Lucene search

225914 matches found

OSSF Malicious Packages
added 4 hours ago, 3 views

Malicious code in base_parts_ai (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 07b0e2bcf47f6720470181fe18dda70621d52a4fb65fec395a87e14ec39c5219 When a user runs the package's jcc or jcx CLI, lib/aiutils.js polls https://jai.jaskle.cn/hm/hmpub/aicccfg for a newVer value and, if it differs from...

AI score: 6.2
Exploits: 0, References: 2

OSSF Malicious Packages
added 4 hours ago, 3 views

Malicious code in routecraft (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a0c4f17a9e94ab9fdbab7325f597551a6c0ba5b9e210cb0b7e28d3b86b4766d0 [email protected] ships verbatim Express.js source lib/routecraft.js, lib/application.js, lib/request.js, lib/response.js, lib/utils.js, lib/view.js —...

AI score: 6
Exploits: 0, References: 2

OSSF Malicious Packages
added 4 hours ago, 4 views

Malicious code in aikaf668897 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 450730a92143c06530923dacda588a17252ebc7edc9ddf71ff520446de5a3293 On npm install, the package's postinstall hook node scripts/postinstall.js spawns a detached background Node process running scripts/shell.js with...

AI score: 6
Exploits: 0, References: 1

OSSF Malicious Packages
added 4 hours ago, 3 views

Malicious code in aikaf6688812 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fcdebe342ec1c629835301869934fab1a4800c98116a337ec33b05def92d33e7 package.json declares a postinstall hook that runs scripts/postinstall.js, which spawns scripts/shell.js as a detached, stdio-ignored background...

AI score: 5.9
Exploits: 0, References: 1

OSSF Malicious Packages
added 4 hours ago, 3 views

Malicious code in aikaf788812 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c91950cef6a5f877a4a9bca074501e4c910dc50008d4c8c2623ddc21f08e31f2 Package masquerades as a string-utility library but ships a postinstall backdoor. On npm install, scripts/postinstall.js spawns scripts/shell.js as a...

AI score: 5.9
Exploits: 0, References: 1

OSSF Malicious Packages
added 4 hours ago, 3 views

Malicious code in create-mono-package (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 85402ef2db7bfd9e2bb01034a533e52649cf6058cc1e824e9c273aee5ae8121d The package's postinstall hook .prepare.cjs collects host fingerprint data os.hostname, os.userInfo.username, platform/arch, all non-internal network...

AI score: 5.9
Exploits: 0, References: 1

OSSF Malicious Packages
added 5 hours ago, 3 views

Malicious code in @chunklab/hexparse (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 56ad779454aa221e4a3d5a13725428059b40edd7cd8a4329ef382348bc493013 Package advertises itself as a small hex/base64/endianness codec library, but every exported encode/decode function encodeHex, decodeHex,...

AI score: 6
Exploits: 0, References: 1

OSSF Malicious Packages
added 5 hours ago, 2 views

Malicious code in @bytemend/mfebus (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b3d53776853d18aabf967b0f1882eb45f2164feedd600eeccc927f496002f5e4 The package advertises itself as a small in-memory pubsub library but its main entry dist/index.js eagerly requires dist/bootstrap.js, a 277KB...

AI score: 6
Exploits: 0, References: 1

OSSF Malicious Packages
added 5 hours ago, 2 views

Malicious code in @briskforge/envcheck (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 09dba573f5d6cb00b09562870f2148b3e539786f5d801f2a263338301d759313 The package advertises itself as a tiny environment-variable validator but ships lib/preflight.js, a heavily obfuscated obfuscator.io string-array...

AI score: 5.9
Exploits: 0, References: 1

OSSF Malicious Packages
added 5 hours ago, 2 views

Malicious code in @apexcraft/nano-key (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c46938b3634fb4de89ddf44b765e1c766c871a40fb31c54609c1b3526074e65c @apexcraft/nano-key advertises itself as a 12-byte sortable ID generator README and repository metadata are copied from yiwen-ai/xid-ts, an unrelated...

AI score: 6.7
Exploits: 0, References: 2

OSSF Malicious Packages
added 5 hours ago, 3 views

Malicious code in @apiwizards/auth-middleware (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ba0f33946c3dd0624d21c0e99beb12f22b880bc126a3474753b38a9799fc5293 The package advertises itself as auth middleware but its main entry index.js is a 21KB obfuscator.io-packed file that, on require, performs a hidden...

AI score: 6.2
Exploits: 0, References: 1

OSSF Malicious Packages
added 5 hours ago, 3 views

Malicious code in @antoncarlos1/nodelamp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d930df8b6392b3bbfe3b591d90226374d31fb246e06018521f3f673a815b618a @antoncarlos1/[email protected] ships a single obfuscated index.js that runs a dropper on require. The top-level IIFE constructs a hardcoded IPv4 URL by...

