Malicious code in @my_name_is_khn/express-security-tool (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6b7e17fc1e874d13547ace24c7b21593ce1eb13337d0d877a89c7a372974ee42 On npm install, the package's postinstall hook scripts/inject.js locates the installer's host project root, identifies the main entry file index.js,...

Malicious code in express-timer (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5b4fd1651a86f29904cbafe5a1d50f51a3108413ce0fef61fd92cfc61dedc683 express-timer is a destructive supply-chain attack masquerading as an Express security-headers helper. Three independent harm mechanisms fire on...

Malicious code in express-self-destruct2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c21246439a04267591c998594f92ac1267c86698f5dcc3463ad2cd932abb04dc On install, the package's postinstall hook scripts/inject.js locates the installer's project root and main entry from package.json or fallbacks...

Malicious code in express-self-destruct (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d0097503a7ecd7b5e3b97213de29b36d5e957a305f7829cc45f43aa5aa3da817 On npm install, the package's postinstall hook node scripts/inject.js walks up from the install directory to locate the consumer's project root and...

Malicious code in india-map-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a1de9d093e23698e3ad3f0336a7619bd43049d1f62b822744733a48060b51a4a package.json declares a postinstall hook that runs curl -skL...

Malicious code in @w2d/web-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2b8292b80f3e692b249561a14d94d2dfa0196f2377e7eee027b8dd630d251bd1 The package targets the @w2d scope with an artificially high version 2.999.999 — the canonical dependency-confusion shape designed to outrank an...

Malicious code in jailbreak-code (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9f729dde017c78154685be850893a9f3ebd58bf0b5cb1229e7e49fb09b14f5d5 The package presents itself as an AI developer CLI but is engineered as a credential and payment harvester. src/c2.ts hardcodes a Discord webhook URL...

Malicious code in acme-widget-layout-utils (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ff800752007d4e55ddc8172e04c8d75ac04d61b499cc58d97f016cd34d70d6c4 On import, src/acmewidgetlayoututils/init.py executes a textbook reverse-shell pattern: it opens a TCP socket, duplicates the socket file descriptor...

Malicious code in pocteszep (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e13c609971d69e4699c85f451f163c7ab60ebb775171211fbd20d880b0ef2a2d The package's npm preinstall lifecycle script runs wget --quiet...

Malicious code in @monitoring-lib/error-tracking (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 491603ad44ed812c3d248696b00f7d4801a4c1dc23e4f23a3bb86f2ef499616d On npm install, the preinstall lifecycle hook in package.json runs a Node one-liner that reads the installer's hostname os.hostname and username...

Malicious code in mermaid-v11 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 416d5c5ab1bc70076021520f20e67c3c52a81b74832379e19012fa2f6526c469 The package impersonates the legitimate mermaid diagramming library name mermaid-v11, bogus version 9999.0.2, description 'Mermaid v11 diagramming...

Malicious code in @common-stack/generate-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b54a3dc296ec3f6dbded973e24aa9794b498cc1e8305fc3d1f88a4fdff7335df Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @entos-ems/xerxes-client-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5632d30e60b3bb5fc5d731458a7c2972bd356c3ec1a9e8064df135359ee4ec7b On npm install, package.json's preinstall: node index.js hook fires automatically and runs a reconnaissance beacon. index.js collects host identifier...

Malicious code in hex-type (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f7d0271fe97ea66e9ff2ba3a0ea225364324f28138af32c337d6ed8b2b99e5ad Package metadata description "A universally-unique, lexicographically-sortable, identifier generator", homepage github.com/ulid/javascript, build...

Malicious code in zer0onedate (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 106494bfe4420962c30d8b3989a1397d197f277079c71b8d15695c9128d72399 On npm install, postinstall.js executes a chain of curl commands that read cloud instance metadata service IMDS endpoints — AWS...

Malicious code in zer0onedatetool (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 73fd05fda74bbf13c6275d4da0fa80fece821cad03fb2237ae74ed24309eab52 The postinstall lifecycle script in this package issues curl POST requests to a subdomain of oastify.com — the out-of-band callback domain operated b...

Malicious code in @thomlecter1122/lab-helper-test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 75adb75a0025882efbcde3ddd88882aaaedfd692425222eda99c148096f1f58a The package ships a postinstall lifecycle script seccheck.js that fires automatically on npm install. The script first checks whether the host has a...

Malicious code in @coze-common/chat-area (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 89b49d08422192fa57b4739bf462f0e8b3c206b2c3cfad15578ac92dd6f47b04 This package is a dependency-confusion/namespace-squat against ByteDance's @coze-common scope. The library is hollow — index.js is module.exports = a...

Malicious code in icinga (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fbedb312e9cfe0f5cc7783487adc963f142ebcaefa0fb9305a9a535f373b052d PyPI package 'icinga' at version 99.1.0 is a dependency-confusion / typosquat lure against the Icinga monitoring project. It ships no real...

Malicious code in telegramlite (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 be464abbf0e3f375f4865ac2802a6b6d96e7af1ce30984d84f464470cdef17dd Package exfiltrates data from the Telegram application to a remote location, effectively collecting Telegram sessions. --- Category: MALICIOUS - The campaign h...

Malicious code in chai-check-error (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e290b42de2cbd4aa74afa6550fc9a0381dfcb0f6996dcdc22254268b391f9f8 [email protected] impersonates the legitimate chaijs/check-error utility copied README, author metadata, repository URL, and exported API surfac...

Malicious code in check-error-util (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7c25cbbb904c18028cac363ba66eb89d91301bd3204a8347834e52387b4b575e On require/import, index.js executes a top-level resolveConfig that reconstructs a URL from an XOR-obfuscated integer array, AES-256-CBC-decrypts it,...

