bundle index.html, obfuscated asset chunks, service worker sw.js, and the MercuryWorkshop/Scramjet web-proxy bundl...
Malicious code in abuden221 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fbd19b84f2238fb96214c792d294b1ac0e114103c238ddf040a7960377d78f90 The tarball is a static-site / web-proxy build index.html, /assets/.js bundles with obfuscated names, a.well-known/discord verification file, brandin...
Malicious code in abuden218 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5215a61abda9d84fd39b739be57d465fddcf6561219deddfe212538607de0c66 Package is published under a deceptive identity. package.json declares main=sw.js, but sw.js is a service-worker entry importScripts that throws when...
Malicious code in panrouter-admin (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 390c706978c9207807a0aeb4b1e3dfc500847828c23f5ffb06a14171ca8e51e6 panrouter-admin ships relayclient.cjs, which connects to a hardcoded WebSocket endpoint at wss://jiuling.xyz/ws, registers the host with an identity ...
Malicious code in panrouter (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9fd8aaf176011a764d660ee547645c34815e959d39087519cd187c1ac1af2d53 panrouter is advertised as a 'Claude Code router' but on default invocation (panrouter with no arguments) it (a) installs and rewrites the user's Claude...
Malicious code in @onum-releases/utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 887866a4734ebf64a639f9d2512cd400085469ec7fa06aba5f1bbe340b2688b8 On require('@onum-releases/utils'), index.js reads os.hostname and issues an HTTP GET to 'utils..200majoeu01dk02xnjdajro1isojc90y.oastify.com', leaking...
Malicious code in @onum-releases/shared-components (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c110ed26ad413cb298fa3f2ce6d435eda5521dfc4113ea5520478030ce063e74 On require/import, index.js reads os.hostname and issues an HTTP GET to...
Malicious code in @onum-releases/ixel (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 188c65369497c00333fc54291c970071044f3237a255387903a707cfd2711599 On import, index.js reads os.hostname and issues an HTTPS GET to ixel..200majoeu01dk02xnjdajro1isojc90y.oastify.com/ixel oastify.com is Burp Suite's...
Malicious code in @onum-releases/sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cae207a349e4bda9359f4981d60ec81d9492cd8624535ee01b44c8f3bf3b3208 On import, index.js reads the installer's machine hostname via os.hostname, embeds it as a subdomain of a hardcoded .oastify.com Burp Collaborator...
Malicious code in @onum-releases/auth (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 22d4bde1772d506f812e112fb8d6bfbf6a6f187dd823640f2cf15811f0d0633a On require('@onum-releases/auth'), index.js reads os.hostname and issues an HTTP GET to auth..200majoeu01dk02xnjdajro1isojc90y.oastify.com, transmittin...
Malicious code in @onum-releases/api-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 07908d7f0abe458955357ed6814b46c090c70e1b3d34be4dd1a5c02d2507127d On require, index.js reads os.hostname, embeds it as a subdomain label under a Burp Collaborator oastify.com host, and issues an https.get to that ho...
Malicious code in @caspianph/storyteller (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3bd24daaa395f2e6bfae7c6e6f488a6e114b87e2606ec1bce7dcd4ab6a92f40a The package ships setup.cjs containing heavily obfuscated JavaScript with hex-mangled identifiers 0x32549a, 0x4b2b44, 0x78c349, 0x119ac2 typical of...
Malicious code in computerrock-babel-preset-react-app (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8987a1638ceebfb3dc8c8fc29e8e696fa15c6fe667697dfc367f59bf56b14cfa The package impersonates the well-known babel-preset-react-app under a fake org-style prefix and ships no Babel preset code. package.json declares...
Malicious code in metavu (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fc05e6833390f96b1a53f5d1612e613436e5002673da2f7a8c1e8e9f9f41c525 package.json declares preinstall: node index.js, which fires automatically on npm install. index.js collects hostname, platform, architecture, home...
Malicious code in parket-helper (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 06da7444904a584b820efa9d1b6b7c8058d4f6f7495c344e354748992366e737 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in final-poc-usa (RubyGems)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 6cc39e355e69ec11b0532da1e2b2a418601a4c5594b100ba6f054f0e52be44be The OpenSSF Package Analysis project identified 'final-poc-usa' @ 0.99800.0 rubygems as malicious. It is considered malicious because: - The...
Malicious code in final-shoaib (RubyGems)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis f67c342dc8bb7b3c1a396b89796f09865373db04cd9b08034e6087bf47b324ef The OpenSSF Package Analysis project identified 'final-shoaib' @ 1.0.0 rubygems as malicious. It is considered malicious because: - The package...
