Malicious packages
Malware feed
Every package version published with malicious code, federated from OSV.dev's MAL-* feed: GitHub malware advisories, Snyk, PyPI removed-malware, OSS-Fuzz, and others. These are not CVE-style vulnerabilities — they're intentionally malicious uploads (typosquats, compromised maintainer tokens, worm-style campaigns like Shai-Hulud).
Recent advisories
18 total in golang · sorted newest first
- May 13, 2026
Malicious code in github.com/BufferZoneCorp/net-helper (Go)
- May 13, 2026
Malicious code in github.com/BufferZoneCorp/log-core (Go)
- May 13, 2026
Malicious code in github.com/BufferZoneCorp/grpc-client (Go)
- May 13, 2026
Malicious code in github.com/BufferZoneCorp/go-weather-sdk (Go)
- May 13, 2026
Malicious code in github.com/BufferZoneCorp/go-stdlog (Go)
- May 13, 2026
Malicious code in github.com/BufferZoneCorp/go-stdlib-ext (Go)
- May 13, 2026
Malicious code in github.com/BufferZoneCorp/go-retryablehttp (Go)
- May 13, 2026
Malicious code in github.com/BufferZoneCorp/go-metrics-sdk (Go)
- May 13, 2026
Malicious code in github.com/BufferZoneCorp/go-envconfig (Go)
- May 13, 2026
Malicious code in github.com/BufferZoneCorp/config-loader (Go)
- Mar 19, 2025
Malicious code in github.com/vainreboot/layout (Go)
- Mar 19, 2025
Malicious code in github.com/utilizedsun/layout (Go)
- Mar 19, 2025
Malicious code in github.com/thankfulmai/hypert (Go)
- Mar 19, 2025
Malicious code in github.com/shallowmulti/hypert (Go)
- Mar 19, 2025
Malicious code in github.com/shadowybulk/hypert (Go)
- Mar 19, 2025
Malicious code in github.com/ornatedoctrin/layout (Go)
- Mar 19, 2025
Malicious code in github.com/belatedplanet/hypert (Go)
- Mar 19, 2025
Malicious code in github.com/boltdb-go/bolt (Go)