→ Worm self-propagation: package reads .npmrc _authToken AND invokes npm publish in install-path code. Shai-Hulud-class shape — no legitimate package re-publishes OTHER packages from the user's machine.
weekly: — /wk | llm verdict: malicious 0.96 | h-score: 52 | patterns: 34 | size: 35.0 MB | versions: 292
AUTO-PUBLISHED/kitchen-sink · 9/npm/
claws-code@0.8.6
by neunaha
Claws — Terminal Control Bridge for VS Code. One command to install.
→ Worm self-propagation: package reads .npmrc _authToken AND invokes npm publish in install-path code. Shai-Hulud-class shape — no legitimate package re-publishes OTHER packages from the user's machine.
weekly: — /wk | llm verdict: malicious 0.96 | h-score: 55 | patterns: 16 | size: 13.6 MB | versions: 6
AUTO-PUBLISHED/npm/
@jacob-ebey/almostnode@0.4.0
by jacob-ebey
Node.js in your browser. Just like that.
steals → AI API keys, Chromium logins → sends to https://github.com/macaly/almostnode.git
The Bold Reports by Syncfusion controls for JavaScript contains ReportViewer and ReportDesigner HTML5 and JavaScript reporting controls for enterprise web development
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
weekly: — /wk | llm verdict: benign 0.85 | h-score: 75 | patterns: 4 | size: 2.7 MB | versions: 2
AUTO-PUBLISHED/npm//MAL-2026-4399
@kedem/okdb@1.8.15
by kedemd
A fast, type-oriented database — strong consistency and rich indexing at the core, with sync, vector embeddings, full-text search, and AI tooling built in. Designed for the AI era.