@kvytech/medusa-plugin-product-reviews
MAL-2025-190746
npmmalware11/24/2025
Description
Malicious code in @kvytech/medusa-plugin-product-reviews (npm)
Indicators of Compromise
SHA256 Hashes (4)
abc7d22a0d7983f35edb450765f42de591e8883da0b9a6ed8b5f69b5f754c164
1e7d8c065be2eaeb4187aed0dbe61de9f0f0ee2b51d61330d9211866dff01504
46977680b8249c90d6c0054789dc0835e05c3030ca3670aa706b6265b5beb59d
5417b018a27faf8550b3f908ca2d3ef2a6f5be6c2bb78118c5e49255bdcea841
References (4)
https://github.com/advisories/GHSA-qjqx-mr3f-4f4vOSVhttps://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomainsOSVhttps://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attackOSVhttps://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromisedOSV
Details
Ecosystemnpm
Attack Typemalware
Published11/24/2025
Aliases
GHSA-qjqx-mr3f-4f4v
Quick Actions