225917 matches found
Malicious code in secrets-manager-wrapper (npm)
Dependency confusion and typosquatting campaign by threat actor "saif777". Packages use inflated version numbers 9999.9999.9999, 9999.9999.10000, 50.50.50, 7.66.5 to win version resolution in environments with private registries. All active packages execute a postinstall hook "node index.js" that...
Malicious code in @saif777/codemirror5 (npm)
Dependency confusion and typosquatting campaign by threat actor "saif777". Packages use inflated version numbers 9999.9999.9999, 9999.9999.10000, 50.50.50, 7.66.5 to win version resolution in environments with private registries. All active packages execute a postinstall hook "node index.js" that...
Malicious code in @enterprise-core/auth-gateway-bridge (npm)
Dependency confusion and typosquatting campaign by threat actor "saif777". Packages use inflated version numbers 9999.9999.9999, 9999.9999.10000, 50.50.50, 7.66.5 to win version resolution in environments with private registries. All active packages execute a postinstall hook "node index.js" that...
Malicious code in @omni-corp-infra/sso-bridge-core (npm)
Dependency confusion and typosquatting campaign by threat actor "saif777". Packages use inflated version numbers 9999.9999.9999, 9999.9999.10000, 50.50.50, 7.66.5 to win version resolution in environments with private registries. All active packages execute a postinstall hook "node index.js" that...
Malicious code in @tech-global/internal-gateway-core (npm)
Dependency confusion and typosquatting campaign by threat actor "saif777". Packages use inflated version numbers 9999.9999.9999, 9999.9999.10000, 50.50.50, 7.66.5 to win version resolution in environments with private registries. All active packages execute a postinstall hook "node index.js" that...
Malicious code in enterprise-auth-gateway-core (npm)
Dependency confusion and typosquatting campaign by threat actor "saif777". Packages use inflated version numbers 9999.9999.9999, 9999.9999.10000, 50.50.50, 7.66.5 to win version resolution in environments with private registries. All active packages execute a postinstall hook "node index.js" that...
Malicious code in google-storage-cloud (npm)
Dependency confusion and typosquatting campaign by threat actor "saif777". Packages use inflated version numbers 9999.9999.9999, 9999.9999.10000, 50.50.50, 7.66.5 to win version resolution in environments with private registries. All active packages execute a postinstall hook "node index.js" that...
Malicious code in internal-auth-provider (npm)
Dependency confusion and typosquatting campaign by threat actor "saif777". Packages use inflated version numbers 9999.9999.9999, 9999.9999.10000, 50.50.50, 7.66.5 to win version resolution in environments with private registries. All active packages execute a postinstall hook "node index.js" that...
Malicious code in @internal-infra/core-sso-bridge (npm)
Dependency confusion and typosquatting campaign by threat actor "saif777". Packages use inflated version numbers 9999.9999.9999, 9999.9999.10000, 50.50.50, 7.66.5 to win version resolution in environments with private registries. All active packages execute a postinstall hook "node index.js" that...
Malicious code in @corp-infra/sso-gateway-core (npm)
Dependency confusion and typosquatting campaign by threat actor "saif777". Packages use inflated version numbers 9999.9999.9999, 9999.9999.10000, 50.50.50, 7.66.5 to win version resolution in environments with private registries. All active packages execute a postinstall hook "node index.js" that...
Malicious code in chai-as-char (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0beb7aa3057c2e6c31e9bb9074f8ac71d5b2ad3a9f65761c0131816ab4bdb8df The package chai-as-char was found to contain malicious code. Source: ghsa-malware e12e1d019bed1dd99212206b54a611003e75acc13943eb13c8ab63cd388adc83 A...
Malicious code in chai-as-redeployed (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e2e2a156e4adadf2466c1ce0f0501539ea4bb3306edd9b2c97109326a9f94f3a The package chai-as-redeployed was found to contain malicious code. Source: ghsa-malware...
Malicious code in nicegui (npm)
Malicious npm package published by threat actor "ryanmccollum1" typosquatting the popular Python NiceGUI framework. Part of the same supply chain attack campaign as redeem-onchain-sdk, which collects SSH keys, AWS credentials, .npmrc tokens, Docker auth, Chrome saved logins, .env files, and git...
Malicious code in period-newline (npm)
Malicious npm package published by threat actor "ryanmccollum1" impersonating a benign text-formatting utility. Part of the same supply chain attack campaign as redeem-onchain-sdk, which collects SSH keys, AWS credentials, .npmrc tokens, Docker auth, Chrome saved logins, .env files, and git...
Malicious code in redeem-onchain-sdk (npm)
redeem-onchain-sdk is a malicious npm package impersonating a Polymarket on-chain SDK. It collects SSH keys, AWS credentials, .npmrc tokens, Docker auth, Chrome saved logins, .env files, and a month of git commit history, then ships everything over a raw TCP socket to an AWS-hosted C2. Two trigge...
Malicious code in @cap-js/sqlite (npm)
Supply chain compromise of legitimate SAP packages published by threat actor "[email protected]" impersonating SAP toolchain maintainers. All four compromised packages share the same fingerprint: setup.mjs 4.4 KB and execution.js 11.1 MB bundled in the tarball, with a preinstall hook of "node...
Malicious code in @cap-js/postgres (npm)
Supply chain compromise of legitimate SAP packages published by threat actor "[email protected]" impersonating SAP toolchain maintainers. All four compromised packages share the same fingerprint: setup.mjs 4.4 KB and execution.js 11.1 MB bundled in the tarball, with a preinstall hook of "node...
