Lucene search
K

41 matches found

Snyk
Snyk
added 2026/05/13 3:57 p.m.10 views

Malicious Package

Overview github.com/BufferZoneCorp/go-weather-sdk is a malicious package. This package contains malicious code designed to compromise developer systems and CI environments, specifically targeting GitHub Actions. The threat actor, operating under the GitHub account BufferZoneCorp, published a...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/05/13 3:57 p.m.9 views

Malicious Package

Overview github.com/BufferZoneCorp/go-retryablehttp is a malicious package. This package contains malicious code designed to compromise developer systems and CI environments, specifically targeting GitHub Actions. The threat actor, operating under the GitHub account BufferZoneCorp, published a...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/05/13 3:57 p.m.8 views

Malicious Package

Overview github.com/BufferZoneCorp/go-metrics-sdk is a malicious package. This package contains malicious code designed to compromise developer systems and CI environments, specifically targeting GitHub Actions. The threat actor, operating under the GitHub account BufferZoneCorp, published a...

9.8CVSS6AI score
Exploits0References2
OSV
OSV
added 2026/05/07 12:52 a.m.26 views

GHSA-W37P-236H-PFX3 Compromise of PyTorch Lightning PyPi Package Versions

Security Advisory: Compromise of PyTorch Lightning PyPI Package Versions Published: 2026-04-30 Last Updated: 2026-05-12 Github Advisory: CVE-2026-44484 We have identified a security incident affecting certain versions of one of our PyPI packages. What happened We have determined that one or more...

9.8CVSS5.9AI score0.00392EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/07 12:52 a.m.12 views

Compromise of PyTorch Lightning PyPi Package Versions

Security Advisory: Compromise of PyTorch Lightning PyPI Package Versions Published: 2026-04-30 Last Updated: 2026-05-12 Github Advisory: CVE-2026-44484 We have identified a security incident affecting certain versions of one of our PyPI packages. What happened We have determined that one or more...

9.8CVSS5.9AI score0.00392EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/04/30 4:53 p.m.8 views

MAL-2026-3201 Malicious code in lightning (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 703ac419d775488be137d7e01517d768da0b5581ab63338fb9523f2289f2b92c Versions 2.6.2, 2.6.3 were compromised. Compromised versions contain injected code that starts automatically during importing the module, downloads legitimate...

5.5AI score
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/04/02 6:36 p.m.7 views

Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions

Impact A supply chain attack on the axios npm package versions 1.14.1 and 0.30.4 introduced a malicious transitive dependency [email protected] that deploys a cross-platform remote access trojan RAT on macOS, Windows, and Linux. The attacker compromised the primary axios maintainer's npm...

6.1AI score
Exploits0References9Affected Software1
OSV
OSV
added 2026/04/02 6:34 p.m.5 views

GHSA-658G-P7JG-WX5G Axios npm Supply Chain Incident Impacting @usebruno/cli

Impact This is a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan RAT. Users of @usebruno/cli who ran npm install between 00:21 UTC and 03:30 UTC on March 31, 2026 may have been...

9.8CVSS5.9AI score0.00234EPSS
Exploits0References7
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/03/26 4:0 a.m.10 views

Malicious code in aquasecurityofficial.trivy-vulnerability-scanner (VSCode:https://open-vsx.org)

--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security b6cab1dae06f51e2aaa57704d8374b6882440070d0796e7b719a85e6f803888b This extension is a compromised version of the offical Trivy VSCode extension available on the Microsoft Marketplace. Versions 1.8.11 and...

5.8AI score
Exploits0References1
Snyk
Snyk
added 2026/03/19 11:0 p.m.5 views

Embedded Malicious Code

Overview @emilgroup/commission-sdk is an A new version of the package Affected versions of this package are vulnerable to Embedded Malicious Code. The publishing pipeline of this package was compromised as the result of Trivy's GitHub Actions compromise and a malicious versions were released on...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2025/09/15 1:24 p.m.5 views

Embedded Malicious Code

Overview ng2-file-upload is an Angular file uploader Affected versions of this package are vulnerable to Embedded Malicious Code. Compromised versions of this package contain a postinstall script called bundle.js that exfiltrates secrets from the affected user's accounts. These versions have been...

