Malicious packages
Malware feed
Every package version published with malicious code, federated from OSV.dev's MAL-* feed: GitHub malware advisories, Snyk, PyPI removed-malware, OSS-Fuzz, and others. These are not CVE-style vulnerabilities — they're intentionally malicious uploads (typosquats, compromised maintainer tokens, worm-style campaigns like Shai-Hulud).
Recent advisories
240,064 total in npm · sorted newest first- May 16, 2022
Malicious code in eslint-plugin-kavak (npm)
- May 16, 2022
Malware in eslint-plugin-kavak
1 compromised version
- May 13, 2022
Malicious code in personal-colorss (npm)
- May 13, 2022
Malware in personal-colorss
1 compromised version
- May 11, 2022
Malicious code in jquerry (npm)
- May 11, 2022
Malware in jquerry
1 compromised version
- May 9, 2022
Malicious code in opsie (npm)
- May 9, 2022
Malware in opsie
1 compromised version
- Jan 3, 2022
Malicious code in bootstrap-feature (npm)
- Dec 27, 2021
Malicious code in lib-bb-html-sanitizer (npm)
- Dec 27, 2021
Malicious code in cxp-jquery (npm)
- Dec 24, 2021
Malicious code in digital-marketing-client (npm)
- Dec 24, 2021
Malicious code in dbp-polyfills (npm)
- Nov 15, 2021
Malicious code in portal-shell (npm)
Page 4802 of 4,802