
49 matches found

Snyk
added 2026/04/22 12:29 p.m. | 2 views

Embedded Malicious Code

Overview: xinference is a powerful and versatile library designed to serve language, speech recognition, and multimodal models. With Xorbits Inference, you can effortlessly deploy and serve your own or state-of-the-art built-in models using just a single command. Whether you are a researcher, develope...

9.8 CVSS | 5.5 AI score
Exploits 0 | References 2
OSSF Malicious Packages
added 2026/04/08 4:19 a.m. | 5 views

Malicious code in @fairwords/loopback-connector-es (npm)

The @fairwords/loopback-connector-es package was compromised as part of the TeamPCP/CanisterWorm campaign. A postinstall hook executes `node scripts/check-env.js || true`, which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation. The payload harvests 40+...

5.8 AI score
Exploits 0 | References 1
OSV
added 2026/04/08 4:19 a.m. | 0 views

MAL-2026-2507 Malicious code in @fairwords/loopback-connector-es (npm)

The @fairwords/loopback-connector-es package was compromised as part of the TeamPCP/CanisterWorm campaign. A postinstall hook executes `node scripts/check-env.js || true`, which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation. The payload harvests 40+...

5.8 AI score
Exploits 0 | References 1
OSV
added 2026/04/08 4:18 a.m. | 2 views

MAL-2026-2508 Malicious code in @fairwords/websocket (npm)

The @fairwords/websocket package was compromised as part of the TeamPCP/CanisterWorm campaign. A postinstall hook executes `node scripts/check-env.js || true`, which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation. The payload harvests 40+ environment variabl...

5.9 AI score
Exploits 0 | References 2
OSSF Malicious Packages
added 2026/03/26 12:33 a.m. | 2 views

Malicious code in @emilgroup/discount-sdk-node (npm)

Source: amazon-inspector 98b66c2b21da822102c367293fd9acc95e864afb9bb8ddebcb3ac0d49ccf583e The package @emilgroup/discount-sdk-node was found to contain malicious code. Source: google-open-source-security...

5.9 AI score
Exploits 0 | References 3
OSV
added 2026/03/26 12:33 a.m. | 2 views

MAL-2026-2202 Malicious code in @emilgroup/commission-sdk (npm)

Source: amazon-inspector 88cda98ba417752b6bf4aef7eb0ecf7410017226165423202ca4d5886f370478 The package @emilgroup/commission-sdk was found to contain malicious code. Source: google-open-source-security...

5.9 AI score
Exploits 0 | References 3
OSV
added 2026/03/26 12:33 a.m. | 1 views

MAL-2026-2206 Malicious code in @emilgroup/process-manager-sdk (npm)

Source: amazon-inspector 9c387184509fe5ed2657f553bc35f51353adfe2f37b6b1a4817cec868cb653cf The package @emilgroup/process-manager-sdk was found to contain malicious code. Source: google-open-source-security...

5.9 AI score
Exploits 0 | References 3
The Hacker News
added 2026/03/23 1:14 p.m. | 12 views

⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More

Another week, another reminder that the internet is still a mess. Systems people thought were secure are being broken in simple ways, showing many still ignore basic advisories. This edition covers a mix of issues: supply chain attacks hitting CI/CD setups, long-abused IoT devices being shut down...

10 CVSS | 7.4 AI score | 0.62516 EPSS
Exploits 47
The Hacker News
added 2026/03/23 8:31 a.m. | 7 views

Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper

Cybersecurity researchers have uncovered malicious artifacts distributed via Docker Hub following the Trivy supply chain attack, highlighting the widening blast radius across developer environments. The last known clean release of Trivy on Docker Hub is 0.69.3. The malicious versions 0.69.4,...

9.4 CVSS | 6.2 AI score | 0.23896 EPSS
Exploits 2
EUVD
added 2025/10/03 8:7 p.m. | 1 views

EUVD-2025-6418

Malicious code in bioql PyPI...

