
57707 matches found

The Hacker News
added 1 hour ago, 3 views

Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer

The Miasma supply chain campaign has sparked a fresh attack wave called Hades, this time involving 37 malicious wheel artifacts across 19 packages in the Python Package Index (PyPI) registry, as the Mini Shai-Hulud-style attacks continue to be refined and splintered to target specific ecosystems...

6.2 AI score
Exploits: 0

GithubExploit
added 2 hours ago, 5 views

injection_exploit

Injection Exploit SQLi 6 engines + SSTI 11 engines — GET/...

5.5 AI score
Exploits: 0

Nuclei
added 4 hours ago, 10 views

Google ADK-Python - Unauthenticated Builder Endpoint

Google Agent Development Kit (ADK) 1.7.0 through 1.28.1 and 2.0.0a1 through 2.0.0a2 on Python OSS, Cloud Run, and GKE contains a code injection and missing authentication vulnerability, letting unauthenticated remote attackers execute arbitrary code on the server, exploit requires no authentication...

10 CVSS, 6 AI score, 0.04745 EPSS
Exploits: 0, References: 1

Nuclei
added 4 hours ago, 26 views

Contentful <=2020-05-21 - Cross-Site Scripting

Contentful through 2020-05-21 for Python contains a reflected cross-site scripting vulnerability via the api parameter to the-example-app.py. id: CVE-2020-13258 info: name: Contentful alert...

6.1 CVSS, 6.1 AI score, 0.01677 EPSS
Exploits: 1, References: 4

Nuclei
added 4 hours ago, 37 views

Python Flask-Security - Open Redirect

Python Flask-Security contains an open redirect vulnerability. Existing code validates that the URL specified in the next parameter is either relative or has the same network location as the requesting URL. Certain browsers accept and fill in the blanks of possibly incomplete or malformed URLs. A...

6.1 CVSS, 6.7 AI score, 0.17067 EPSS
Exploits: 1, References: 5

Nuclei
added 4 hours ago, 36 views

Pypiserver <1.2.5 - Carriage Return Line Feed Injection

Pypiserver through 1.2.5 and below is susceptible to carriage return line feed injection. An attacker can set arbitrary HTTP headers and possibly conduct cross-site scripting attacks via a %0d%0a in a URI. id: CVE-2019-6802 info: name: Pypiserver 1.2.5 - Carriage Return Line Feed Injection author...

6.1 CVSS, 6.3 AI score, 0.0129 EPSS
Exploits: 1, References: 5

Nuclei
added 4 hours ago, 35 views

Langflow AI - Unauthenticated Remote Code Execution

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. id: CVE-2025-3248 info: name: Langflow AI - Unauthenticated Remote Code Execution author: nvn172...

9.8 CVSS, 8.6 AI score, 0.92853 EPSS
Exploits: 33, References: 2

OSSF Malicious Packages
added yesterday, 4 views

Malicious code in xfoofoox (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 94e46dfacc8ffb015e2258d96dedda0eebb7118144ace7021794c88b319ade14 During import, the package starts a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...

5.8 AI score
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 4 views

Malicious code in solana-cli-py (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 d1906f26c40e0ea91316c6c85ba5fea16d52a711c7a5edf3d847578cdd653715 During import, the package exfiltrates sensitive data credentials, SSH keys, cryptowallet's data. It also establishes persistence via a cronjob. --- Category:...

5.6 AI score
Exploits: 0, References: 1

OSV
added yesterday, 3 views

MAL-2026-5337 Malicious code in solana-web3 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 91c09b86579a07d271d3bcd57adf5b5b161e49e36c3bd7af09c50dd8127aa54f During import, the package exfiltrates sensitive data credentials, SSH keys, cryptowallet's data. It also establishes persistence via a cronjob. --- Category:...

5.6 AI score
Exploits: 0, References: 1

OSV
added yesterday, 2 views

MAL-2026-5335 Malicious code in xfoobar (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a54c1c17d20a069af19c48751aada9e426bcbf55484c360cf21ac70f35d3d0dd During import, the package starts a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...

5.8 AI score
Exploits: 0, References: 1

OSSF Malicious Packages
added yesterday, 7 views

Malicious code in spaysrbx (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 21c6a7c2bf656df8e570edbe60daa7af52e1e0df0eae906de41f47dcf6eb0ede The package exfiltrates Roblox cookies from the victim machine. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaig...

5.5 AI score
Exploits: 0, References: 1

CVE
added yesterday, 8 views

CVE-2026-11393

Affected software: AgentCore CLI (v0.14.2 fix). Vulnerable path: Python code generation in AgentCore CLI before v0.14.2. Root cause: improper neutralization of triple-quote characters during code generation, enabling an authenticated remote actor to run arbitrary code. Impact: potential execution...

9 CVSS, 6.3 AI score
Exploits: 0, References: 5

OSSF Malicious Packages
added yesterday, 4 views

Malicious code in xforpy (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 6ebd6a0497e01ef631a2c357263bd1af23d88e8d9a9ae46fe39110571949198c During import, the package starts a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...

5.8 AI score
Exploits: 0, References: 1

OSV
added yesterday, 2 views

MAL-2026-5332 Malicious code in xforpy (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 6ebd6a0497e01ef631a2c357263bd1af23d88e8d9a9ae46fe39110571949198c During import, the package starts a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...

5.8 AI score
Exploits: 0, References: 1

OSV
added yesterday, 3 views

MAL-2026-5330 Malicious code in bittensor-burn-alert (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 fe199e0ca267ae05d6213339b5d925218af5b5c2d884dfb4c74bc99b81a19c0f The package contains code to steal clipboard content to a predefined remote location. If run in the right way, the code will periodically check the clipboard a...

5.6 AI score
Exploits: 0, References: 1

IBM Security Bulletins
added yesterday, 6 views

Security Bulletin: Security vulnerability in Python affects IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak

Summary A security vulnerability in Python affects IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak. Python is used by IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak as part of its deployment. This bulletin identifies the fixes...

8.8 CVSS, 6 AI score, 0.0015 EPSS
Exploits: 2, Affected Software: 1

OSV
added yesterday, 2 views

MAL-2026-5329 Malicious code in spaysdatarbx (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 31b0b97326861aabb747f26e130a5dbda5ac78100fafbb3a3327b1981119e3a6 The package exfiltrates Roblox cookies from the victim machine. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaig...

5.5 AI score
Exploits: 0, References: 1

OSV
added yesterday, 3 views

ROOT-OS-DEBIAN-13-CVE-2026-8643 CVE-2026-8643 in rootio-python-pip - Patched by Root

Root has patched CVE-2026-8643 in the rootio-python-pip package for Root:Debian:13. Multiple fixed versions available...

8 CVSS, 5.4 AI score, 0.00025 EPSS
Exploits: 0

OSSF Malicious Packages
added yesterday, 4 views

Malicious code in bt-burn-watch (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 5a0dd195fc668347e830720566418c11620979a0c2344723fbddb1497d8bf9e8 The package contains code to steal clipboard content to a predefined remote location. If run in the right way, the code will periodically check the clipboard a...

5.6 AI score
Exploits: 0, References: 1