Malicious packages
Malware feed
Every package version published with malicious code, federated from OSV.dev's MAL-* feed: GitHub malware advisories, Snyk, PyPI removed-malware, OSS-Fuzz, and others. These are not CVE-style vulnerabilities — they're intentionally malicious uploads (typosquats, compromised maintainer tokens, worm-style campaigns like Shai-Hulud).
Recent advisories
4 total in composer · sorted newest first- May 13, 2026
Malicious code in intercom-php (Packagist)
1 compromised version
- May 7, 2026
Compromised tag of intercom-php published via GitHub
1 compromised version
- Oct 2, 2024
Zenario allows authenticated admin users to upload PDF files containing malicious code
1 compromised version
- Sep 10, 2021
Prevent installation typosquatting malware
1 compromised version