6 matches found
Server-side Request Forgery (SSRF)
Overview: org.webjars.npm:ai is an AI SDK by Vercel, the AI Toolkit for TypeScript and JavaScript. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the order of operations in the validateDownloadUrl implementation in download-blob.ts and download.ts. The...
Google Cloud Vertex AI SDK Cross Site Scripting / Code Execution
A persistent cross-site scripting vulnerability was identified in the genai/evalsvisualization component of Google Cloud Vertex AI SDK google-cloud-aiplatform, affecting versions 1.98.0 up to but not including 1.131.0. The vulnerability allows an unauthenticated remote attacker to inject maliciou...
Google Cloud Vertex AI SDK Security Vulnerability
Google Cloud Vertex AI SDK is a Python library for AI capabilities provided by Google, Inc. Versions of Google Cloud Vertex AI SDK prior to 1.131.0 contained security vulnerabilities. These vulnerabilities were due to the genai/evalsvisualization component, which had a stored cross-site...
Ultralytics Supply-Chain Attack
Last week, we saw a supply-chain attack against the Ultralytics AI library on GitHub. A quick summary: On December 4, a malicious version 8.3.41 of the popular AI library ultralytics, which has almost 60 million downloads, was published to the Python Package Index (PyPI) package repository. The...
Ultralytics AI Library with 60M Downloads Compromised for Cryptomining
Another day, another supply chain attack!...
Ultralytics AI Library Compromised: Cryptocurrency Miner Found in PyPI Versions
In yet another software supply chain attack, it has come to light that two versions of a popular Python artificial intelligence (AI) library named ultralytics were compromised to deliver a cryptocurrency miner. The versions, 8.3.41 and 8.3.42, have since been removed from the Python Package Index...