104 matches found
Malicious code in kurumi-fca (npm)
Source: amazon-inspector f90450e6ca1502bf6287d945c37c4c64f59e624a4269ab8e07600a9db5e755d0. kurumi-fca is a Facebook Chat API library whose advertised purpose is to listen to Messenger events for the caller. Two undisclosed behaviors make it...
Mitigating the Axios npm supply chain compromise
In this article: 1. Analysis of the attack; 2. Mitigation and protection guidance; 3. Microsoft Defender detections; 4. Indicators of compromise; 5. Hunting queries. On March 31, 2026, two new npm packages for updated versions of Axios, a popular HTTP client for JavaScript that simplifies making HTTP...
MAL-2025-190338 Malicious code in winston-pino-jasmine-jupiter (npm)
Source: amazon-inspector a5379730ea03719315dac34057961525d8cb45f557c9a2a4ad60fa9929dadfc6. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-158825 Malicious code in lookingan-namalaka16 (npm)
Source: amazon-inspector 80cc28a06b269761a3b23d2be8f0ef1fc5d52e59bd9f4c6a35f5ee1f13648672. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in damaged_sheep_z3n (npm)
Source: amazon-inspector 5969346aa18fa96f43ced9a4499893613e2db1ae785053296165e1d84dfdd031. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2021-25582
Malware in sbrugna...
EUVD-2019-4340
Malware in sbrugna...
EUVD-2022-26881
Malicious code in bioql PyPI...
Claude Code can execute commands prior to the startup trust dialog
Due to a bug in the startup trust dialog implementation, Claude Code could be tricked into executing code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory. Users on standard Claude Code auto-update...
Linux Distros Unpatched Vulnerability : CVE-2022-21661
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there...
Linux Distros Unpatched Vulnerability : CVE-2022-21664
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of th...
Linux Distros Unpatched Vulnerability : CVE-2021-39201
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. Impact The issue allows an authenticat...
Linux Distros Unpatched Vulnerability : CVE-2021-29450
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This...
CVE-2021-29447
Wordpress is an open source CMS. A user with the ability to upload files like an Author can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has...
CVE-2021-29450
Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases...
CVE-2021-39200
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die can be leaked under certain conditions, which can include data like nonces. It can then be used to perform actions on yo...
CVE-2024-13336
The Disable Auto Updates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'disable-auto-updates' page. This makes it possible for unauthenticated attackers to disable all auto...
CVE-2024-13336 Disable Auto Updates <= 1.4 - Cross-Site Request Forgery to Auto-update Disable
The Disable Auto Updates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'disable-auto-updates' page. This makes it possible for unauthenticated attackers to disable all auto...
WordPress plugin Disable Auto Updates Cross-Site Request Forgery Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language; the platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A cross-site request forgery vulnerability...