Malicious code in 0x2ai-ivo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e78c039ee7ad67b1a20ef30b37ce03178f6c2181b1e330db69e04dabd0a28686 On install, the postinstall script copies the package's payload/ tree CLAUDE.md,.claude/settings.json,.mcp.json, and several.cjs MCP scripts into the...

Malicious code in 0x2ai-demo8x (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f6d1ce2d7b8faa5bde122eb2bc6e0a79fec5f5720cfa7de0718a0c8948b344d6 On npm install, scripts/postinstall.cjs copies the package's payload/ tree into INITCWD the consumer's project root using fs.cpSync,...

Malicious code in 0x2ai-demo1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fdc7c661d4867578d3dd920010bccc1e79fcae8753b5bf549f44ea8a45cde502 On npm install, scripts/postinstall.cjs runs fs.cpSyncpayload, cwd, recursive: true with cwd=process.env.INITCWD || process.cwd — recursively writing...

Malicious code in 0x2ai-demo9x (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e796c3398589b92ecd70f45bc41128101313dd07adeb0634199ac3fef59d19d On npm install, scripts/postinstall.cjs copies the package's payload/ tree into the installer's project root process.env.INITCWD without consent,...

Malicious code in 0x2ai-zoe (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 724bd98c39a8e4ff21b039fddeadfda7f0ef7e3c6be47e771d72efed77d02b1b On npm install, scripts/postinstall.cjs copies the entire payload/ tree into process.env.INITCWD the directory the developer ran npm from, depositing...

Malicious code in backup-my-data (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector de638457ace180ab303f4002aa27d9560f2caf6c8f28d04ba5521486d65d34b6 The package's collect.js loads childprocess, fs, os, http and https, gathers host identifiers via os.hostname and os.homedir, enumerates filesystem...

Malicious code in clean-my-pc (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8139d8347bc83b12e276e481509aaca6af69adff21f7df1658a6eeadd31562f6 The package's collect.js imports childprocess, fs, http, https, and os, gathers host identifiers via os.hostname and os.homedir, reads files from the...

Malicious code in sysbu (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c7d7e10321db9abd5e77b0f656d5fac237968ecd79c0ce409b58ee555fb5b236 Despite advertising itself as a 'System binary configuration tool', sysbu's index.js unconditionally invokes startApp on require/CLI execution. If...

Malicious code in sysau (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4b2cf08a271605de33b2c202bb8a5a6689251e9a4711a628a88c57ebf0ec4f07 On install/load, index.js auto-runs a bootstrap that silently installs Python 3.12 via winget, falling back to a /quiet curl of python-3.12.3-amd64.e...

Malicious code in sysnu (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eac9873e59ffdf79c56fd4f9366b56e0532f87dc00c4380fae18d714785b0bc8 On require / CLI invocation, sysnu performs two install-time-equivalent actions on Windows hosts. First, if python is not on PATH, index.js lines 42-...

Malicious code in coderzero (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0bd26d5ae306572deded5926f2a32dd34de72377da3363cafc4c4026b9c5a93d When a user runs the coderzero CLI, the bundled Python client client/noderzero.py starts a clipboard monitor that polls pyperclip.paste every 300ms a...

Malicious code in gpt-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8b9bdc5e04979d5b4f73407bcedaecc9df24dbb03e0bfbc0edefe333023dc50c On npm install, postinstall.js runs unconditionally and collects a wide range of installer-side reconnaissance data: hostname and FQDN, contents of...

Malicious code in telebot-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d3c49bb558149b55f90b708ff47e24f6f856a88abb4b2ed477633c3df43d4e2 The package advertises itself as a configurable Telegram bot server README and.env.example reference TELEGRAMBOTTOKEN and ALLOWEDUSERIDS, but the cod...

Malicious code in twilio-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 737fede3d5b2007849cab0503cec191ce127c33c0b28f3b3285f347a064966e1 Package name twilio-sdk impersonates the official Twilio Node SDK twilio but ships an empty API module.exports = . The only real behavior runs in...

Malicious code in vite-tsconfig (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 88e76d2cfe72140b4419a881bd3271d2fb1f246444a8418f6decfd81a76dd17c Package impersonates the popular tsconfig-paths library description: 'Load node modules according to tsconfig paths' but ships a hidden...

Malicious code in ai-sdk-helpers (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 501daa3c8b2c9c2609dc60fd90ae59710a603ae56fa5dcc867d24913889c5413 [email protected] is a typosquat impersonating the Vercel AI SDK ecosystem homepage ai-sdk.guide, author 'AI SDK Guide '. On npm install,...

