Malicious packages
Malware feed
Every package version published with malicious code, federated from OSV.dev's MAL-* feed: GitHub malware advisories, Snyk, PyPI removed-malware, OSS-Fuzz, and others. These are not CVE-style vulnerabilities — they're intentionally malicious uploads (typosquats, compromised maintainer tokens, worm-style campaigns like Shai-Hulud).
Recent advisories
2 total in maven · sorted newest first
- Nov 26, 2025
Malicious code in org.mvnpm:posthog-node (Maven)
1 compromised version
- Mar 19, 2025
Malicious code in io.github.leetcrunch:scribejava-core (Maven)
1 compromised version