254 matches found
Malicious code in brave-search-mcp-server (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis d7d65e78a73a4cc2064d0ab9210a76c7c55f69553b70879dd649d7ad84e48dc0 The OpenSSF Package Analysis project identified 'brave-search-mcp-server' @ 1.0.0 npm as malicious. It is considered malicious because: - The...
MAL-2026-5097 Malicious code in cms-storehub (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware dda5fa0b4771a3299568c8dd8d17d5663d9c8ae782b8c71f4a2baf0ce1f8e5ee Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @neon-i18n/core-ui (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis dbdc5bd090d8e85771f77fa3a7a113e08fbfb31de54ae399ed92565bdac246df The OpenSSF Package Analysis project identified '@neon-i18n/core-ui' @ 99.99.99 npm as malicious. It is considered malicious because: - The...
MAL-2026-4839 Malicious code in hellowornd (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0e9b9637d126bc60120f015b0af88898fae5cf613a015fd572ab74d2554e6d7f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2026-4832 Malicious code in mse-authentication (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis a953627a77037de50d82384daca1d98d101c4c09b315ab91fd597a43557fbd99 The OpenSSF Package Analysis project identified 'mse-authentication' @ 99.0.1 npm as malicious. It is considered malicious because: - The packag...
Malicious code in @design-system-coopeuch/web (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a871445c3913d747a2f1383bcfdac02d6dec26ddb2053260340284cf4ee02233 Package @design-system-coopeuch/[email protected] is a dependency-confusion squat of an internal-looking scope, published at an inflated 999.x version to...
MAL-2026-3589 Malicious code in nextmove-mcp (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware df7f916a0e0b35995c3bb3ad68e6686d75a52472172d505eee44bf060e54c105 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...
Spring Office Hours Podcast: S5E15 - Upgrading Spring and OSS Security
Join Dan Vega and DaShaun Carter for the latest updates from the Spring Ecosystem. In this episode, Dan and DaShaun tackle two challenges every Spring developer faces: keeping applications up to date and staying ahead of security vulnerabilities in open source dependencies. They explore how AI...
MAL-2026-3336 Malicious code in @channel_bot/xa0 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector af511b868a0f1a7152f2b73076b3741da38a5ec9f8b2652af8384ca1890d9372 The package @channelbot/xa0 was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-3294 Malicious code in ally-allowlist (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a086e259ec0972dac4c5fa5c2e204b09c2158df4e01326321b84676837b85be9 The package ally-allowlist was found to contain malicious code. Source: ossf-package-analysis...
Malicious code in @athena-portal/themes (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9ceef23383971e2a8f5f8f790c03e71fe17b0a7fc7dee044e2fd39424ce20856 The package @athena-portal/themes was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-3313 Malicious code in service-gateway (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e0624202d6a746245b4be59c683dc5b0ca64a43bc9524db9388f9f0a7be45d57 The package service-gateway was found to contain malicious code. Source: ghsa-malware 0e3831827037ebf97303c3c075e47b0e1ece3d2c6b38ca75aa2b3d1f7d0a2f0...
security-advisories
Security Advisories Public write-ups and PoCs for CVEs I've d...
MAL-2026-3187 Malicious code in apple-appstore-full-library-utility (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7c81abc0b0ca85dceebddbddb78e6e2d6d05f87331f11b9a1190ad29d10adb4a The package apple-appstore-full-library-utility was found to contain malicious code. Source: ghsa-malware...
MAL-2026-3189 Malicious code in react-video-canvas (npm)
Dependency confusion and typosquatting campaign by threat actor "saif777". Packages use inflated version numbers 9999.9999.9999, 9999.9999.10000, 50.50.50, 7.66.5 to win version resolution in environments with private registries. All active packages execute a postinstall hook "node index.js" that...
MAL-2026-3140 Malicious code in fivem-monitor (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46a604a0acf84f672e7a3235e103f365f9d9f704c96faa12dcb5b9b0a9806004 The package fivem-monitor was found to contain malicious code. Source: ghsa-malware bea91e9a2c853e88f029684fb53cecc15f1960b1ccafb583b1da52a754f9ee4d...
Malicious code in @apiary-annex/title (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a21d55a19694bb77a748bff53e74597f9c1ed88df95f421975af40efe38a4183 The package @apiary-annex/title was found to contain malicious code. Source: ghsa-malware...
MAL-2026-3055 Malicious code in @apple-pay-trust/validate-merchant (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 04e899c9f267696289778cbf0c2c4f8da289e47bb3bce95ffa4fa4e3fe290722 The package @apple-pay-trust/validate-merchant was found to contain malicious code. Source: ghsa-malware...
Malicious code in apollo-landing (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 47cb6abcb11f6d62fb52ef331d93bf4c2d5faacb9a4f91386aa6fb06e03b7bef The package apollo-landing was found to contain malicious code. Source: ghsa-malware ed937449ad5ded3d0430063ec8da96faa5c685d89f612418710856e92d1b6438...