5 matches found
MAL-2026-4472 Malicious code in @zhengshuo888/huoke (npm)
Source: amazon-inspector (6f352f11f7811b28966799c9359f99dbbe9829240066504be17c100981dd45ab). On npm install, the package's postinstall hook runs `node bin/huoke.js install-skill`, which uses `execSync` to invoke `curl -fsSL` against...
Trust Boundary Violation
Overview: Affected versions of this package are vulnerable to Trust Boundary Violation due to the Browse method using URLs provided through API responses from authenticated GitHub hosts when users execute gh commands. An attacker in control of a malicious GitHub server can execute arbitrary comman...
go-gh `auth.TokenForHost` violates GitHub host security boundary within a codespace
...
GHSA-55V3-XH23-96GH `auth.TokenForHost` violates GitHub host security boundary when sourcing authentication token within a codespace
Summary: A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. Details: go-gh sources authentication tokens from different environment variables depending on the host involved: - GITHUB_TOKEN...
CVE-2024-53859
The CVE-2024-53859 issue affects the go-gh Go module used to interact with gh and GitHub, where auth.TokenForHost could pull a token from GITHUB_TOKEN (or GH_TOKEN) for non‑GitHub hosts when running in a codespace prior to version 2.11.1. In 2.11.1, token sourcing is restricted to GitHub.com or g...