103 matches found
CVE-2026-49993 @nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)
Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder from versions 3.15.4 to before 3.21.7 and 4.0.0 to before 4.4.7, there is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack /...
Grafana Says It Rejected Ransom Demand After Source Code Theft
Grafana says hackers stole its source code after accessing a GitHub token, but no customer data or systems were affected...
CVE-2025-56647
Affected product: npm @farmfe/core
PT-2026-7857
Name of the Vulnerable Software and Affected Versions @farmfe/core versions prior to 1.7.6 Description The development server does not validate the origin when establishing WebSocket connections. This allows attackers to monitor developers using Farm who visit a malicious webpage and potentially...
Farm security vulnerability
Farm is a web building tool developed by Farm OpenSource. Versions of Farm prior to 1.7.6 contained security vulnerabilities. These vulnerabilities stemmed from a lack of source verification in WebSocket, which could allow attackers to monitor developers and steal source code...
Malicious VS Code AI Extensions with 1.5 Million Installs Steal Developer Source Code
Cybersecurity researchers have discovered two malicious Microsoft Visual Studio Code (VS Code) extensions that are advertised as artificial intelligence (AI)-powered coding assistants, but also harbor covert functionality to siphon developer data to China-based servers. The extensions, which have 1.5...
Serious F5 Breach
This is bad: F5, a Seattle-based maker of networking software, disclosed the breach on Wednesday. F5 said a "sophisticated" threat group working for an undisclosed nation-state government had surreptitiously and persistently dwelled in its network over a "long-term." Security researchers who have...
⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More
It's easy to think your defenses are solid — until you realize attackers have been inside them the whole time. The latest incidents show that long-term, silent breaches are becoming the norm. The best defense now isn't just patching fast, but watching smarter and staying alert for what you don't...
EUVD-2006-2358
Malware in sbrugna...
EUVD-2025-16767
Malicious code in bioql PyPI...
EUVD-2025-16764
Malicious code in bioql PyPI...
EUVD-2025-0132
Malicious code in bioql PyPI...
CVE-2025-56648
npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them...
PT-2025-38252
Name of the Vulnerable Software and Affected Versions parcel versions 2.0.0-alpha and earlier Description A security issue exists in Parcel that allows malicious websites to send XMLHTTPRequests to the application's development server and read the response, potentially leading to source code thef...
Linux Distros Unpatched Vulnerability : CVE-2025-30359
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source...
webpack-dev-server users' source code may be stolen when they access a malicious web site
...
Cross-site WebSocket Hijacking
webpack-dev-server is vulnerable to Cross-site WebSocket hijacking. The vulnerability is due to improper Origin header validation, which permits IP address origins, allows attackers to hijack WebSocket connections and steal source code via malicious websites...
GHSA-9JGG-88MC-972H webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
Summary Source code may be stolen when you access a malicious web site with non-Chromium based browser. Details The Origin header is checked to prevent Cross-site WebSocket hijacking from happening which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address Origin header...