5 matches found
PT-2026-42628
Impact: A denial-of-service vulnerability exists in the Ed25519 multisig delinearization code path. Ed25519PublicKey::delinearize in keys/src/multisig/mod.rs called .unwrap on curve point decompression, which panics when a public key is constructed from 32 bytes that do not represent a valid point...
MAL-2026-2825 Malicious code in centralogger (npm)
dom-utils-lite and centralogger, with identical payloads. On npm install, a postinstall hook fetches the attacker’s SSH public key from a Supabase storage bucket, appends it to ~/.ssh/authorized_keys, harvests the victim’s IP, username, and hostname, then uploads that metadata to the same Supabase...
Malicious code in grammyjs-utils (npm)
This package adds the attacker's public SSH key to the user's authorized_keys file, creating a backdoor. Source: ghsa-malware 45f0349da339aac302d4c3bf992403e9bd539caa80f29576e448ccf3fb4af016 Any computer that has this package installed or...
Malicious code in telegramclient-utils (npm)
This package adds the attacker's public SSH key to the user's authorized_keys file, creating a backdoor. Source: ghsa-malware 2807323f53c2562dc15aa9f4a559ede7c0e9dee713d30a637a4cf8f2c13f2640 Any computer that has this package installed or...
UBUNTU-CVE-2023-29000
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.7.0, by trusting that the server will return a certificate that belongs to the keypair of the user, a malicious server could get the desktop client to encrypt file...