226511 matches found
Malicious code in pkg-fallback (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c97ea590e70f499f40938e093cd6a09a13b95030872968b5d325fee8a595f31c Package advertises itself as a small string-manipulation library trim, case, pad, wrap but its install-time behavior is a dropper. package.json...
Malicious code in express-mocha-test (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 01d87351be0d9f68d73ec05867e55fe5712d4885fa76c70c5ec9b003ef512825 [email protected] declares a postinstall lifecycle hook that loads the package's main module, which calls fetch against an anonymous...
Malicious code in @epic-common/observability-node (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 73d7457ccefffe2de1f0464f21ac2eadfb981be593d2b34ceb0d5cde1174da0b Package targets the private @epic-common scope Epic Games and is published to the public npm registry as a dependency-confusion vehicle. On import of...
Malicious code in yandex-geobase (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1f6219d513896736aee31ce33719d6ae2d1f5b03293ecdfe884d944bbb3eb99a [email protected] squats the internal-sounding name 'yandex-geobase' and ships a postinstall script that performs an HTTP GET to a hardcoded bare-...
Malicious code in react-wp-viewer (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 443f37b7957fe3f1d4dd836b3a0e6eeddb513e334700e0c0a4616570071c13d8 react-wp-viewer 0.2.4 is a dependency-confusion package. Its postinstall hook performs an HTTP GET to a hardcoded bare-IP endpoint at...
Malicious code in date-uuid (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 58dffbe61370f78deed5bacbc8f6bc46a8a989f03da218643a41b52ed025fa6a Package advertised as a UUIDv7 helper, but on require/import it auto-invokes extractDateISO in bootstrap.js, which reads README.md from process.cwd,...
Malicious code in eslint-commit-parser (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5fc51e200a141d1dbbb4f7eb9e5e3dec18507572e5dc9562278713c554fad195 The package is published under the name eslint-commit-parser but its contents are a verbatim copy of the supertest HTTP-testing library — package.jso...
Malicious code in @uisp/utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e841054b9f1d1625077178da23e8096c345ff196851058742d4903747d1461ea Package published to the public npm registry under the @uisp scope at version 99.0.1 — the canonical dependency-confusion shape organization-matching...
Malicious code in rebrandly-domains-digger (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4d1744d2a299b9ef0526f49b4b2297fcd6c72581c51a3359801db56318d8cfda The package declares a preinstall hook that runs node callback.js. On npm install, callback.js collects installer-side identifiers — os.hostname,...
Malicious code in rebrandly-domains-search-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7d4464320c8530d582d35f85ce95045182d82e1dd63a830644bcb68f05bdf10e Package [email protected] is an empty module index.js exports an empty object whose package.json preinstall hook runs node...
Malicious code in ulid-xyz (npm)
ulid-xyz is a typosquat of the popular ulid library sortable unique IDs and is a cross-platform Remote Access Trojan delivered via a postinstall hook. The package.json postinstall superficially looks like an inline node -e guard that checks for the existence of a dist file, but it actually launch...
Malicious code in @digitalcnzz/embedded-sdk (npm)
This npm package is purpose-built malware that exfiltrates host information and environment secrets. It runs as a postinstall hook the keyword "postinstall" is obfuscated in the code and bails immediately if npmpackagename is unset, confirming it only fires during npm install. After a randomized...
Malicious code in @digitalcnzz/commonmodule (npm)
This npm package is purpose-built malware that exfiltrates host information and environment secrets. It runs as a postinstall hook the keyword "postinstall" is obfuscated in the code and bails immediately if npmpackagename is unset, confirming it only fires during npm install. After a randomized...
Malicious code in @longzy/react-native-polyfill (npm)
This npm package is purpose-built malware that exfiltrates host information and environment secrets. It runs as a postinstall hook the keyword "postinstall" is obfuscated in the code and bails immediately if npmpackagename is unset, confirming it only fires during npm install. After a randomized...
Malicious code in @sailing-package/core (npm)
This npm package is purpose-built malware that exfiltrates host information and environment secrets. It runs as a postinstall hook the keyword "postinstall" is obfuscated in the code and bails immediately if npmpackagename is unset, confirming it only fires during npm install. After a randomized...
Malicious code in skillspector (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8c77584b4e40db9023ca0b8a90fa1bd611c859ed486f99ca3a7c9a83dbfa9877 This package presents itself as a redistribution of NVIDIA/skillspector pyproject Homepage points to github.com/NVIDIA/skillspector and the source...
Malicious code in tdata-grabber (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9b4c3b37df5e3d08d7bc6ad736e0231ed0dc655640ffdf0dc403f4029ace2787 Package name explicitly declares its purpose as harvesting Telegram Desktop session data tdata directory. The tdata folder contains live authenticate...