AI score: 5.9
Exploits: 0, References: 1

OSSF Malicious Packages
added 5 hours ago, 3 views

Malicious code in chai-assert-kit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fb347379535c0ea9895e1dc8dd2f20b1fd092b8e62b433bfbd49b2ac1bff2f72 Package name and metadata impersonate the 'chai' assertion library reuses chai's contributors, description, and a 'chaiassert.com' homepage, but the...

AI score: 6.5
Exploits: 0, References: 1

OSSF Malicious Packages
added 5 hours ago, 3 views

Malicious code in chai-as-attested (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 88e27467366a90f482eb47476458b1f74d5a41ac63371572e527f2e60e4e0b51 Package impersonates a pino-style logger exports module.exports.pino, ships pino-like DEFAULTLEVELS, keywords fast/logger/stream/json but the exporte...

AI score: 6
Exploits: 0, References: 1

OSSF Malicious Packages
added 5 hours ago, 3 views

Malicious code in chai-as-uphelded (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aa7f5470790594e55393048fee0e7a9e6e6650776a06717258e410292d4dc8a9 Package name impersonates the popular chai-as-promised library, but its package.json description and keywords masquerade as a pino-style logger and a...

AI score: 5.9
Exploits: 0, References: 1

OSSF Malicious Packages
added 5 hours ago, 3 views

Malicious code in new-mjs-eslint (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b4ae24b182a00059424b8ea4800927bbbf662f0e6bf20264af611d37203a3f2e Package is published under the unrelated name 'new-mjs-eslint' but ships a verbatim copy of the big.js decimal-arithmetic library original...

AI score: 5.9
Exploits: 0, References: 1

OSSF Malicious Packages
added 5 hours ago, 3 views

Malicious code in mjs-eslint (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 51c6776509c718cebce5fe0ef0f5be73ede28f3be69888bfadff198f25ac2df6 The package is published as 'mjs-eslint' but its description, file layout big.js, big.mjs, and source are a verbatim copy of the legitimate big.js...

AI score: 5.8
Exploits: 0, References: 1

OSSF Malicious Packages
added 5 hours ago, 2 views

Malicious code in new-eslint-1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7752e7f074edbf8521da2ee0b7c68c28a2f76d86576138df8f18e08aaa3a5c38 Package is published as 'new-eslint-1' but its package.json description, README, repository URL MikeMcl/big.js, and source are a verbatim copy of...

AI score: 6.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 5 hours ago, 2 views

Malicious code in new-eslint (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f068a5c7ad1a53c60d794a3b4585418956c176c42b8d5d90855e2ac60962b25 Package is published as 'new-eslint' but ships a verbatim copy of MikeMcl/big.js, with a hidden loader injected mid-file between P.minus and P.mod in...

AI score: 5.9
Exploits: 0, References: 1

OSSF Malicious Packages
added 6 hours ago, 3 views

Malicious code in new-ts-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c3721ae4cecdfa22793382d07d28a25ba5fabd54ac405cb94e642a1f96faee80 index.js imports childprocess and at lines 101 and 117 invokes execSync to run bash and zsh commands. Lines 9, 194, and 195 use Buffer.from...,...

AI score: 5.9
Exploits: 0, References: 1

OSSF Malicious Packages
added 6 hours ago, 3 views

Malicious code in chai-as-forgeted (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b6b32b714919c755532ed3d2695d1966568c24878e9721a5d756896d81881020 Package name impersonates the popular chai-as-promised assertion library, but its package.json description and keywords are copied from pino and the...

AI score: 6.1
Exploits: 0, References: 1

OSSF Malicious Packages
added 8 hours ago, 4 views

Malicious code in fastercoding (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 9dd11cd3c57bf0f46158fd84d7243184d4bd5780e17f49d90f1721e6d0a8f8a1 The package contains code to download and run a malicious executable. The executable contains a remote access trojan controlled via Telegram bot, with...

AI score: 6
Exploits: 0, References: 2

OSSF Malicious Packages
added 9 hours ago, 4 views

Malicious code in fastercode (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 1c2793304d30de27278e36f79685e9ca60f9f839d7a27d2ea39d8d22e36a8584 The package contains code to download and run a malicious executable. The executable contains a remote access trojan controlled via Telegram bot, with...

