MAL-2023-1142 Malicious code in commentrating (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 87db588ebd8e7a42cbbbbf7fc21caa36fc553172a0ff4c4e9a58ce9354d62e7f The OpenSSF Package Analysis project identified 'commentrating' @ 99.9.1 npm as malicious. It is considered malicious because: - The package...
MAL-2023-1278 Malicious code in rb-notification-banner (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis faed09cda269c58908aa898798259bd292fcce98a8f5a60f486a4c26bb84d15a The OpenSSF Package Analysis project identified 'rb-notification-banner' @ 1.0.0 npm as malicious. It is considered malicious because: - The...
MAL-2023-1163 Malicious code in donuts.node-build (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 6b8d6fee5827de9688cc9b83812dc32e54e33531a0bd2fd179dc3e2935564dc7 The OpenSSF Package Analysis project identified 'donuts.node-build' @ 99.99.104 npm as malicious. It is considered malicious because: - The...
MAL-2023-1161 Malicious code in documentation-ably-realtime (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 3f6bf5586a7addf25073456bb7b754dafa5c124cc264cb37b2005088598555ee The OpenSSF Package Analysis project identified 'documentation-ably-realtime' @ 1.0.2 npm as malicious. It is considered malicious because: - Th...
MAL-2023-1228 Malicious code in links-3 (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 870f8306aa2e95828fa2fdd771044248f7d5e8e715304b6818773620e5c7a1b2 The OpenSSF Package Analysis project identified 'links-3' @ 9.0.1 npm as malicious. It is considered malicious because: - The package communicat...
MAL-2023-1422 Malicious code in yc-as-client (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 9df89f5f0260f38e93635cc5df99e7ea267d4c07f25e1446a49c08fdf21befe7 The OpenSSF Package Analysis project identified 'yc-as-client' @ 11.11.3 pypi as malicious. It is considered malicious because: - The package...
MAL-2023-3 Malicious code in @hyperion-util/script-loader (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis fabcfd39cc4468aaddf92dd77dc548149fa6f7f8d09de7dc5af550bf8fbc2b81 The OpenSSF Package Analysis project identified '@hyperion-util/script-loader' @ 77.77.79 npm as malicious. It is considered malicious because: ...
MAL-2023-1283 Malicious code in redirect-support (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis d6c36381ca8139def8823ca52a07b58b0dc131a8960f3deb17f749cbe3870794 The OpenSSF Package Analysis project identified 'redirect-support' @ 1.0.3 npm as malicious. It is considered malicious because: - The package...
MAL-2023-1279 Malicious code in react-div-100vh-test (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 9b9718c1f5170d44298bb0ef93d114e752ea42231e924e5c895add2f21e3c18a The OpenSSF Package Analysis project identified 'react-div-100vh-test' @ 9.0.0 npm as malicious. It is considered malicious because: - The packa...
MAL-2023-1238 Malicious code in mm-docs-v-2 (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis e164ce9b5bafc633c26d087af362bfe0ae909af588fc1b193b9c79f3b956c030 The OpenSSF Package Analysis project identified 'mm-docs-v-2' @ 1.0.0 npm as malicious. It is considered malicious because: - The package...
MAL-2023-815 Malicious code in status-proxy (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b10a602645ddd4d227f1c552a8c7102f15fae01c77fc2fd672ed3304d49e76c9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2023-616 Malicious code in nayduck (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware cb0f8f1fb55d7c0ab3534b324088d7e45c50a528a69143855696fd38a053e03f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2023-989 Malicious code in yandex-passport-vault-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e5ec06c5f507c87c261fef04893899d0656796eae3510e71635067b7912f25c3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2023-995 Malicious code in yandex-yt-yson-bindings (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 1ef8f5064d17e16f308f05ff124d515f803d1acfdc65fa58b4c26a8ac52041b2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2023-262 Malicious code in django-idm-api (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7500205256afd3e70ea8edbcfa2b5acf17cc55d212296b698b47098c635ef9a9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2023-263 Malicious code in django-pgaas (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware af2de826396a82e1611c1de3d77a409bafde0f0f0cc57a5623b149b90a48d3e1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
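The entries above each name a package and (for the ossf-package-analysis records) the exact version that was flagged, which is what you need to sweep a lockfile. The following is an added example, not code from OSV or the OpenSSF Package Analysis project: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3) and reports any dependency, nested or top-level, that matches a package@version pair listed above. The lockfile is constructed inline for the demo; the version lists are only what the truncated snippets show, so the real OSV records may cover more versions, and the six ghsa-malware entries give no version at all, so every version of those names is flagged. `yc-as-client` is a PyPI package and is left out of an npm check.

```javascript
// Added example (not OSV / OpenSSF Package Analysis code): match an npm
// lockfile against the malicious package@version pairs listed in the
// MAL-2023-* advisories above.

// name -> flagged versions, copied from the ossf-package-analysis entries
// above. The snippets are truncated, so treat this list as a lower bound.
const KNOWN_MALICIOUS = {
  "commentrating": ["99.9.1"],
  "rb-notification-banner": ["1.0.0"],
  "donuts.node-build": ["99.99.104"],
  "documentation-ably-realtime": ["1.0.2"],
  "links-3": ["9.0.1"],
  "@hyperion-util/script-loader": ["77.77.79"],
  "redirect-support": ["1.0.3"],
  "react-div-100vh-test": ["9.0.0"],
  "mm-docs-v-2": ["1.0.0"],
};

// ghsa-malware entries above carry no version in the snippet; any version
// of these names is a hit.
const KNOWN_MALICIOUS_ANY_VERSION = new Set([
  "status-proxy",
  "nayduck",
  "yandex-passport-vault-client",
  "yandex-yt-yson-bindings",
  "django-idm-api",
  "django-pgaas",
]);

// Lockfile v2/v3 "packages" keys look like "node_modules/<name>" or, for
// nested installs, "node_modules/<a>/node_modules/<name>". The package name
// is everything after the last "node_modules/", which also keeps scoped
// names such as "@hyperion-util/script-loader" intact.
function packageNameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  if (idx === -1) return null; // "" is the root project entry, not a dependency
  return key.slice(idx + marker.length);
}

// Returns one record per matching dependency: name, installed version, the
// lockfile path (so you can see which parent pulled it in) and the source.
function findMaliciousDependencies(lockfile) {
  const hits = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromLockKey(key);
    if (!name) continue;
    const version = entry.version;
    if (KNOWN_MALICIOUS_ANY_VERSION.has(name)) {
      hits.push({ name, version, path: key, source: "ghsa-malware (all versions)" });
    } else if ((KNOWN_MALICIOUS[name] || []).includes(version)) {
      hits.push({ name, version, path: key, source: "ossf-package-analysis" });
    }
  }
  return hits;
}

// Constructed sample lockfile (hypothetical project "demo-app"). links-3 is
// pinned to a version the advisory above does not list, so it is not flagged.
const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/commentrating": { version: "99.9.1" },
    "node_modules/links-3": { version: "9.0.0" },
    "node_modules/some-lib/node_modules/@hyperion-util/script-loader": { version: "77.77.79" },
    "node_modules/nayduck": { version: "0.0.3" },
  },
};

// Usage: replace SAMPLE_LOCKFILE with JSON.parse(fs.readFileSync("package-lock.json"))
console.log(findMaliciousDependencies(SAMPLE_LOCKFILE));
```

A hit on a ghsa-malware entry means what the advisory text says: treat the host that installed it as compromised and rotate every secret that was reachable from it, rather than just bumping the dependency.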
Microsoft contributes S2C2F to OpenSSF to improve supply chain security
On August 4, 2022, Microsoft publicly shared a framework (PDF) that it has been using to secure its own development practices since 2019, the Secure Supply Chain Consumption Framework (S2C2F), previously the Open Source Software-Supply Chain Security (OSS-SSC) Framework. As a massive consumer of and...
Node.js 14.x < 14.20.1 / 16.x < 16.17.1 / 18.x < 18.9.1 Multiple Vulnerabilities (September 23rd 2022 Security Releases).
The version of Node.js installed on the remote host is prior to 14.20.1, 16.17.1 or 18.9.1 on its release line. It is, therefore, affected by multiple vulnerabilities as referenced in the September 23rd 2022 Security Releases advisory. - The fix for CVE-2022-32212 covered the cases for routable IP addresses, however,...
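The advisory title gives one fixed version per supported release line, so "is this host vulnerable" is a per-line comparison, not a single threshold. The following is an added example, not scanner or Node.js project code: it parses a version string (with or without the `v` prefix that `process.version` carries), looks up the fixed version for that major line, and reports `vulnerable`, `patched`, or `unknown` for lines the advisory does not mention (a line absent from the advisory is not evidence that it is safe). The fixed versions are the three from the title above; prerelease suffixes are ignored, which is an assumption of this demo.

```javascript
// Added example (not Node.js project or vulnerability-scanner code): check an
// installed Node.js version against the September 23rd 2022 security
// releases. Fixed versions per major line come from the advisory title:
// 14.x < 14.20.1, 16.x < 16.17.1, 18.x < 18.9.1.
const FIXED_IN = {
  14: [14, 20, 1],
  16: [16, 17, 1],
  18: [18, 9, 1],
};

// Accepts "18.9.0", "v18.9.0" or "v18.9.0-nightly..." and returns [major,
// minor, patch] as numbers. Prerelease/build suffixes are dropped (assumption).
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`unparseable Node.js version: ${s}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic comparison of [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { version, status, fixedIn } where status is "vulnerable",
// "patched" or "unknown" (major line not covered by this advisory).
function assessNodeVersion(installed) {
  const v = parseVersion(installed);
  const fixed = FIXED_IN[v[0]];
  if (!fixed) {
    return { version: v.join("."), status: "unknown", fixedIn: null };
  }
  const status = compareVersions(v, fixed) < 0 ? "vulnerable" : "patched";
  return { version: v.join("."), status, fixedIn: fixed.join(".") };
}

// Usage: run under the Node.js you want to check; it reports on itself.
console.log(assessNodeVersion(process.version));
```

On a fleet, feed the output of `node --version` from each host into `assessNodeVersion` and alert on both `vulnerable` and `unknown`; the latter catches end-of-life lines (such as 12.x) that received no fix at all.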
Node.js: Node 18 reads openssl.cnf from /home/iojs/build/... upon startup.
A vulnerability was discovered in Node.js 18.4.0 where it attempted to read an openssl.cnf file from a specific location upon startup. This could potentially allow an attacker with a self-chosen username to affect the OpenSSL configuration of other users on a shared Linux host...