Lucene search

256 matches found

Source: OSV, added yesterday

MAL-2026-5407 Malicious code in @card-pci-data/store (npm)

Source: amazon-inspector 9a82d7b7e7588c4b773e2948eb1707e62f2fcece2bec37a23eda5d5058eae871. On npm install, the package's preinstall hook (scripts.preinstall: node index.js || true) runs index.js, which collects host identity — os.hostname,...

AI score 5.5. Exploits: 0. References: 2.
Source: OSSF Malicious Packages, added yesterday

Malicious code in @card-pci-data/store (npm)

Source: amazon-inspector 9a82d7b7e7588c4b773e2948eb1707e62f2fcece2bec37a23eda5d5058eae871. On npm install, the package's preinstall hook (scripts.preinstall: node index.js || true) runs index.js, which collects host identity — os.hostname,...

AI score 5.5. Exploits: 0. References: 2.
Source: OSSF Malicious Packages, added yesterday

Malicious code in @sql-access/nodesql (npm)

Source: amazon-inspector f4dbd816086a092ae99c8590ee3fc887ba415dd8e9d409ca4e299da61d763b1c. @sql-access/[email protected] advertises itself as SQL tooling but ships a copy of the feross/buffer library as its main entry point, with a README copie...

AI score 6. Exploits: 0. References: 1.
Source: GithubExploit, added 3 days ago

HackTheBox

HackTheBox — Writeups, Tooling & Exploitation Pipelines A wor...

CVSS 10, AI score 7.6, EPSS 0.94173. Exploits: 382.
Source: GithubExploit, added 2026/05/31 3:16 p.m.

py-xss-scanner

Python Reflected XSS Scanner A command-l...

AI score 5.8. Exploits: 0.
Source: OSV, added 2026/05/27 11:54 a.m.

SUSE-SU-2026:2093-1 Security update for go1.25-openssl

This update for go1.25-openssl fixes the following issues. Security issues: - CVE-2026-33811: net: crash when handling long CNAME response (bsc#1264508). - CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1264506). - CVE-2026-39817: cmd/go: 'go tool...

CVSS 7.5, AI score 6, EPSS 0.00058. Exploits: 0. References: 25.
Source: SUSE Linux, added 2026/05/26 2:54 p.m.

Security update for go1.26-openssl

This update for go1.26-openssl fixes the following issues. Security issues: CVE-2026-33811: net: crash when handling long CNAME response (bsc#1264508). CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1264506). CVE-2026-39817: cmd/go: "go tool pack" do...

CVSS 7.5, AI score 5.9, EPSS 0.00058. Exploits: 0. References: 50.
Source: Wiz blog, added 2026/05/26 12:45 p.m.

State of SDLC Security 2026: How Risk Scales in Modern Development

Insights from real-world environments into how code, developer tooling, automation, and AI are reshaping application security...

AI score 5.8. Exploits: 0.
Source: OSV, added 2026/05/26 12:03 a.m.

MAL-2026-4777 Malicious code in xct-x-ayoub (PyPI)

Source: amazon-inspector d33575d7ebb1fa670ce8a2f633471492b04319daffe0f1e10dd35841cf2709af. On import of XcTxAyOuB, the package's top-level __init__.py unconditionally starts a Flask HTTP server bound to 0.0.0.0:5000 (configurable via PORT), exposing...

AI score 5.8. Exploits: 0. References: 1.
Source: OSV, added 2026/05/21 5:09 p.m.

GHSA-JF2Q-463C-6F52 androidqf: Zip entry Name Injection in APK bundle (Zip Slip for zip consumers)

Summary generateZipPath constructs zip entry names for collected APKs using device controlled content from extractFileName. Since extractFileName does not reject traversal sequences, the resulting zip entry name can contain ../. AndroidQF itself does not extract the zip it creates, but any forens...

CVSS 4.8, AI score 5.8. Exploits: 0. References: 3.
Source: OSV, added 2026/05/21 12:00 a.m.