8.7 CVSS | 6.4 AI score | 0.00154 EPSS
Exploits 0 | References 3
EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2023-3140

Malicious code in bioql PyPI...

7.5 CVSS | 7.5 AI score | 0.00131 EPSS
Exploits 0 | References 9
EUVD
added 2025/10/03 8:7 p.m. | 1 views

EUVD-2024-3038

Malicious code in bioql PyPI...

8.7 CVSS | 6.4 AI score | 0.00117 EPSS
Exploits 0 | References 6
RedhatCVE
added 2025/05/23 7:31 a.m. | 3 views

CVE-2024-48915

Agent Dart is an agent library built for Internet Computer for Dart and Flutter apps. Prior to version 1.0.0-dev.29, certificate verification in lib/agent/certificate.dart does not occur properly. During the delegation verification in the _checkDelegation function, the canister_ranges aren't...

8.7 CVSS | 6.4 AI score | 0.00117 EPSS
Exploits 0
Veracode
added 2025/03/20 4:39 a.m. | 6 views

Denial Of Service (DoS)

Azle is vulnerable to Denial of Service (DoS). The vulnerability is due to an infinite loop of timers triggered by the setTimer function, leading to continuous execution and resource exhaustion, which can render the canister unresponsive...

8.7 CVSS | 6.7 AI score | 0.00154 EPSS
Exploits 0 | References 4 | Affected Software 1
NVD
added 2025/03/14 2:15 p.m. | 5 views

CVE-2025-29776

Azle is a WebAssembly runtime for TypeScript and JavaScript on ICP. Calling setTimer in Azle versions 0.27.0, 0.28.0, and 0.29.0 causes an immediate infinite loop of timers to be executed on the canister, each timer attempting to clean up the global state of the previous timer. The infinite loop...

8.7 CVSS | 0.00154 EPSS
Exploits 0 | References 2
Cvelist
added 2025/03/14 1:13 p.m. | 7 views

CVE-2025-29776 Azle calling `setTimer` causes infinite loop of timers

Azle is a WebAssembly runtime for TypeScript and JavaScript on ICP. Calling setTimer in Azle versions 0.27.0, 0.28.0, and 0.29.0 causes an immediate infinite loop of timers to be executed on the canister, each timer attempting to clean up the global state of the previous timer. The infinite loop...

8.7 CVSS | 0.00154 EPSS
Exploits 0 | References 2
OSV
added 2024/12/09 3:15 p.m. | 2 views

CVE-2024-11991

Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the...

6.5 CVSS | 6.6 AI score
Exploits 0 | References 2
Github Security Blog
added 2024/10/15 5:33 p.m. | 14 views

Agent Dart is missing certificate verification checks

Certificate verification in lib/agent/certificate.dart has been found to contain two issues: - During the delegation verification in the _checkDelegation function, the canister_ranges aren't verified. The impact of not checking the canister_ranges is that a subnet can sign canister responses on behalf of...

8.7 CVSS | 7 AI score | 0.00117 EPSS
Exploits 0 | References 6 | Affected Software 1
OSV
added 2024/10/15 5:12 p.m. | 11 views

CVE-2024-48915 Agent Dart missing certificate verification checks

Agent Dart is an agent library built for Internet Computer for Dart and Flutter apps. Prior to version 1.0.0-dev.29, certificate verification in lib/agent/certificate.dart does not occur properly. During the delegation verification in the _checkDelegation function, the canister_ranges aren't...

8.7 CVSS | 6.8 AI score | 0.00117 EPSS
Exploits 0 | References 6
CVE
added 2024/10/15 5:12 p.m. | 38 views

CVE-2024-48915

Agent Dart (for Dart/Flutter) prior to version 1.0.0-dev.29 has certificate verification issues in lib/agent/certificate.dart. In _checkDelegation, canister_ranges are not verified, potentially allowing a subnet to sign canister responses on behalf of another subnet. The certificate’s /time path ...

8.7 CVSS | 6.6 AI score | 0.00117 EPSS
Exploits 0 | References 4