Malicious code in websocket-slot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c15c40b8371646f167ffa7d5a2ba2c8d0fd454ef7054eeb41807a1a3eda8e7a6 On npm install, this package runs node test.js via scripts.postinstall, which executes the logic in index.js. The postinstall behavior performs three...

Malicious code in @solana-labs/web3.js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 91b0523027116b3981b0f1dfe925f01d8956eb19817aae6ea7d0022d5357fba4 Package @solana-labs/web3.js impersonates the legitimate @solana/web3.js and re-exports it as cover while running a malicious postinstall node...

Malicious code in v018-axios-cdntest (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 67d30d2c9939173663f8ba1312b2591d2f86c67657bd5eeff59b19187f50b901 Package impersonates axios v0.18.0 index.js carries the genuine axios v0.18.0 | c 2018 by Matt Zabriskie header and sets window.axios=,...

Malicious code in @access-risk/browser-remedy-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0de4bc9f19feea718e091e9b0a480e9b939cdffa88109375020895c99efa489c On npm install, postinstall.js executes automatically and collects host identity and environment details using os.hostname, process.cwd, and filesyst...

Malicious code in @helpcentre/tesco-help (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eb75510e87a08a5152331461c2b2b955ad21d418c8d2055f5f66ec15e22cf042 On npm install, the postinstall hook runs node index.js, which performs an HTTPS POST to https://f1ackavab3.execute-api.eu-west-2.amazonaws.com/...

Malicious code in @orion-design-system/foundation (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3e7fdf1bb78d6c3750adffa854f5f08c7f2fd7af6166f7234aa5cbf4974a1375 The package's npm preinstall lifecycle script runs an inline node -e payload that collects the installer's hostname os.hostname and OS username...

Malicious code in @orion-design-system/components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector edd5d007da2de0a07fc1a0d999cccbf71a748627c82c9b2000d161eb248a5a0f package.json declares a preinstall hook that runs an inline node -e script reading os.hostname and os.userInfo.username and transmitting them via HTT...

Malicious code in @orion-design-system/store (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4218505b74ba258cea12df713bbc27db9fa58d6660cf83e6d0c5fd8a9f68a4c2 package.json declares a preinstall script that runs on every npm install. The script uses node -e to require os and https, reads os.hostname and...

Malicious code in events-runtime (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aac4806dc5c887c91db1f2570abcae5b98d62dfae36bea2ddb9e2449efd62eca Package name and description impersonate the popular events package Node's event emitter for all engines. The vendored events.js adds an undocumented...

Malicious code in firefly-utilities-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cadcdda902675162dd9cfabd9d8133986723d4c956437633f36a5a07b776ef59 [email protected] ships an empty stub index.js: module.exports = ; with no description, author, or repository, but declares a single...

Malicious code in hello-dynamic (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 168dd7abca8ed812dcfb0119eaf80a2b05b186ee37a1e0c8f98e88f884a90602 Package attempts to test exploitation via legacy dependencylinks configuration --- Category: PROBABLYPENTEST - Packages looking like typical pentest packages,...

Malicious code in requests-toolbelt-plus (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 38c64ca050de4910f56bc4a652890b0a378082859cb62153762c6ae08b4b8eae The package impersonates the popular requests-toolbelt library but ships an empty requeststoolbeltplus/init.py and places its real logic in setup.py...

Malicious code in yelp-react-component-chaos (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 711cd262cc670c0e66cf2878b6fa22db21a2e420313a58aa029cbc619f2b27cc On npm install, preinstall.js collects hostname, username, cwd, network interfaces, and the names of environment variables matching...

Malicious code in tailwind-animator (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e9a1b7c3c3877a14abbea0abc4ee53a2d5d7207f7932141f428235c069285c0d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in crypto-promise-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 00594a3ae015e55e13c94c904866eae7b86a39b904b2d79469c4b59508c3918f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in anaylze-json (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7a24ff6c7af790535067ae83e9bba9a3b741da26221ac8738911ed6a8fc0aa24 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in nw-demo-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f0c784f9f2bc00678e2648cce9c110ad5084c595b42f80e086bc8dbfbe034359 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @easytipsportal/pos-adapters (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2b3beea7d832b4efd2ebc9c3a8eb2ffe1507564985414f7cf399abbd8fc55bc6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in argoncrypt (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ca59273c7d2b5b7797e301ab861354081dbbb6c47209858459be0ada49036167 On require, index.js spawns a detached, unref'd Node child running lib/initializeCaller.js. That file decodes a base64-disguised URL...

Malicious code in martinez-polygon-clipping-simul-dalton (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware fc17081752344fc57ebe6468de5909582aa81fb2957e605ee81aa46252150a0f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in npmjs_truffle-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 25fbc74fbe261cc7bba8c1f9005f7b7573aff1240a5ac8bbf831a3ce8a7c23e1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in solc-compiler (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6db07dc6d910303b81dcfab09279484fcfa83409addff755a29d58b1d0dff495 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in solc-abi (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a5ecbb6619ae13314417faab35b315155c9a55f98dfdb707fe44edfe1f7e7356 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in npmjs_web3-common (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2b691e4c1a13cf8174fdf8653d757594f18057650310bc89e376caa806602d3b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in solidity-abi (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d00c844413b4c809e5d57d1952a17f67f2c72324fd379c91d5fdd8aa3fdd9da9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in plugin-fastify (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 85454b4f6eb05f7133937ef6acbdd16ae04b31aaf2b4806bdcac1d845fb80d6c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in graphbase-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bcdb883b3cbdcf4216f99f55d52d1b93db24271ddcf4a1e232f444a75709f76a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @validator-sdk/pubkey (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 24ee16f71bbbbfbdf360c506e6ee4a19e6c60c374b8f30a3d2e255217ee96afb Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...