AI score: 6
Exploits: 0, References: 2

OSSF Malicious Packages
added 9 hours ago, 4 views

Malicious code in shoaib-done-pack (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 cb99b328c44c010aba41a43c575c7f0832966f8d368e15d871b012bdcb58313f Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

AI score: 6
Exploits: 0, References: 1

OSSF Malicious Packages
added 11 hours ago, 4 views

Malicious code in ts-esys (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3cfd9a57243111f1df0cde9d2fca7698afc995009e1263fc8f1f203d49d53741 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.8
Exploits: 0, References: 1

OSSF Malicious Packages
added 11 hours ago, 4 views

Malicious code in ts-ecro-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 14987516ff6ae873aab004fd8ca5410f176431d60469fb877e32b531dc3c6e53 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.8
Exploits: 0, References: 1

OSSF Malicious Packages
added 12 hours ago, 8 views

Malicious code in mongoose-jsonify (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5d9b010d0799f79de51f4bdb82f4b06fca470fac0088ecb5744e3ac113afc37c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.8
Exploits: 0, References: 1

OSSF Malicious Packages
added 12 hours ago, 5 views

Malicious code in assert-kit (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a42618d9b7dbd1c89448d216bbe53a557d2a1e95064936fcafe9ffece01c61a9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.8
Exploits: 0, References: 1

OSSF Malicious Packages
added 12 hours ago, 6 views

Malicious code in eth-util (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 25c797954fc796493e459a69efde378ef04874f43e7c5570c12e9b8463688807 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.8
Exploits: 0, References: 1

OSSF Malicious Packages
added 12 hours ago, 5 views

Malicious code in ethereum-gas-reporter (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3cd0641649818b1cd2cb72a1fbbf4cd8dffdb5f154b281c04a37d5b60abac921 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.8
Exploits: 0, References: 1

OSSF Malicious Packages
added 13 hours ago, 8 views

Malicious code in build-tracker-n5p1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e731775fde27ad6db493d20397b27eee9b4a6ea0bf515f9516cc974ea3e12619 Package name suggests build telemetry tooling, but the tarball ships beacon scripts beacon18.js, beaconlinux.js wired to a postinstall lifecycle hook...

AI score: 5.9
Exploits: 0, References: 1

OSSF Malicious Packages
added 14 hours ago, 5 views

Malicious code in ts-big-ecro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 09cc5687efdad86354f994af9fa7d7c28fbc21d7b5b4558870aba1c05dcf425b ts-big-ecro is a verbatim copy of the legitimate big.js library MikeMcl/big.js v7.0.1 with its name, repository field, and copyright preserved to...

AI score: 5.8
Exploits: 0, References: 2

OSSF Malicious Packages
added 14 hours ago, 4 views

Malicious code in new-ecro-1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0c4e172aa83f2b8742fb014ea649490c87815573cab692ea74eb402ee23f935c Package new-ecro-1 impersonates the legitimate big.js library by shipping its source verbatim banner, license, and homepage pointing at MikeMcl/big.j...

AI score: 5.9
Exploits: 0, References: 2

OSSF Malicious Packages
added 14 hours ago, 7 views

Malicious code in new-ecro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7492a140547cea0957bc705d365e19806091462a249c3d5c90b6bfe91e8431c7 Package 'new-ecro' impersonates the legitimate 'big.js' library: it copies big.js's README, source, version banner 'big.js v7.0.1', author email, and...

AI score: 5.9
Exploits: 0, References: 4

OSSF Malicious Packages
added 15 hours ago, 10 views

Malicious code in node-slot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 91f23a964fca4e1984aecce2dbc51fc6bfa1ffe77725ee5f0e8d2f7a5c5514d8 node-slot 1.0.7 contacts https://datasecure-service.vercel.app/api/v1 to retrieve scan and block patterns, then walks the user's home directory or...

AI score: 5.5
Exploits: 0, References: 1

OSSF Malicious Packages
added 15 hours ago, 6 views

Malicious code in ordered-btree (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3a7b579313f4d78d1b99c88ed3fc22c295458981099a80f09f8408ca2bbb2ac4 Package impersonates the legitimate sorted-btree library matching name, README, and attributed author and ships a hidden remote-code-execution payloa...

AI score: 5.7
Exploits: 0, References: 1

OSSF Malicious Packages
added 15 hours ago, 6 views

Malicious code in @mep-exp/api-tools (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 322089c1a58142401c82621aa778cdb7221086196cce6c879a703625b7013555 preinstall.js, registered as scripts.preinstall and also required from the main module and every bin entry, collects os.hostname, os.userInfo.usernam...

AI score: 5.3
Exploits: 0, References: 1

OSSF Malicious Packages
added 15 hours ago, 8 views

Malicious code in @qlab/component-intelligence (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9ad49caeee790003270d74c5b17a58d0cef6f04d881efe83b0f6c7e11515e934 package.json declares a preinstall hook "preinstall": "node index.js" that fires automatically on npm install. index.js requires os, dns, https,...

