Malicious packages
Malware feed
Every package version published with malicious code, federated from OSV.dev's MAL-* feed: GitHub malware advisories, Snyk, PyPI removed-malware, OSS-Fuzz, and others. These are not CVE-style vulnerabilities — they're intentionally malicious uploads (typosquats, compromised maintainer tokens, worm-style campaigns like Shai-Hulud).
Recent advisories
240,070 total in npm · sorted newest first- Jun 9, 2026
Malicious code in shopify-app-bridge-internal (npm)
1 compromised version
- Jun 9, 2026
Malicious code in @sourceflow-uk/sourceflow-tracker (npm)
1 compromised version
- Jun 9, 2026
Malicious code in ac_calendar_ts (npm)
1 compromised version
- Jun 9, 2026
Malicious code in ac_semantic-ui_ts (npm)
1 compromised version
- Jun 9, 2026
Malicious code in @oplus/obus-web-sdk (npm)
1 compromised version
- Jun 9, 2026
Malicious code in @oplus/obus-web-sdk-plugin-recovery (npm)
1 compromised version
- Jun 9, 2026
Malicious code in @oplus/obus-core (npm)
1 compromised version
- Jun 9, 2026
Malicious code in comos-sdk (npm)
1 compromised version
- Jun 9, 2026
Malware in comos-sdk
1 compromised version
- Jun 9, 2026
Malicious code in @0xlr/sentry-web (npm)
1 compromised version
- Jun 9, 2026
Malicious code in @0xlr/clerk-auth (npm)
1 compromised version
- Jun 9, 2026
Malicious code in @0xlr/prisma-client-js (npm)
1 compromised version
- Jun 9, 2026
Malicious code in @0xlr/vercel-analytics (npm)
1 compromised version
- Jun 9, 2026
Malicious code in @0xlr/stripe-frontend (npm)
1 compromised version
- Jun 9, 2026
Malicious code in @0xlr/stripe-checkout-js (npm)
1 compromised version
- Jun 9, 2026
Malicious code in ui-weave (npm)
1 compromised version
- Jun 9, 2026
Malware in ui-weave
1 compromised version
- Jun 9, 2026
Malicious code in @0xlr/supabase-db (npm)
1 compromised version
- Jun 9, 2026
Malicious code in kraken-ui (npm)
1 compromised version
- Jun 9, 2026
Malicious code in @sflyinc-knapsack/shutterfly-react (npm)
1 compromised version
- Jun 9, 2026
Malicious code in @open-banking/cabinet-providers (npm)
2 compromised versions
- Jun 9, 2026
Malicious code in savant-listing (npm)
2 compromised versions
- Jun 9, 2026
Malicious code in screenpipe-mcp-http (npm)
1 compromised version
- Jun 9, 2026
Malicious code in multica (npm)
1 compromised version
- Jun 9, 2026
Malicious code in create-docs-mcp (npm)
1 compromised version
- Jun 9, 2026
Malicious code in t-invest-mcp-server (npm)
1 compromised version
- Jun 9, 2026
Malicious code in @sqlite-node/createsql (npm)
16 compromised versions
- Jun 9, 2026
Malicious code in @sql-access/nodesql (npm)
17 compromised versions
- Jun 9, 2026
Malicious code in hey-base32 (npm)
6 compromised versions
- Jun 9, 2026
Malicious code in @sql-trigger/nodesql (npm)
3 compromised versions
- Jun 9, 2026
Malicious code in kecak256 (npm)
4 compromised versions
- Jun 9, 2026
Malware in kecak256
1 compromised version
- Jun 9, 2026
Malicious code in enquriers (npm)
2 compromised versions
- Jun 9, 2026
Malicious code in progerss-cli (npm)
1 compromised version
- Jun 9, 2026
Malware in progerss-cli
1 compromised version
- Jun 9, 2026
Malware in enquriers
1 compromised version
- Jun 9, 2026
Malware in xorma-js
1 compromised version
- Jun 9, 2026
Malware in clsx-js
1 compromised version
- Jun 9, 2026
Malicious code in @doaction/wasm-loader (npm)
2 compromised versions
- Jun 9, 2026
Malicious code in @doaction/types (npm)
2 compromised versions
- Jun 9, 2026
Malware in @doaction/types
1 compromised version
- Jun 9, 2026
Malware in @doaction/wasm-loader
1 compromised version
- Jun 9, 2026
Malicious code in @doaction/systeminformation (npm)
2 compromised versions
- Jun 9, 2026
Malicious code in @doaction/sudo-prompt (npm)
2 compromised versions
- Jun 9, 2026
Malicious code in @doaction/storage (npm)
2 compromised versions
- Jun 9, 2026
Malicious code in @doaction/signalhub (npm)
1 compromised version
- Jun 9, 2026
Malicious code in @doaction/rrweb-sdk (npm)
2 compromised versions
- Jun 9, 2026
Malicious code in @doaction/pay (npm)
2 compromised versions
- Jun 9, 2026
Malicious code in @doaction/mapstore (npm)
2 compromised versions
- Jun 9, 2026
Malicious code in @doaction/http (npm)
2 compromised versions
Page 60 of 4,802