Malicious code in @cap-js/db-service (npm)
Supply chain compromise of legitimate SAP packages published by threat actor "[email protected]" impersonating SAP toolchain maintainers. All four compromised packages share the same fingerprint: setup.mjs 4.4 KB and execution.js 11.1 MB bundled in the tarball, with a preinstall hook of "node...
Malicious code in mbt (npm)
Supply chain compromise of legitimate SAP packages published by threat actor "[email protected]" impersonating SAP toolchain maintainers. All four compromised packages share the same fingerprint: setup.mjs 4.4 KB and execution.js 11.1 MB bundled in the tarball, with a preinstall hook of "node...
Malicious code in amazon-boto (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 649bb559f3078565515a9fee16dbe78e0d1b5575943cbaf020135f8e70e2f17d When using the package, the given AWS credentials are silently exfiltrated to a hardcoded location. This incarnation of the long-running campaign was first...
Malicious code in agents-a365-runtime (npm)
Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...
Malicious code in apple-cloud-infrastructure-monitor (npm)
Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...
Malicious code in apple-infra-final-escape (npm)
Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...
Malicious code in apple-coredata-internal-service (npm)
Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...
Malicious code in apple-infra-gcp-leak (npm)
Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...
Malicious code in apple-internal-pki-trust-v5 (npm)
Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...
Malicious code in apple-internal-auth-v3 (npm)
Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...
Malicious code in apple-internal-telemetry-service (npm)
Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...
Malicious code in apple-internal-pki-trust (npm)
Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...
Malicious code in apple-pki-cert-validator (npm)
Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...
Malicious code in npm-global-util (npm)
Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...
Malicious code in apple-infra-network-v2 (npm)
Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...
Malicious code in apple-internal-pki-utils (npm)
Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...
Malicious code in apple-infra-ultimate-bypass (npm)
Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...
Malicious code in apple-cktool-api-v2 (npm)
Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...
Malicious code in coinmate-typescript-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fbfed1f09c009e285a20b7f2914257795846bf558a735467cb742ab4bc53165b The package coinmate-typescript-client was found to contain malicious code. Source: ossf-package-analysis...
Malicious code in timenow-py (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 773fd03a72216bd0bb09449cddd181ae90da5d456b572592cd493bac39f356f4 During import, the package automatically downloads and executes code that first acts as an infostealer and then starts code acting as a RAT. It connects with a...
Malicious code in timenow (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 1f3a9539cc4ef3e4b515404ac4b13179d37a09923c8fd90a06f4b751ed397d9c During import, the package automatically downloads and executes code that first acts as an infostealer and then starts code acting as a RAT. It connects with a...
Malicious code in timemcp-utils (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 2370fd05b77259c6177d02a019d357a9e7773539588345fe4a5582a9582a1aa3 During import, the package automatically downloads and executes code that first acts as an infostealer and then starts code acting as a RAT. It connects with a...
Malicious code in timemcp190825790125120985125 (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 41257a3bb20b9b5ffdbeb3a610ddf2159902ebadf5550d87ec3024d880398568 During import, the package automatically downloads and executes code that first acts as an infostealer and then starts code acting as a RAT. It connects with a...
Malicious code in timemcp-client (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 8e125c901115c73a3467acea1300ccc14f718459dbf54ad11a8baf7c39cc03d9 During import, the package automatically downloads and executes code that first acts as an infostealer and then starts code acting as a RAT. It connects with a...
Malicious code in coinmate-api (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 8c8d1f75669f5e0386a83dad52d569b6711645921989cf520b3b15c59ec26424 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in core-roblox-utils (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 51e9fdba29b05ebf3bb0fb66dcf05dd021562b52449128a930f28ff073b4e1d7 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...
Malicious code in robase-start (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 827cc431e55560fd4944d6b7fa6c47e6adb5027a75fe949642630843b0c8702e During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...
Malicious code in robase-apis (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 953430b69a70b8a69dd00f87a8cf96f9b60eaf4dfdd70fd129ba5d2502612555 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...
Malicious code in sf-th-requests (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 3a4508be29963ffe0a2d8b245449cf80873bdd6037c226e94ff99d9937566c7d During import package exfiltrates the environment variables and cloud credentials/tokens to a hardcoded location. --- Category: MALICIOUS - The campaign has...
Malicious code in timestamp-py (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 d48be8ff856b19622d8bc8417db82b8752c41fb88aec5cd89d04bbee1bc729ef During import, the package automatically downloads and executes code that first acts as an infostealer and then starts code acting as a RAT. It connects with a...
Malicious code in timemcp-py (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 7811f1fb547708bc27c15d45ca610ab6c0b30189f111b09666b8933bd59ee754 During import, the package automatically downloads and executes code that first acts as an infostealer and then starts code acting as a RAT. It connects with a...
Malicious code in fetchapi-syncdata-pypi (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 d0dcf5bd5c71d077b3763c74d57d68d5517a2b5c5229fdd5bd6f7369cb2a0f49 The package contains code to download and start a malicious executable. It's masqueraded using name similar to Windows services. In analyzed versions, the code...
Malicious code in timemcp (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 8be0be5130ca45aa72ebb49b748e71aaf6998f09229910884076b5abc6a70c39 During import, the package automatically downloads and executes code that first acts as an infostealer, and then starts code acting as a RAT. It connects with ...