Malicious code in @rafaelsene01/agent-flow (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a5df09db75f73bdebd523abf5b350fca006eafabadfeef16baccd7043191dc61 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in stackus (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0a8032b910c8971e79e7d8b0e250ce4d61fd2a2206d6b319a5aed50e32490456 On require, lib/writer.js (loaded transitively from the package's main pino.js) collects the installer's full process.env together with host identifier...
Malicious code in jwtmode (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b59454613cc025e514269f55b41a9da6a5da1db70e73e583bc79d97727e9528a On require('jwtmode'), decode.js immediately invokes getThirdCookie, which performs an HTTP GET to https://jsonkeeper.com/b/AZ9ZF, takes the response...
Malicious code in requests-middleware (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cfd9564690d64c44a730b088f4295c75b36e9d2fb164e2c7aa9ec2367153ada6 The package masquerades as a typosquat of the legacy request/requests HTTP library, copying that project's README, dependencies, and source files...
Malicious code in roblox-api-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 06fae89087d7a50d6397199d5fe1d5fc925c7c353e72a7f8a84e9aeca08224e6 On npm install, postinstall.js fetches http://betterminecraft.fun/nettspend.bat over plain HTTP, writes it to the OS temp directory, and executes it...
Malicious code in intquery (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 115c6fdd6b1a49aced7caf0b51b58290e6c07980e72cd7699dd360498a6790e5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in oem-agentic-shared (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f612eb2fa947323c936a0bb1becc602f0f837f9023edac22a945470566386a8c [email protected] is a hollow stub: index.js exports an empty object and package.json has empty author, empty description, and no real...
Malicious code in datacamp-light (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4dbdcc4ef12aca6461f8e765976a7b2b33099a1791a7aee7e353371b7954a91c Package impersonates the DataCamp brand while shipping near-empty stub exports index.js init/helper return trivial constants. The postinstall lifecyc...
Malicious code in data-utils-bcf2 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 52e6ddf4cbc1a035918a5bd136c865ff526f430db21268d75d3c90fa74196fdf The package declares a postinstall lifecycle hook "postinstall": "node run.js" in package.json that automatically executes run.js on install. run.js...
Malicious code in stream-read-35cf (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0597f71a1c39a743a4323636794601b480a1cda0c64df20d6bafa7ed601da84e Package declares a postinstall hook "postinstall": "node run.js" that auto-executes run.js on npm install. run.js imports os, fs, http, https, and...
Malicious code in color-utils-dee0 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a6d19450c3691562b0a498e497c1c6abde10e822eac4735cffc6f6513a7b471f package.json declares a postinstall hook "postinstall": "node run.js" that automatically runs run.js on npm install. run.js imports childprocess, os,...
Malicious code in data-utils-d703 (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware fee284139d8880599660922c960afc6566814acb8e76b0e23dab6cca599dd416 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in metrics-probe-88ad (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 55133df30aa5d5678607d6f0a32d8b292c4fdf876893978a6785209304434fe6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in fmt-helpers-794b (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 19b05306978ff506805f118049f81c74c5da1503bb34fd14a2a57d4e6faac52c Package declares a postinstall lifecycle hook "postinstall": "node run.js" in package.json that runs run.js automatically on npm install. run.js...
Malicious code in type-check-816d (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6bd3f7912317a2b9465a4c22ea948951f70aaa8c0d12f152572d43febc5667dd The package declares a postinstall hook "postinstall": "node run.js" that runs run.js automatically on npm install. run.js imports os, https, http, a...
Malicious code in metrics-probe-f256 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3fdf2b93d50f09ea1b087bdc33578fedec5483e75c7a9acd61355cc02f9f7ec0 Package declares a postinstall lifecycle hook "postinstall": "node run.js" in package.json that executes run.js automatically on npm install. run.js...
Malicious code in string-tools-be6c (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c725b56cc7e80c178e8d0fca3eceb069e811b979427b6ec99deab6b6f6cab8f7 Package ships a postinstall lifecycle hook node run.js that runs automatically on npm install. The executed script imports os, https, http, and...
Malicious code in @ncurran/sandbox-recon-7c4e1a (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c1184134c86ce193b3abfb06949b3ce9ba51711e8e5615405d4f2ab63aa51a89 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @ncurran/sandbox-recon-uac-4e7c (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 115efe1e922669b73488b969fea50128ffb8c0b8a5ef462d6c6319feaf1ce578 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @ncurran/sandbox-recon-880538 (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 1b2312abdf908648141abd660e3384044ccd92cfdfd9ba75feb382aeb49011a1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @ncurran/sandbox-recon-sys-5b2c (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2e23f53a4a0894697fe17ba0cb492b742f0cc7c213b99b42f455d608e14410ae Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...