⚡ Weekly Recap: Hot CVEs, npm Worm Returns, Firefox RCE, M365 Email Raid & More

Hackers aren't kicking down the door anymore. They just use the same tools we use every day — code packages, cloud accounts, email, chat, phones, and "trusted" partners — and turn them against us. One bad download can leak your keys. One weak vendor can expose many customers at once. One guest...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. The package was flagged as malicious during the Sha1-hulud supply chain attack. Although the Sha1-hulud IoCs are not present within the package, the contents of the affected version were removed from the officia...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. The package was flagged as malicious during the Sha1-hulud supply chain attack. Although the Sha1-hulud IoCs are not present within the package, the contents of the affected version were removed from the officia...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. The package was flagged as malicious during the Sha1-hulud supply chain attack. Although the Sha1-hulud IoCs are not present within the package, the contents of the affected version were removed from the officia...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. The package was flagged as malicious during the Sha1-hulud supply chain attack. Although the Sha1-hulud IoCs are not present within the package, the contents of the affected version were removed from the officia...

Malicious code in @lokeswari-satyanarayanan/rn-zustand-expo-template (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 73fe3bd99e2f11ab8bb09a9086c4dca8af56372031492ed11d90f1e32a0e8f53 The package @lokeswari-satyanarayanan/rn-zustand-expo-template was found to contain malicious code. Source: google-open-source-security...

Malicious code in @posthog/heartbeat-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4b0402071ebf395126c5e1e90681622f203d9744eca75a1f2061a6a2d030cdcc The package @posthog/heartbeat-plugin was found to contain malicious code. Source: google-open-source-security...

Malicious code in @voiceflow/eslint-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c4db5527f8a6098b9553e656b50ee1e0fcae45b163917de83299e9e5200ff96f The package @voiceflow/eslint-config was found to contain malicious code. Source: ghsa-malware...

Malicious code in @voiceflow/react-chat (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7450440b7c3368ef719fcfa9511d7984fc38ed8b5279f4e49f414f588446915e The package @voiceflow/react-chat was found to contain malicious code. Source: ghsa-malware...

MAL-2025-191255 Malicious code in @oku-ui/dialog (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 25f15df16cf4e34ba65ddc24116d624b40ec91b0a9d12bacec8f2afd6ea3bc27 The package @oku-ui/dialog was found to contain malicious code. Source: google-open-source-security...

MAL-2025-191364 Malicious code in @voiceflow/pino (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 980243b18346b941c1cb5c2390751258de1c019b02526dbbd7ad2b2e41069656 The package @voiceflow/pino was found to contain malicious code. Source: google-open-source-security...

MAL-2025-191278 Malicious code in @oku-ui/toggle (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a0d0819bf4913c5aabf31547b239ee5407c6e581d71ef7d041451c7f162314c1 The package @oku-ui/toggle was found to contain malicious code. Source: google-open-source-security...

MAL-2025-191259 Malicious code in @oku-ui/hover-card (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 49011592cdb157147144c2972c03c4ec153b1d0076d2aa6d45dce878247a77fc The package @oku-ui/hover-card was found to contain malicious code. Source: google-open-source-security...

Malicious code in @oku-ui/presence (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9ccfe3cd227dfd52c2a7bb6d2c15fc511a5d1baab2eb3378960905005e421b9a The package @oku-ui/presence was found to contain malicious code. Source: google-open-source-security...

Malicious code in pkg-readme (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bfc479ddf04c9b4dccdd1b190ab6a553b8b70b35dd010db9a2f6facee0990c78 The package pkg-readme was found to contain malicious code. Source: ghsa-malware 1367f46db577db5123a8d208e0f5d172747a39e623e7c33db0a7e240d28f9d2a Any...

Malicious code in @oku-ui/alert-dialog (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 824a69f83431a766f681bc72d705ff3b28ae9309898b4ad10979adca148f2276 The package @oku-ui/alert-dialog was found to contain malicious code. Source: google-open-source-security...

Malicious code in @voiceflow/metrics (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector db3392082319ffd4259935cf7d4eae448c38fdea2e5d9a1749c26a991fd78dc1 The package @voiceflow/metrics was found to contain malicious code. Source: ghsa-malware...

Malicious code in @oku-ui/arrow (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 085e9cbdb891d5b550a81a42584b1cdd8ab001a9443b162158aa633ce18b1e06 The package @oku-ui/arrow was found to contain malicious code. Source: google-open-source-security...

Malicious code in @voiceflow/runtime (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6a8c6b88ad67d8ceece37df9641f6712f7047aa566957d0937eb3ca99aed10dd The package @voiceflow/runtime was found to contain malicious code. Source: ghsa-malware...

MAL-2025-191387 Malicious code in @voiceflow/widget (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ac19bf504aadbfdca19efac5f7d258c14c541a1f9747324e00da8220b0b1d785 The package @voiceflow/widget was found to contain malicious code. Source: google-open-source-security...