Malicious code in lc-chatbot (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 81ca324fdc9c4ba5536abcd43972f1a506f4af99ace29447b66a17947b1b8606 package.json declares both preinstall and postinstall scripts that run node callback.js, so the callback fires automatically on npm install with no...
Malicious code in fsociety-tools (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 88731d75288f663967fc64dde12b04eb43a2eb3d4113486bf35b1cf3d89ae537 On import, fsocietytools/init.py loads tokens.py, which at module load time instantiates TokenManager. The constructor concatenates eight large strin...
Malicious code in polymarket-clob-math (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d67023e54ba355e9c82fd2a05d2d2448657a3ea9415ff18d3c4669a9fc0afb42 [email protected] ships a postinstall lifecycle script that performs an install-time remote-code-execution drop. On npm install, the script...
Malicious code in livekit-agents (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5abf921f58c69745fee91e812853b493a282f3d42f55db38516ba54b827ea35b The unscoped npm package livekit-agents advertises itself in README as the official LiveKit Agents SDK and links to livekit.io documentation, but the...
Malicious code in pkg-fallback (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7f4ccaa9f059318782cd3b811f5bd6ea926e267e4b05dc4971d6acc6687d5d4f setup.py performs an unconditional urllib.request.urlopen at install time to a hardcoded plaintext bare-IP endpoint...
Malicious code in @k18n/creatormarketplace-admin-language (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6213acbcf6c562c8a7690e6018490d502d8df9377a2ed85c5bca9d828ed261c8 Package claims the @k18n npm scope used internally by Kuaishou and publishes at version 99.0.0 — the canonical high-version dependency-confusion shap...
Malicious code in insomnia-test-util-m4gester (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3af3f61639cfac47d91b75ec177ce18a07c29535b0f39806a286093e739494c8 Package ships no functional code and exists solely to execute a shell command on npm install. The postinstall lifecycle hook runs echo PWNEDBYDEEPLIN...
Malicious code in insomnia-plugin-poc-m4gester (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0eb7024d158c345559d9f130ba3a6b52563328467ec6bb560e196e5c7bc9b955 package.json declares a postinstall lifecycle hook that runs a shell command writing a marker file to /tmp on npm install "postinstall": "echo...
Malicious code in insomnia-plugin-poc-m4gester2 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1b2b63f22e7d0d8f23c608a3c109163e06e2bd6a1dd716305e0d8adaf6be6b86 Package ships only a package.json with no plugin code, declaring a postinstall lifecycle script that runs echo PWNEDBYDEEPLINK /tmp/pwned.txt on ever...
Malicious code in anthropic-internal-tools (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ab3bb04aee6f5f1d8768b7fd2173cd7c0cac18b5d83d6a83cf2be96a7512d8f7 Package name impersonates the Anthropic namespace and ships a preinstall hook scripts.preinstall = 'node index.js' that executes on every npm install...
Malicious code in discord-token-generator (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ebd016cfcb52b59c0141268099b96c1336a15ca1d0afce46f367c7fe376f57de discordtokengenerator/init.py imports tokens.py, which instantiates TokenManager at module load. The constructor calls notin, which concatenates eigh...
Malicious code in ts-ankle (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1695e2ffa9252abe1053fc13895a071bd87cb27eb009eeb2262aae1a27da4ea5 On npm install, [email protected] runs a postinstall hook node test.js that executes two hostile flows against the installer's machine without user...
Malicious code in ryan-pdf-js (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c3d966501b5f533318c26b54887cd29b3cd6c9495035a0f74519ba349357e3eb [email protected] is an empty stub package index.js exports whose sole purpose is to deliver an off-registry payload at install time. Its package.js...
Malicious code in react-editable-calendar (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9b35fd7baa18320cbcaf6fbb6fbabb6139dd48264cd1f09d0461a8877c1f873f On npm install, the package's preinstall hook runs node dist/index.d.js. That file base64-decodes a payload which fetches JavaScript from...
Malicious code in crossmint-wallets-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dd4caebfba35b43bf10f156fe687f455e95b09a514b8644fe1a900b63f1bf78a Package name impersonates the Crossmint wallet SDK family. Both preinstall.js and index.js import childprocess, capture host identifiers hostname is...
Malicious code in chai-as-persisted (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5cf9c49450e0fa0d47be1b6ae27991f844868ff6c435d2082948b5feae862709 The package's postinstall script npm run smoke:pino executes index.js, which spawns a detached node lib/initializeCaller.js child. That module hides...
Malicious code in @osmura/treeify (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4643c1f27e4916ea6090f1e6196c980fa1d65b96899a80b1f57633eaf16a61a9 The package republishes the upstream treeify library Luke Plaster, repo notatestuser/treeify verbatim under the unrelated @osmura scope, preserving t...