MAL-2026-4216 Malicious code in polymarket-trader (npm)

A coordinated supply-chain attack comprising 9 npm packages published by maintainer polymarketdev (GitHub actor texsellix, repo texsellix/polymarket-trading-bot) within a 2-minute window (2026-05-20T23:30Z–23:32Z). All packages masquerade as legitimate Polymarket CLOB trading tools while...

AI score 5.8. Exploits: 0. References: 1.
Source: OSV, added 2026/05/20 7:12 p.m.

MAL-2026-4430 Malicious code in @saidddddddddd/somethingelse (npm)

Source: amazon-inspector 10c6c962a47a7992e9b415754433ca28aec0b867273e477fdc76acc96688554d. The package ships multiple multi-file, randomly named JavaScript bundles at the tarball root (dist/0wj8nina9p.js, dist/g2gldlcg6a.js, dist/k72k75nqjc.js,...

AI score 5.9. Exploits: 0. References: 1.
Source: OSV, added 2026/05/20 7:38 a.m.

MAL-2026-4581 Malicious code in idlidosa (npm)

Source: amazon-inspector 93244f4468caec1832fe03d87c7403d7ab1dac835f12605a35667acfd3b87c39. The package ships shared/keys.json containing 9 AES-256-GCM-encrypted Groq API keys. The decryption key is a fixed byte sequence, 'pageai-pool-v2'...

AI score 5.8. Exploits: 0. References: 1.
Source: AstraLinux, added 2026/05/20 5:53 a.m.

Astra Linux - vulnerability in firefox

Mitigation bypass in Web Compatibility: Tooling component. This vulnerability has been fixed in Firefox 143 and Thunderbird 143...

CVSS 5.4, AI score 5.7, EPSS 0.00042. Exploits: 0. References: 2.
Source: AstraLinux, added 2026/05/20 5:53 a.m.

Astra Linux – Vulnerability in xmltooling

Shibboleth XMLTooling before version 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allowed SSRF through a specially crafted KeyInfo element. This issue has been fixed, for example, in Shibboleth Service Provider 3.4.1.3 on Windows...

CVSS 7.5, AI score 7.7, EPSS 0.52412. Exploits: 3. References: 1.
Source: Packet Storm News, added 2026/05/18 12:00 a.m.

Bridging the Cybersecurity Gap between Web2 and Web3 - an Incident-Based Analysis of Organizational and Application-Level Security Failures

The rapid adoption of Web3 infrastructures has led to a growing number of security incidents affecting cryptocurrency exchanges, custody services and blockchain-based platforms. While existing research predominantly focuses on vulnerabilities in smart contracts and blockchain protocols, a...

AI score 5.8. Exploits: 0.
Source: Securelist, added 2026/05/12 7:00 a.m.

State of ransomware in 2026

With International Anti-Ransomware Day taking place on May 12, Kaspersky presents its annual report on the evolving global and regional ransomware cyberthreat landscape. Ransomware remains one of the most persistent and adaptive cyberthreats. In 2026: New families continue to emerge, adopting...

AI score 6. Exploits: 0.
Source: CNNVD, added 2026/05/12 12:00 a.m.

HashiCorp Tooling postback link vulnerability

HashiCorp Tooling is a series of software tools developed by HashiCorp Inc., aimed at infrastructure automation, cloud resource management, and security operations. Versions of HashiCorp Tooling prior to 0.42.0 contained a postback link vulnerability. This vulnerability stemmed from a sandbox pat...

CVSS 4.7, AI score 5.8, EPSS 0.00025. Exploits: 0. References: 1.
Source: Positive Technologies, added 2026/05/12 12:00 a.m.

PT-2026-40533

Affected software and versions: protobufjs-cli versions prior to 1.2.1; protobufjs-cli versions prior to 2.0.2. Description: The pbts command-line tool invokes JSDoc by constructing a shell command string from input file paths and executing it via child_process.exec. File paths...

CVSS 7.8, AI score 6.1, EPSS 0.00022. Exploits: 0. References: 6.
Source: GithubExploit, added 2026/05/07 2:15 p.m.

web-app-pentest-playbook

Web Application Pentest Playbook A structured methodology and...

AI score 5.8. Exploits: 0.