9.8CVSS7AI score
Exploits0References2
Snyk
Snyk
added 2025/09/15 7:39 a.m.3 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. Compromised versions of this package contain a file called bundle.js that exfiltrates secrets from the user's accounts, including credentials and API tokens. It also downloads malicious files and repackages them...

9.8CVSS7AI score
Exploits0References2
Snyk
Snyk
added 2025/09/15 7:39 a.m.3 views

Embedded Malicious Code

Overview @ctrl/shared-torrent is a package for shared types and interfaces between torrent clients Affected versions of this package are vulnerable to Embedded Malicious Code. Compromised versions of this package contain a file called bundle.js that exfiltrates secrets from the user's accounts,...

9.8CVSS7AI score
Exploits0References2
The Hacker News
The Hacker News
added 2025/04/23 7:17 a.m.26 views

Ripple's xrpl.js npm Package Backdoored to Steal Private Keys in Major Supply Chain Attack

The Ripple cryptocurrency npm JavaScript library named xrpl.js has been compromised by unknown threat actors as part of a software supply chain attack designed to harvest and exfiltrate users' private keys. The malicious activity has been found to affect five different versions of the package:...

9.3CVSS6.6AI score0.00818EPSS
Exploits2
Vulnrichment
Vulnrichment
added 2025/04/22 8:39 p.m.12 views

CVE-2025-32965 Compromised xrpl.js versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2

xrpl.js is a JavaScript/TypeScript API for interacting with the XRP Ledger in Node.js and the browser. Versions 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of xrpl.js were compromised and contained malicious code designed to exfiltrate private keys. Version 2.14.2 is also malicious, though it is less likely t...

9.3CVSS6.8AI score0.00818EPSS
Exploits2References4
CVE
CVE
added 2025/04/22 8:39 p.m.1032 views

CVE-2025-32965

CVE-2025-32965 affects xrpl.js, a JavaScript/TypeScript API for the XRP Ledger. Versions 4.2.1–4.2.4 and 2.14.2 are compromised, containing malicious code designed to exfiltrate private keys. The High-risk impact includes potential key exposure and compromised confidentiality and integrity of aff...

9.3CVSS6.8AI score0.00818EPSS
Exploits2References4
Positive Technologies
Positive Technologies
added 2025/03/14 12:0 a.m.5 views

PT-2025-11328

Name of the Vulnerable Software and Affected Versions tj-actions changed-files versions prior to 46.0.1 Description A supply chain compromise occurred in the tj-actions/changed-files GitHub Action, affecting over 23,000 repositories. A threat actor compromised a bot account and injected malicious...

8.6CVSS7.7AI score0.41008EPSS
Exploits2References333
The Hacker News
The Hacker News
added 2024/12/07 10:54 a.m.6 views

Ultralytics AI Library Compromised: Cryptocurrency Miner Found in PyPI Versions

In yet another software supply chain attack, it has come to light that two versions of a popular Python artificial intelligence AI library named ultralytics were compromised to deliver a cryptocurrency miner. The versions, 8.3.41 and 8.3.42, have since been removed from the Python Package Index...

7.9AI score
Exploits0
Vulnrichment
Vulnrichment
added 2023/05/03 12:0 a.m.6 views

CVE-2023-1178

An issue has been discovered in GitLab CE/EE affecting all versions from 8.6 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. File integrity may be compromised when source code or installation packages are pulled from a tag or from a...

5.7CVSS5.3AI score0.00894EPSS
Exploits0References3
Rapid7 Blog
Rapid7 Blog
added 2021/11/05 5:1 p.m.29 views

New NPM library hijacks (coa and rc)

On Thursday, November 4, 2021, barely more than a week after ua-parser-js was hijacked, another popular NPM library called coa Command-Option-Argument, which is used in React packages around the world, was hijacked to distribute credential-stealing malware. The developer community noticed somethi...

6.7AI score
Exploits0
Rows per page
Query Builder