
252309 matches found

OSV
added yesterday, 2 views

MAL-2026-5999 Malicious code in @mastra/auth-auth0 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b0fbe96c59a0cfac17ddbee22541fc2ba13a1ef82c91d75bc4b202c66aec4e4d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSV
added yesterday, 2 views

MAL-2026-6028 Malicious code in @mastra/memory (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 92f78b0ff07c91489b166d3ba2d6d7405f35c26a8ba156d4f920d5595c3d0f67 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSV
added yesterday, 2 views

MAL-2026-6007 Malicious code in @mastra/client-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 22551bc03157cad1fefb8af44f3b14c9fe9e892c083eb904e512007015e72f9f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 2 views

Malicious code in @mastra/deployer (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware cbd99dea462f2f28099ae0f57cd6c89edd76f08476cd9a6265b1c23defcd2b23 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 6 views

Malicious code in cryptodao-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2b5f3b7ec6eecce3d891664f33660a1c612cdd3c6ac99ba52633ef77a2df543c On npm install, the postinstall hook runs node recon.js, which harvests installer-side secrets and POSTs them over HTTPS with TLS certificate...

AI score: 5.3
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 4 views

Malicious code in cryptodao-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 03ac58e81310f19b32d136445eab91f7ddc776921ff8dfd08bdb91bcdd4a1da6 [email protected] ships a postinstall script recon.js that runs automatically on npm install and harvests installer-side secrets. The script...

AI score: 5.3
Exploits: 0, References: 1

OSV
added yesterday, 2 views

MAL-2026-5961 Malicious code in @mastra/rag (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e9608d74e59d524d1052f6b05c8fba2b9d181452f28a012785eb80cb6764abe3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 5 views

Malicious code in @mastra/fastembed (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c0da5948a94944695bcec24b99ac8a6b9ae7f5f31e8407f8c731379a6fda79c6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 3 views

Malicious code in @mastra/datadog (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 419bbaa0a59a504f999013baee0011006c5cc6326045c0424705d91d3ac10c75 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 3 views

Malicious code in @mastra/editor (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d15cb5bd62365f9e834fc44ed65e0db2c34aae555a5068c706cc9de0567a5fc0 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 4 views

Malicious code in @mastra/otel-bridge (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 713aa738c88e89dcf078ff056e40389e2e9dc23573efcd4e3eed73533a730d28 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSV
added yesterday, 2 views

MAL-2026-5945 Malicious code in @mastra/dynamodb (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 88f1c319acc4591df560a402378efa8b10499f62c6014e785c983eed9c256a87 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSV
added yesterday, 2 views

MAL-2026-5954 Malicious code in @mastra/libsql (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ae3d2946dd7a5ef81d52da321aac5fce8fe40c59a844491d6e6a07c1c84b08ee Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSV
added yesterday, 2 views

MAL-2026-5965 Malicious code in mastra (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 177b60c8d45a21867d69c269f21c334505b8c0298b497cbed321d403be4311f7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.4
Exploits: 0, References: 1

OSV
added 2 days ago, 3 views

MAL-2026-5936 Malicious code in vite-config-field (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e5dabbc9cf746e153391fbe76f4dc54f9bccb9f7fd467d5b80d07c84ab1fb58 [email protected] impersonates the legitimate vite-plugin-pwa package README copies its banner/badges, funding field points at antfu's GitHub...

AI score: 6.1
Exploits: 0, References: 3

NVD
added 2 days ago, 3 views

CVE-2026-0148

In multiple functions of VideoRtpPayloadDecoderNode.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation...

CVSS: 8.8, EPSS: 0.00271
Exploits: 0, References: 1

NVD
added 2 days ago, 6 views

CVE-2026-53864

OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious...

CVSS: 8.1, EPSS: 0.00253
Exploits: 0, References: 2

NVD
added 2 days ago, 7 views

CVE-2026-53843

OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation...

CVSS: 8.8, EPSS: 0.0029
Exploits: 0, References: 2

CVE
added 2 days ago, 3 views

CVE-2026-0160

The vulnerability CVE-2026-0160 affects the TextRtpPayloadDecoderNode, specifically in DecodeT140 of TextRtpPayloadDecoderNode.cpp. It is caused by a missing bounds check that can result in an out-of-bounds write. The documented impact is remote code execution with no additional privileges requir...

CVSS: 8.8, AI score: 6.2, EPSS: 0.00226
Exploits: 0, References: 1, Affected Software: 1

CVE
added 2 days ago, 6 views

CVE-2026-53843

OpenClaw prior to 2026.5.26 contains an authorization bypass where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and al...

CVSS: 8.8, AI score: 5.3, EPSS: 0.0029
Exploits: 0, References: 2, Affected Software: 1