6 matches found
@achinet/nestjs-async (>=0.1.0 <=0.2.0), @asyncapi-actions-test/trusted-publishing-test_asyncapi-cli (>=4.1.3 <=5.4.0) +15 more potentially affected by unknown CVE via @asyncapi/modelina (=5.10.1)
@asyncapi/modelina NPM version =5.10.1 is affected by a known vulnerability. The following packages have a transitive dependency on @asyncapi/modelina and may be impacted: - @achinet/nestjs-async =0.1.0, =4.1.3, =2.5.0, =2.8.3, =0.2.0, =5.2.2, =0.54.0, =1.4.14, =1.8.0, =2.0.0, =0.1.0, =0.48.0,...
Embedded Malicious Code
Overview: @asyncapi/modelina is the Model SDK for generating data models. Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package...
Malicious code in @asyncapi/modelina (npm)
Source: amazon-inspector b6021816ea47fd6743ed24c196df8db60f0649e0d5b185ceb9b418ba457b21e3 The package @asyncapi/modelina was found to contain malicious code. Source: ghsa-malware...
EUVD-2025-198635
Malicious code in @asyncapi/modelina npm...
MAL-2025-190638 Malicious code in @asyncapi/modelina (npm)
Source: amazon-inspector b6021816ea47fd6743ed24c196df8db60f0649e0d5b185ceb9b418ba457b21e3 The package @asyncapi/modelina was found to contain malicious code. Source: ghsa-malware...
GHSA-4JG2-84C2-PJ95 Improper Control of Generation of Code ('Code Injection') in @asyncapi/modelina
Impact: Anyone who is using the default presets and/or does not handle the functionality themself. Patches: It is impossible to fully guard against this, because users have access to the original raw information. However, as of version 1, if you only access the constrained models, you will not...