-
Notifications
You must be signed in to change notification settings - Fork 119
Pull requests: ossf/malicious-packages
Author
Label
Projects
Milestones
Reviews
Assignee
Sort
Pull requests list
Malicious packages: npm @wagni_bot campaign — 25 crypto typosquats (postinstall SSH-key + wallet + env stealer, Telegram exfil)
#1365
opened Jul 9, 2026 by
akyroslabs
Contributor
Loading…
Malicious package: npm/antsrcsrctest (preinstall cloud-metadata + env stealer)
#1364
opened Jul 9, 2026 by
akyroslabs
Contributor
Loading…
Add OSV reports for 3 malicious npm packages
#1363
opened Jul 9, 2026 by
KunalSin9h
Contributor
Loading…
Add malicious package report for @injectivelabs/sdk-ts@1.20.21
#1362
opened Jul 9, 2026 by
r-bedekar
Loading…
Add OSV reports for 3 malicious npm packages
#1353
opened Jul 7, 2026 by
KunalSin9h
Contributor
Loading…
Add OSV reports for forge-jsx RAT campaign Wave 4 (npm: zredis-typed, pinokio-redis)
#1349
opened Jul 6, 2026 by
KunalSin9h
Contributor
Loading…
Add OSV reports for click2ai dependency-confusion campaign (npm, 14 packages)
#1348
opened Jul 6, 2026 by
KunalSin9h
Contributor
Loading…
Malicious package: npm/logger-daemon-regex (wallet/secret stealer + remote-control agent, fake Autodesk Forge)
#1347
opened Jul 5, 2026 by
akyroslabs
Contributor
Loading…
Malicious package: npm/fmt-date-lite (date-utility download-execute dropper)
#1345
opened Jul 5, 2026 by
akyroslabs
Contributor
Loading…
fix: recursively merge and deduplicate database_specific maps and arrays
#1317
opened Jun 17, 2026 by
jeffrey-theog06
Loading…
Add initial malosv command for managing the repo.
#1306
opened Jun 11, 2026 by
calebbrown
Contributor
Loading…
fix: scope @browserbasehq/* advisories to only compromised versions
#1139
opened Feb 21, 2026 by
shrey150
Loading…
ProTip!
What’s not been updated in a month: updated:<2026-06-10.