Malicious packages
Malware feed
Every package version published with malicious code, federated from OSV.dev's MAL-* feed: GitHub malware advisories, Snyk, PyPI removed-malware, OSS-Fuzz, and others. These are not CVE-style vulnerabilities — they're intentionally malicious uploads (typosquats, compromised maintainer tokens, worm-style campaigns like Shai-Hulud).
Recent advisories
255,886 total · sorted newest first- Jul 7, 2026
Malicious code in @inheritdoc/n (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @indriver-tools/whisperwind (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @housecallpro/marketing-site (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @gutierre0x80/ads.components.button (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @gs-select/savings-client-application (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @gs-select/client-sbl-application (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @gpbw-fcop-ui-packages/theme (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @frontembed/testtest (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @frontembed/lib (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @endurosat/stellar-ui (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @driivz/component-library (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @deathpoolxrs/dependency-confusion-poc (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @datatrain/passenger (npm)
2 compromised versions
- Jul 7, 2026
Malicious code in @dany47/csec-form-helpers (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @dany47/csec-crypto-utils (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @combinezone/theme (npm)
2 compromised versions
- Jul 7, 2026
Malicious code in @combinezone/core (npm)
2 compromised versions
- Jul 7, 2026
Malicious code in @cashback/postal-premium (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @cashback/how-it-works-widget (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @cashback/auth (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @buglab/pino-pretty-logger (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @bmg-web/bmg-styles (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @bmg-web/bmg-spinner (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @bmg-web/bmg-snackbar (npm)
2 compromised versions
- Jul 7, 2026
Malicious code in @bmg-web/bmg-review-basket (npm)
2 compromised versions
- Jul 7, 2026
Malicious code in @bmg-web/bmg-multiselect (npm)
2 compromised versions
- Jul 7, 2026
Malicious code in @bmg-web/bmg-key-value (npm)
2 compromised versions
- Jul 7, 2026
Malicious code in @bmg-web/bmg-core (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @athena-ui-components/utils (npm)
2 compromised versions
- Jul 7, 2026
Malicious code in @athena-ui-components/user-activity (npm)
2 compromised versions
- Jul 7, 2026
Malicious code in @athena-ui-components/pubsub-bridge (npm)
2 compromised versions
- Jul 7, 2026
Malicious code in @athena-ui-components/layout (npm)
2 compromised versions
- Jul 7, 2026
Malicious code in @athena-ui-components/lang (npm)
2 compromised versions
- Jul 7, 2026
Malicious code in @athena-ui-components/hooks (npm)
2 compromised versions
- Jul 7, 2026
Malicious code in @athena-ui-components/helpers (npm)
2 compromised versions
- Jul 7, 2026
Malicious code in @athena-ui-components/graceful-degradation (npm)
2 compromised versions
- Jul 7, 2026
Malicious code in @asurion-core/eventualize-react-b (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @asurion-core/eventualize-react- (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @apps-locations/events (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @apps-legacy-reports/events (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @applicationbuildingcenter/xcube-schema (npm)
2 compromised versions
- Jul 7, 2026
Malicious code in @app-tray-ui/stencil-component (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @aoflcorp/freighter (npm)
1 compromised version
- Jul 7, 2026
Malicious code in @alphasedboy/game (npm)
3 compromised versions
- Jul 7, 2026
Malicious code in @2011-08-19/n (npm)
2 compromised versions
- Jul 7, 2026
Malicious code in zzzltestfoobarxyz (RubyGems)
2 compromised versions
- Jul 7, 2026
Malicious code in zzwmgweb02 (RubyGems)
1 compromised version
- Jul 7, 2026
Malicious code in zzwandtemp1778552518 (RubyGems)
2 compromised versions
- Jul 7, 2026
Malicious code in zzwandsxabc119 (RubyGems)
1 compromised version
- Jul 7, 2026
Malicious code in zztxtwtmp14 (RubyGems)
1 compromised version
Page 24 of 5,118