Malicious code in express-initial (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a8d292a4664135ed1869f907d62fb6472839ab54a59aedb2f3a88022a0c70095 package.json declares "postinstall": "node index.js", so npm install express-initial automatically runs the package's main script. index.js is heavil...
Malicious code in db-query-log (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4928f7d380b79104d997e7666603726873158508c38d2c75a90c7529dd196be3 The package presents itself as a database query helper but index.js defines a method queryDBConnect that base64-decodes a hardcoded URL pointing to...
Malicious code in db-rake (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d5a0d966d760dca0783a79eb150639ccfaf01aac944481e793dbcb7d7669983c When a consumer imports db-rake and constructs any Model, the package's resetor method silently runs npm install db-dx-connector unpinned, no-save:...
Malicious code in db-plog (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 961a6a108104105727b81399e6a3a6d56636cb79ae8fbfbbc33528f90d890d99 On every Model instantiation — the package's documented primary API — dist/index.js executes execSync'npm install db-connector-log --no-warnings...
Malicious code in pdf-converter-pro (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0b3a5f6d1d39c20feca11d0129f0efa21bdf564586045555b756cc25bce73efc Package is advertised as a PDF converter but contains no PDF generation code. Its sole public method TXTtoPDFConverter.createpdftxtpath, pdfpath is...
Malicious code in @krentzen/buffer-reverse (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7b7fccd6dbb7ba8a92be0bcbb002f92c43ff0c5e4bb82666589834a7be69e6bf @krentzen/buffer-reverse impersonates the well-known buffer-reverse package it copies the legitimate author, repo URL, README, and the genuine 10-lin...
Malicious code in gptmini (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cb05abb3d36b111df4aa8fe044cbf05a431a0778e90d022e1621494c1506a171 On npm install, the package's preinstall lifecycle script preinstall.js, declared via scripts.preinstall "node preinstall.js" shells out with exec'cm...
Malicious code in disksweep (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 31a2c10aba7f3468458529214868e2d8acd9717eb7985c47ab10cf4aed64f87c The package ships a 2.9 MB Windows PE32+ executable at bin/native/parser.node sha256 b1aace6c70312a39ca39e6bba1d9abc6aaf9b23171089b1a548adc89f67f83c3...
Malicious code in @appupdate/cdn-sync (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 445a7b613694730e29915d732e3df0700d145622b279b62b0a141c76211e6f14 Package @appupdate/cdn-sync ships as a thin koffi wrapper around prebuilt Go cgo native libraries 12MB linux.so, 11MB darwin.dylib for x64/arm64. The...
Malicious code in react-dynamic-table-compenent (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c55ead8b66faca1e08b2babafa252da2371b535c010a5c14d8b0d0e2a44aadf8 Package name misspells 'component' as 'compenent', a one-letter typosquat of react-dynamic-table-component. The package's postinstall script runs nod...
Malicious code in chai-as-assured (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bd28efd7a3d07f87ec22556cc25a8c07117fa4cdd237c6cb1db750c976a11836 chai-as-assured impersonates the popular chai-as-promised package matching README, author, and API surface. When the exported plugin function is...
Malicious code in xrblocks-remote-control (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e20199ccf4c5557bf9d6bd0f17f0f74b47aa54389f22247523fb9145ef29def Package xrblocks-remote-control ships a bin script that, when invoked including via npx or unintended resolution against the xrblocks name, POSTs the...
Malicious code in react-dynammic-table-component (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d47aff9bb18dcd61350fa86e19d97ddee5ee7c5bdf7f0adea4a685e89d58fa4f [email protected] declares a preinstall lifecycle script node dist/setup.js that runs automatically on npm install. The script...
Malicious code in @immobiliarelabs/backstage-plugin-gitlab-backend (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 096fc86987f4a25a5fb6572968e0c7309d71ed3e6ab16c239427de98c7d30ae7 The package ships a binding.gyp at the package root whose contents use GYP command-expansion syntax !... inside its targets/sources fields. npm...
Malicious code in @immobiliarelabs/backstage-plugin-ldap-auth-backend (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dbe41ed7d4257171c43c1047d7fde036575b57305b26d18cec61d1f1a20d33b1 The package ships a binding.gyp at the package root containing GYP command-expansion syntax !... in its sources/targets configuration binding.gyp lin...
Malicious code in @immobiliarelabs/backstage-plugin-ldap-auth (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e447b204a3dbe39ad2390ad721dfc14f32b64e2c27d8b4efaf99a27e9cde7b92 The package ships a binding.gyp at the tarball root that contains GYP command-expansion syntax !... / !@... in its sources/targets configuration...