Malicious code in @antv/xflow-core (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

scp.hole.txt

This issue appears quite often - tar suffers from problem of this kind as well using cute symlink tricks, you can create an archive, which, when unpacked, can overwrite or create specific files anywhere in your filesystem. This time, similar scp vulnerability has been found and acknowledged in ss...