108 matches found
CVE-2025-67727
Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets and write permission...
CVE-2025-67727 Parse Server GitHub CI workflow vulnerable to RCE through Improper Privilege Management
Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets and write permission...
CVE-2025-67727 Parse Server GitHub CI workflow vulnerable to RCE through Improper Privilege Management
Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets and write permission...
MAL-2025-187017 Malicious code in fork-crust-filament-kardashevscale (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eacd2de681ec1c3e693bda71b1a50f3636b7bfc63e53f158913c115b5c5e658e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-177500 Malicious code in poglymer-ognamoh-afiaai (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e6afb2fa45285e7bca408bc4ca27e352a554d1564579c6d775ecfa75eea2b0f2 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-158447 Malicious code in lookingan-nalako38 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 990de35ee357135d32f70c34d0634b86de15a13c657ad67b47c5b94bbbb2458e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-142596 Malicious code in fork-run-script-json-bootstrap (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a487508b75acecea952348bb04e9172b5b203a5e9a7c982696c74b83d7457b0d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-144486 Malicious code in local-fork-postgres-html-webpack-plugin (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7a55b74dedb1f55e866a3e57ff1b1150151ebfce27b4a2d1e0fa1033db37c196 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-132417 Malicious code in cici-dradag80-sluey (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a2dfa35c1b9aef590b0e1de14e2244b9748a074366da50bdb170bc3e2f9116bf This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-128332 Malicious code in loose_limpet_z3n (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c03971c914b9c10fc568d9d0164eca390e5e53b8908ee4194df7e637197d01a4 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in gita-jengkol67-miaww (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d03fd4cf4fe20581142fec8ee2852e1d66a708a499de713d8a7f3a88173205d7 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in hadianto-kue66-miaww (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 516d2d435823bab90868a648d291da4accd0e783073d6a39a6e1a5ba8068adc3 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in putri-peyek37-breki (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4f55590c1df3fb9bb1c1d28bc4c827a7791b5a8bd8ef1288918f3ea54a194550 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-70500 Malicious code in secret-chocolate-haddock (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 54d7bf5dcebb64a8d8783f6a1867987ed01f14577ada5e5c129f3c8bfd3e25fd This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-51008 Malicious code in bayu-teh3-sluey (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 64f9d3b52eda17ef9a03de3a2a2c4b1ff77b0aa060aef67973efe1fd9d61ca2d The package bayu-teh3-sluey was found to contain malicious code. This package appears to be part of the tea.xyz token reward campaign that flooded np...
Chasing One-Day Vulnerabilities across Open Source Forks
Tracking vulnerabilities inherited from third-party open-source components is a well-known challenge, often addressed by tracing the threads of dependency information. However, vulnerabilities can also propagate through forking: a repository forked after the introduction of a vulnerability, but...
Aether - Adaptive Exploit and Threat Hunting Engine for EVM-based Repositories
Aether is a Python-based framework for analyzing Solidity smart contracts, generating vulnerability findings, producing Foundry-based proof-of-concept PoC tests, and optionally validating those tests on mainnet forks. It combines static analysis, prompt-driven LLM analysis, and AI-ensemble...
EUVD-2021-9375
Malicious code in bioql PyPI...
CVE-2025-59416 The Scratch Channel forks can publish articles
The Scratch Channel is a news website. If the user makes a fork, they can change the admins and make an article. Since the API uses a POST request, it will make an article. This issue is fixed in v1.2...
CVE-2025-59416 The Scratch Channel forks can publish articles
The Scratch Channel is a news website. If the user makes a fork, they can change the admins and make an article. Since the API uses a POST request, it will make an article. This issue is fixed in v1.2...