48 matches found
Malicious code in cardano-addresses-docs (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9d99ae2a620ac8a3db31cde344d6d1e46914f785b3d5f4b8debdb20d64fa9c75 package.json declares a preinstall hook node index.js that runs automatically on npm install. index.js collects host identifiers os.hostname,...
MAL-2026-5802 Malicious code in cardano-addresses-docs (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9d99ae2a620ac8a3db31cde344d6d1e46914f785b3d5f4b8debdb20d64fa9c75 package.json declares a preinstall hook node index.js that runs automatically on npm install. index.js collects host identifiers os.hostname,...
Malicious code in flow-lending (npm)
Sentinel-high 9.9.9 dependency-confusion squat of an internal Cardano/DeFi lending pkg. preinstall node index.js || true auto-execs a credential exfil: harvests env secrets mnemonic/private key/token/blockfrost API key and POSTs to raw attacker C2 2.25.140.71:8443/surflending/npm-confusion. 2-pkg...
MAL-2026-5803 Malicious code in flow-lending (npm)
Sentinel-high 9.9.9 dependency-confusion squat of an internal Cardano/DeFi lending pkg. preinstall node index.js || true auto-execs a credential exfil: harvests env secrets mnemonic/private key/token/blockfrost API key and POSTs to raw attacker C2 2.25.140.71:8443/surflending/npm-confusion. 2-pkg...
Malicious code in flowdefi (npm)
flow/surf-lending DeFi cred-exfil campaign sibling c1655. preinstall node index.js || true exfils env secrets to raw C2 2.25.140.71:8443/surflending/npm-confusion verified identical. No-renotify. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector...
MAL-2026-5806 Malicious code in flowdefi (npm)
flow/surf-lending DeFi cred-exfil campaign sibling c1655. preinstall node index.js || true exfils env secrets to raw C2 2.25.140.71:8443/surflending/npm-confusion verified identical. No-renotify. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector...
Malicious code in bodega-sdk (npm)
flow/surf-lending DeFi cred-exfil campaign sibling c1655. preinstall node index.js || true exfils env secrets to raw C2 2.25.140.71:8443/surflending/npm-confusion verified identical. No-renotify. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector...
MAL-2026-5805 Malicious code in flowcardano (npm)
flow/surf-lending DeFi cred-exfil campaign sibling c1655. Cardano-themed Sentinel-9.9.9 dependency-confusion squat. preinstall node index.js || true exfils env secrets mnemonic/private-key/token/blockfrost to raw C2 2.25.140.71:8443/surflending/npm-confusion same C2 as...
Malicious code in moneykit-cardano-demo (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e6186e5ec8b6cea4f1cec3b4284cf09f2e317dd7d745fb5f88e15b355497d08e package.json declares preinstall: node index.js, which fires automatically on npm install. index.js collects host identifiers and OS files —...
EUVD-2023-42478
Malicious code in bioql PyPI...
EUVD-2023-47232
Malicious code in bioql PyPI...
EUVD-2025-29413
Malicious code in bioql PyPI...
EUVD-2025-18921
Malicious code in bioql PyPI...
EUVD-2023-46894
Malicious code in bioql PyPI...
CVE-2025-48886
Hydra is a layer-two scalability solution for Cardano. Prior to version 0.22.0, the process assumes L1 event finality and does not consider failed transactions. Currently, Cardano L1 is monitored for certain events which are necessary for state progression. At the moment, Hydra considers those...
CVE-2025-48886
Hydra is a layer-two scalability solution for Cardano. Prior to version 0.22.0, the process assumes L1 event finality and does not consider failed transactions. Currently, Cardano L1 is monitored for certain events which are necessary for state progression. At the moment, Hydra considers those...
CVE-2025-48886 hydra-node dangerously assumes L1 event finality and does not consider failed transactions
Hydra is a layer-two scalability solution for Cardano. Prior to version 0.22.0, the process assumes L1 event finality and does not consider failed transactions. Currently, Cardano L1 is monitored for certain events which are necessary for state progression. At the moment, Hydra considers those...
CVE-2025-48886
Hydra, a Layer-2 scaling solution for Cardano, is affected by a vulnerability that arises from assuming L1 finality and neglecting failed transactions. Before version 0.22.0, Hydra treated certain L1 events as finalized as soon as recognized by node participants, making those transactions targets...
CVE-2025-48886 hydra-node dangerously assumes L1 event finality and does not consider failed transactions
Hydra is a layer-two scalability solution for Cardano. Prior to version 0.22.0, the process assumes L1 event finality and does not consider failed transactions. Currently, Cardano L1 is monitored for certain events which are necessary for state progression. At the moment, Hydra considers those...
CVE-2025-48886 hydra-node dangerously assumes L1 event finality and does not consider failed transactions
Hydra is a layer-two scalability solution for Cardano. Prior to version 0.22.0, the process assumes L1 event finality and does not consider failed transactions. Currently, Cardano L1 is monitored for certain events which are necessary for state progression. At the moment, Hydra considers those...