MAL-2026-4361 Malicious code in @amswf/huoke (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4ec868ff3c73d920bd9c3b66a0e725f2eaf427b83ade2ad0fae284be0386eff4 On npm install, this package's postinstall runs node bin/huoke.js install-skill, which enumerates /home/ for every system user, finds each user's...

MAL-2026-4472 Malicious code in @zhengshuo888/huoke (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f352f11f7811b28966799c9359f99dbbe9829240066504be17c100981dd45ab On npm install, the package's postinstall hook runs node bin/huoke.js install-skill, which uses execSync to invoke curl -fsSL against...

GHSA-XFQJ-R5QW-8G4J Paperclip: Unauthenticated Access to Multiple API Endpoints in Authenticated Mode

Summary Several API endpoints in authenticated mode have no authentication at all. They respond to completely unauthenticated requests with sensitive data or allow state-changing operations. No account, no session, no API key needed. Verified against the latest version. Discord: sagi03581 Steps t...

CVE-2026-40151 PraisonAI Affected by Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no...

CVE-2026-40151 PraisonAI Affected by Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no...