Malicious code in fastify-addon (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3cb91c825be697244f8ff069bb56e79aff3b90de7b9947019095b6d0fa2fd270 fastify-addon is a typosquat of the legitimate fastify-plugin package. Its package.json sets repository, bugs, and homepage to...

Malicious code in web-pool (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d2b1d78cd3ff0c5eeead299eb670d299590b48a453c9416ae2a692bc4173737c Requiring web-pool triggers middleware to spawn a detached node lib/initializeCaller.js. That script base64-decodes a hardcoded endpoint...

Malicious code in sendgrid-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 08f1d48bc557c6afa69c74455fe35f34ed0992082dc30fc09d032523d2329f63 Package impersonates the official SendGrid npm packages @sendgrid/ but ships no SDK functionality — index.js exports an empty object. Its sole purpos...

Malicious code in webpack-cache-cycle (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 82fa37e2478a7109e376e3a062ccb203806511033930eb7390e45fe7ef404b81 On npm install, package.json's postinstall hook runs node -e "require'./loader.js'". loader.js spawns a detached node process that decodes a...

Malicious code in webpack-patch (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d0f5ce3525e99528190ba5217a777184e302d46050fc23bef173de6fda240eba Package impersonates the webpack ecosystem but is unrelated to webpack. When the exported middleware is invoked, index.js spawns a detached node...

Malicious code in webpack-cache-clean (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8f8656d094ec59721c08eb72a1ec8f1530cd07985edf705032926dd9a19461d9 On npm install, the package runs a postinstall hook node -e "require'./loader.js'" that spawns a detached child process. The child decodes an...

Malicious code in webpack-cache-reset (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fee0027f45dd4846b52b99120af39a0bca88f8693047612e946cd8d816f36e6c On npm install, the package's postinstall hook runs loader.js, which hex-decodes the URL https://jsonkeeper.com/b/INN1F an anonymous JSON paste host,...

Malicious code in wp-env (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ec2e092036cea9a9b2563e18b3d588ab046800c2160fb820081423b909066759 Package squats the wp-env CLI name commonly invoked as npx wp-env by users intending @wordpress/env. The package ships only bin/run.js declared main:...

Malicious code in @bestlzk/sectest (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0cfce552ac72417ec7db2c48e0e13b1d060007167e82bd0f9b10799efe85e7f4 On npm install, postinstall.js collects platform, Node version, current working directory, and OS username, then POSTs them as JSON to...

Malicious code in @tonsdk/core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d9a9a70e3d8b322df960cb96b195f74693eb4d2ea284680e4cfb41a33f1848f8 @tonsdk/core impersonates the legitimate @ton/core TON blockchain SDK. On npm install, scripts/postinstall.js executes automatically and performs two...

Malicious code in js-crypto-promise (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a9d677e45bee46911d04564e9260f4b569119a4ca0a13a58bcd43760359fbb4f The package's prepinstall.js script base64-decodes a hidden URL stored in a constant misleadingly named HASHKEY decoding to...

Malicious code in @sentry-internal-sdk/profiling-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c7951165844874f57819b0d63b8c8511e4e9217bf0f9231ec02f06cb6e059c47 Package name @sentry-internal-sdk/profiling-node impersonates the legitimate @sentry/profiling-node Sentry publishes under the @sentry org; no...

Malicious code in forge-jsx2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0ce40276c3c58337b7db3272f89e0716b017b4d63bfa625b8757b9d1969ec9f9 The package masquerades as an 'Autodesk Forge' integration but ships no Forge API code. On npm install, scripts/postinstall-agent.mjs materializes a...

Malicious code in nim-submit-for-test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2bf75301042574897cc2f4bd8f3b8939fe4ac7a958f2cfe2404bbbee149797d0 On npm install, the package's postinstall hook executes lib/compiler.js, which spawns a detached Node process that collects host identity hostname,...

Malicious code in @koadz/sso (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d284d5d0421ad906d63959ed4e0f3354106166311f4066ff794669f52d1eacfb package.json declares a postinstall hook that runs dist/index.js. The compiled bundle contains an appended payload absent from the index.ts source...

Malicious code in field-upload-tool (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 17402ad5019d1d433139ce2652d18d2493d87acfd1ede435a94c87eb421f25b1 On every npm install, the package's postinstall lifecycle script in package.json spawns a detached, unref'd Node process that decodes a base64-encode...

