Malicious packages
Malware feed
Every package version published with malicious code, federated from OSV.dev's MAL-* feed: GitHub malware advisories, Snyk, PyPI removed-malware, OSS-Fuzz, and others. These are not CVE-style vulnerabilities — they're intentionally malicious uploads (typosquats, compromised maintainer tokens, worm-style campaigns like Shai-Hulud).
Recent advisories
255,981 total · sorted newest first- Jun 29, 2026
Malicious code in @img-hls/vtt.js (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @hg-aka-prml/tapas-common (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @fed-sofia/jetify (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @e50/utils (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @druidsoft/botframework-directlinejs (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @ddh-libs/analytics (npm)
- Jun 29, 2026
Malicious code in @cxp-shared/string-utilities (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @contenteditor-shared/content-editor-common (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @content-editor/common (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @services-lib/application-http-client (npm)
- Jun 29, 2026
Malicious code in @sentryx-libraries/auth-interceptor (npm)
- Jun 29, 2026
Malicious code in @rmlibrary/formatting (npm)
- Jun 29, 2026
Malicious code in @reference-web/pmp-i18n (npm)
- Jun 29, 2026
Malicious code in @rakuten-rewards/messaging-sdk-js (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @rakuten-rewards/messaging-sdk (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @partner-apps/ui (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @multformats/multiaddr (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @live-backstage-im/communication-chat (npm)
1 compromised version
- Jun 29, 2026
Malicious code in ltididp1 (npm)
- Jun 29, 2026
Malicious code in alpine-csp (npm)
- Jun 29, 2026
Malicious code in @lexisnexisrisk/insider-threat-platform (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @huobi-ui/activity-components (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @gm-rvg/root-config (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @gallup/pc-utils (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @finantix/webcomponents (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @experian-shared/services (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @anna-money/anna-web-lib (npm)
1 compromised version
- Jun 29, 2026
Malicious code in gel-bootstrap (npm)
- Jun 29, 2026
Malicious code in @sumoinc/trashpanda (npm)
- Jun 29, 2026
Malicious code in wac-atl-context (npm)
1 compromised version
- Jun 29, 2026
Malicious code in rc-icon (npm)
- Jun 29, 2026
Malicious code in player-theming (npm)
- Jun 29, 2026
Malicious code in player-core-ui (npm)
- Jun 29, 2026
Malicious code in magwien.sys (npm)
- Jun 29, 2026
Malicious code in cmp-api-stub (npm)
1 compromised version
- Jun 29, 2026
Malicious code in cdocs-markdoc (npm)
- Jun 29, 2026
Malicious code in cdocs-data (npm)
- Jun 29, 2026
Malicious code in app-hotmart-blog-headless (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @shopbop/api-models (npm)
- Jun 29, 2026
Malicious code in @mcconnect/mcc-common-lib (npm)
- Jun 29, 2026
Malicious code in @grappi/automations (npm)
1 compromised version
- Jun 29, 2026
Malicious code in @gartnerx/gx-npm-messenger-util (npm)
- Jun 29, 2026
Malicious code in @bapiweb-ux/bapi-header (npm)
- Jun 29, 2026
Malicious code in pvd3 (npm)
2 compromised versions
- Jun 29, 2026
Malicious code in hrb-cas-auth-js (npm)
- Jun 29, 2026
Malicious code in @flipbit2-bb/scope-test (npm)
- Jun 29, 2026
Malicious code in clx-cookieparser (npm)
7 compromised versions
- Jun 29, 2026
Malicious code in bundrix (npm)
1 compromised version
- Jun 29, 2026
Malicious code in nhmpy (PyPI)
2 compromised versions
- Jun 29, 2026
Malicious code in mflux-streamlit (PyPI)
2 compromised versions
Page 84 of 5,120