Lucene search
K

3942 matches found

Github Security Blog
Github Security Blog
added 2026/05/19 2:35 p.m.46 views

Malware in @opensearch-project/opensearch

Overview The OpenSearch Project has sustained a security incident involving an external actor gaining force-push permissions within the project's CI infrastructure to embed malicious packages into four release versions of @opensearch-project/opensearch. Users are instructed to immediately take...

5.8AI score
Exploits0References2Affected Software1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/19 5:0 a.m.15 views

Malicious code in @starmind/collector-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 33a028c205d18a30d3ff150b1653336fefa0ac86a6e5242811b6fb2c3283af21 The package @starmind/collector-cli was found to contain malicious code. Source: ghsa-malware...

5.8AI score
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/19 12:0 a.m.10 views

Malicious code in @antv/semantic-release-pnpm (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.14 views

PT-2026-41853

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

5.8AI score0.00486EPSS
Exploits0References2
OSV
OSV
added 2026/05/19 12:0 a.m.15 views

MAL-2026-4136 Malicious code in jest-canvas-mock (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References4
OSV
OSV
added 2026/05/19 12:0 a.m.7 views

MAL-2026-3998 Malicious code in @antv/gatsby-theme (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/19 12:0 a.m.17 views

Malicious code in canvas-nest.js (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/19 12:0 a.m.12 views

Malicious code in @antv/g-device-api (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/19 12:0 a.m.10 views

Malicious code in @antv/g-mobile-canvas (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References5
OSV
OSV
added 2026/05/19 12:0 a.m.7 views

MAL-2026-3851 Malicious code in @antv/async-hook (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References5
OSV
OSV
added 2026/05/19 12:0 a.m.14 views

MAL-2026-4054 Malicious code in @antv/l7plot (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References5
OSV
OSV
added 2026/05/19 12:0 a.m.17 views

MAL-2026-3936 Malicious code in @antv/g-plugin-canvas-picker (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References4
OSV
OSV
added 2026/05/19 12:0 a.m.11 views

MAL-2026-3924 Malicious code in @antv/g-mobile (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References5
OSV
OSV
added 2026/05/19 12:0 a.m.19 views

MAL-2026-3911 Malicious code in @antv/g-canvas (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References5
OSV
OSV
added 2026/05/19 12:0 a.m.10 views

MAL-2026-3960 Malicious code in @antv/g-plugin-zdog-svg-renderer (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References4
OSV
OSV
added 2026/05/19 12:0 a.m.11 views

MAL-2026-3849 Malicious code in @antv/adjust (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References5
Snyk
Snyk
added 2026/05/18 9:0 p.m.12 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
GithubExploit
GithubExploit
added 2026/05/16 2:53 p.m.78 views

Operation-Molasses

🍯 OPERATION MOLASSES PEKMEZ Zencefil Efendi's Cyber Dow...

6AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/05/15 7:57 p.m.9 views

CVE-2026-8596

Cleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API responses and forge valid integrity signatures for special...

8.5CVSS6.2AI score0.00439EPSS
Exploits0References1
CVE
CVE
added 2026/05/14 7:37 p.m.18 views

CVE-2026-8597

CVE-2026-8597 : Missing integrity verification in the Triton inference handler of the Amazon SageMaker Python SDK (v2 before 2.257.2; v3 before 3.8.0) may allow a remote authenticated actor with S3 write access to replace model artifacts in S3 with a crafted pickle payload, enabling code executio...

7.2CVSS6.2AI score0.0039EPSS
Exploits0References4
Rows per page
Query Builder