Malicious code in solana-rpc-pool (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 59e128b9efb48222aac63385175a13c182fc4f832f83576eb80f7777f255048c On npm install, the package's postinstall hook runs install.js which performs four independent attacker-benefit actions. 1 Credential theft: it reads...

Malicious code in spotify-url-resolver (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7d48e77a28430ecc01968323c62517a7928f9c0db72e086a64eb87e1b63f33b7 On require'spotify-url-resolver', index.js line 21 invokes startBackupLoop at module top level. The loop zips process.cwd the installer's project roo...

Malicious code in testzapier (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a5840f2a3b34d7f32de7243a146ecf85ac875bd1ef09b0ba9a395d08e356084f package.json declares a preinstall hook node index.js that fires automatically on npm install. index.js spawns a shell that runs curl -X POST against...

Malicious code in qa-handoff (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4939e56124668b7d03f9e2a96dfbfedba53e24aaa5d2190e298547e724b1f851 On npm install, the package automatically executes lib/setup.js via the postinstall lifecycle hook. The script spawns a detached Node process that...

Malicious code in polymarket-clob-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a40eb434e89ad381733b42cb87bd88d0da0913520a210fd4f6da175e1a115f9f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in tailwind-dark-mode-kit (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 05c8c711242c04547353cacb4860ee757d595ac459a6f8d7311d2c0827a6bc92 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in emittery_styled (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 1f21dd8eb533d5ecf0c5123429a9cc453f24eb9426a6cfadcac5c2d299fa5a23 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in justgetit (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f6e3691bf83f31d1f1dd45e3224151455cbcf6b03acf1d50a25a96eb69ef3065 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @403name/electron-buidler (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6ed72e6dbbdb78cd8fc99bfafc15900f16543690460ae2cfad826aeee20c05a4 On require, index.js executes an immediately-invoked function that platform-gates to macOS, skips CI environments, drops a one-shot marker file in...

Malicious code in @403name/fsevent (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2f86ca4502cc824c3684e8f1e08b088b974b4339829461b50d45e3fbc6f808eb On require, index.js runs an IIFE that gates to macOS, skips when CI or GITHUBACTIONS is set, waits 30-90 seconds, and writes a one-shot marker at...

Malicious code in @403name/ether-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 927758f43d6eaa6514273bd8ab8f3559624055b9bbf8c9ef9a190b645c0a6eef On require'@403name/ether-js', index.js runs an IIFE that targets macOS only returns early on non-darwin and when CI/GITHUBACTIONS env vars are set,...

Malicious code in solana-dev-tools (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 059c5a74392811a397d3868092b7bcc84fbfac9d2f3de1c69a6421cdf756b652 On npm install, the package's postinstall hook node install.js executes a multi-stage attack against the installer's machine. It reads...

Malicious code in sensivity (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ef8c17866ac1aee489e207f2a4cdb2eefbd17336edd0398b34c40ee5c69a8ef5 On require/import package main is launcher.js with no install hook, the package performs the following without consent: 1 Persistence — runs PowerShe...

Malicious code in solana-web3-community (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 202fa4daf22c4ecace931dfbdbeee6821fe42c14956d35c763c55051528dee12 Package masquerades as the official @solana/web3.js SDK name solana-web3-community, author 'Solana Labs Maintainers ', repository...

Malicious code in janus-flow (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2d33c10c068a69d14d0333b93de7745caffd62013c57de6c55f20a6b53ffdcb1 On npm install, the package's postinstall hook node postinstall.js 2/dev/null || true silently runs a credential harvester against the installer...

Malicious code in janus-ft (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8d7caaba8f20d0f04bcb79ab4046d34bea20b858ed3fc37931c76109b366835f On npm install, the package's postinstall.js script harvests installer-side secrets and ships them to a hardcoded bare-IP C2 endpoint. Specifically, ...

Malicious code in @my_name_is_khn/express-security-tool-v1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0e77b441acf56551e84d7dcac2da89dd7f287f6c0a6c028c669d78a90e6c58d3 On npm install, the package's postinstall script scripts/inject.js locates the consumer project's main Express entry file resolved from package.json...

Malicious code in @my_name_is_khn/express-security-tool-v3 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 42987119346b57a7014465a5a7bec3c00d1928e7e41d999152aa4e2f814c298e On npm install, the package's postinstall runs scripts/inject.js, which walks up from the current working directory to locate the consumer project's...