Malicious packages
Malware feed
Every package version published with malicious code, federated from OSV.dev's MAL-* feed: GitHub malware advisories, Snyk, PyPI removed-malware, OSS-Fuzz, and others. These are not CVE-style vulnerabilities — they're intentionally malicious uploads (typosquats, compromised maintainer tokens, worm-style campaigns like Shai-Hulud).
Recent advisories
240,011 total in npm · sorted newest first- Jun 17, 2026
Malicious code in @mastra/s3 (npm)
1 compromised version
- Jun 17, 2026
Malicious code in @mastra/fastembed (npm)
1 compromised version
- Jun 17, 2026
Malware in @mastra/sentry
1 compromised version
- Jun 17, 2026
Malware in @mastra/fastembed
1 compromised version
- Jun 17, 2026
Malware in @mastra/s3
1 compromised version
- Jun 17, 2026
Malicious code in @mastra/auth (npm)
1 compromised version
- Jun 17, 2026
Malware in @mastra/auth
1 compromised version
- Jun 17, 2026
Malicious code in @mastra/hono (npm)
1 compromised version
- Jun 17, 2026
Malicious code in @mastra/datadog (npm)
1 compromised version
- Jun 17, 2026
Malware in @mastra/datadog
1 compromised version
- Jun 17, 2026
Malware in @mastra/hono
1 compromised version
- Jun 17, 2026
Malicious code in @mastra/editor (npm)
1 compromised version
- Jun 17, 2026
Malware in @mastra/editor
1 compromised version
- Jun 17, 2026
Malicious code in @mastra/otel-bridge (npm)
1 compromised version
- Jun 17, 2026
Malware in @mastra/otel-bridge
1 compromised version
- Jun 17, 2026
Malicious code in @mastra/dynamodb (npm)
1 compromised version
- Jun 17, 2026
Malware in @mastra/dynamodb
1 compromised version
- Jun 17, 2026
Malicious code in @mastra/duckdb (npm)
1 compromised version
- Jun 17, 2026
Malware in @mastra/duckdb
1 compromised version
- Jun 17, 2026
Malicious code in @mastra/schema-compat (npm)
1 compromised version
- Jun 17, 2026
Malicious code in @mastra/evals (npm)
1 compromised version
- Jun 17, 2026
Malware in @mastra/schema-compat
1 compromised version
- Jun 17, 2026
Malware in @mastra/evals
1 compromised version
- Jun 17, 2026
Malicious code in @mastra/langfuse (npm)
1 compromised version
- Jun 17, 2026
Malicious code in @mastra/ai-sdk (npm)
1 compromised version
- Jun 17, 2026
Malware in @mastra/ai-sdk
1 compromised version
- Jun 17, 2026
Malware in @mastra/langfuse
1 compromised version
- Jun 17, 2026
Malicious code in @mastra/pg (npm)
1 compromised version
- Jun 17, 2026
Malicious code in @mastra/mcp (npm)
1 compromised version
- Jun 17, 2026
Malware in @mastra/mcp
1 compromised version
- Jun 17, 2026
Malware in @mastra/pg
1 compromised version
- Jun 17, 2026
Malicious code in @mastra/libsql (npm)
1 compromised version
- Jun 17, 2026
Malware in @mastra/libsql
1 compromised version
- Jun 17, 2026
Malicious code in mastra (npm)
1 compromised version
- Jun 17, 2026
Malware in mastra
1 compromised version
- Jun 16, 2026
Malicious code in abuden21 (npm)
3 compromised versions
- Jun 16, 2026
Malicious code in speed4 (npm)
2 compromised versions
- Jun 16, 2026
Malware in internallib_v346
1 compromised version
- Jun 16, 2026
Malicious code in backoffice-charges-module (npm)
3 compromised versions
- Jun 16, 2026
Malicious code in bubblestr (npm)
1 compromised version
- Jun 16, 2026
Malicious code in tw-theme-kit (npm)
1 compromised version
- Jun 16, 2026
Malicious code in vite-config-field (npm)
6 compromised versions
- Jun 16, 2026
Malicious code in react-vite-assert (npm)
1 compromised version
- Jun 16, 2026
Malicious code in ssr-auth-sync (npm)
1 compromised version
- Jun 16, 2026
Malicious code in package-uploader (npm)
1 compromised version
- Jun 16, 2026
Malicious code in mci-sdk (npm)
6 compromised versions
- Jun 16, 2026
Malicious code in chai-test-mocks (npm)
1 compromised version
- Jun 16, 2026
Malicious code in aillmgen (npm)
1 compromised version
- Jun 16, 2026
Malicious code in @kalipto/local (npm)
4 compromised versions
- Jun 16, 2026
Malicious code in test-copppss (npm)
1 compromised version
Page 45 of 4,801