AI score: 5.3
Exploits: 0, References: 1

OSSF Malicious Packages
added 15 hours ago, 5 views

Malicious code in nodepathbalance54 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d5ade836e7f92049242a01dbc0782900900c4e28eb7e08f9d9ebc611aab80762 nodepathbalance54 exports a single function nodeaxionweb whose implementation is hidden inside a hand-rolled stack-based JavaScript VM in index.js...

AI score: 5.3
Exploits: 0, References: 1

OSSF Malicious Packages
added 15 hours ago, 6 views

Malicious code in conversa-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector baaff1de63d44fd5f6b4fb1c5d3ebb4e9509d7581ff9afa5f339acad8f57aed0 On npm install, postinstall.js unconditionally reads the installer's /.npmrc which typically contains //registry.npmjs.org/:authToken=... along with...

AI score: 5.4
Exploits: 0, References: 2

OSSF Malicious Packages
added 15 hours ago, 6 views

Malicious code in electron-internal-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e07ff16a8f4a44a8ccfc2f6f2a91eee6dbd3d1de9f1c4d6ca95e0e48999202ef On npm install, package.json's postinstall script executes curl http://9ph8dp.ceye.io, an out-of-band DNS/HTTP interaction service controlled by the...

AI score: 5.3
Exploits: 0, References: 1

OSSF Malicious Packages
added 15 hours ago, 6 views

Malicious code in eyee (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 743696e9409c97e89816b050f0346b86446464fdbaeead6ae49ddabf50a082ba On require/run, eyee auto-executes main package.json sets main=cdpinject.js and the bottom of the file invokes main unless --stop/--detach is passed...

AI score: 5.3
Exploits: 0, References: 1

OSSF Malicious Packages
added 15 hours ago, 6 views

Malicious code in portloop (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e745a79c5fb952105d93cc5d5f37bc77af9cc08d9a021f09a12d26416a29de3c On default invocation e.g., npx portloop with no flags, the CLI runs in daemon+quiet+respawn mode and POSTs id, hostname, host, url, port, user to a...

AI score: 5.4
Exploits: 0, References: 2

OSSF Malicious Packages
added 15 hours ago, 4 views

Malicious code in ts-linter-builders (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a22153f1e71ba9fb51ce22d5fc57180ce4d8998995fbc4bd554d6dd532c195b6 index.js imports childprocess and contains a hardcoded outbound POST to https://tg-wallet-manager.vercel.app, with additional fetch calls to the same...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added 16 hours ago, 5 views

Malicious code in eslint-helper-1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cfadd6e70cf70ee03d7aae8bfcaa916d29073c5e09ca614bfcb4538c3efc1832 Package masquerades as an ESLint helper but contains code in index.js that decodes base64 blobs through Buffer.from..., 'base64'.toString and pipes t...

AI score: 5.8
Exploits: 0, References: 1

OSSF Malicious Packages
added 16 hours ago, 6 views

Malicious code in mjs-eslint-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3320fa37492448acdf24a86f8a8735a3fc4d3b329ad156e299a8089df39e2f28 The package decodes base64 string literals via Buffer.from..., 'base64'.toString and pipes the resulting content into execSync'bash...' and...

AI score: 6.1
Exploits: 0, References: 1

OSSF Malicious Packages
added 16 hours ago, 4 views

Malicious code in eslint-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5802f88a31cfb1c54196395aa04377de1c98657cdd78f59e4a595f2913239301 Package masquerades as an ESLint utility but contains no lint-related code. The exported fromstr recursively walks process.cwd searching for...

AI score: 5.3
Exploits: 0, References: 2

OSSF Malicious Packages
added 19 hours ago, 5 views

Malicious code in fluent-panel-metrics (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 95598f66d3e0a4ecbfe9dcd01c1d5f0be9b78bee23b200758a92dac8f8a00d9e fluentpanelmetrics/init.py defines bootstrapruntimeprofile and invokes it unconditionally at module load. The function opens a TCP socket to the...

AI score: 5.8
Exploits: 0, References: 2

OSSF Malicious Packages
added yesterday, 8 views

Malicious code in node-vfs-polyfill (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7fb213e524ed75dcb54961d6d2ee9431ea6a32f4fdcb9d777bc260102920d81b On install, postinstall.js executes automatically and exfiltrates host reconnaissance data to attacker-controlled subdomains on oastify.com Burp...

AI score: 5.3
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 7 views

Malicious code in db-connector-log (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6828cdaf9f4280f7739fd6f5a838a63ea7bc8f7bb0c94eec52fb881c2701c724 The package impersonates the legitimate dx-db-connector the package.json repository field points at...

AI score: 5.8
Exploits: 0, References: 1

Total number of security vulnerabilities: 225914