Malicious code in codex-devcontainer-install (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8248bf278df1e89da484099e912cdf9f8659976469a219bee14a03e2755391ce Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-4277 Malicious code in dev-env-bootstrapper (npm)

Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...

SpiceDB: Caveat structures with nested lists can result in improper cache reuse

Impact Users are impacted if: - They have a caveat structure with a nested list, e.g.: zed caveat shapex list x == "a", "b" - Their system exercises that caveat with either CheckBulkPermission or else LookupResources running with the --experimental-lookup-resources-version flag set to lr3, implyi...

GHSA-MQCF-GQVG-RMHM SpiceDB: Caveat structures with nested lists can result in improper cache reuse

Impact Users are impacted if: - They have a caveat structure with a nested list, e.g.: zed caveat shapex list x == "a", "b" - Their system exercises that caveat with either CheckBulkPermission or else LookupResources running with the --experimental-lookup-resources-version flag set to lr3, implyi...

PT-2026-42636

Impact Users are impacted if: - They have a caveat structure with a nested list, e.g.: zed caveat shapex list x == "a", "b" - Their system exercises that caveat with either CheckBulkPermission or else LookupResources running with the --experimental-lookup-resources-version flag set to lr3, implyi...

MAL-2026-2621 Malicious code in walmart-internal (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a4cb99836d95f651dcdf50a02819e299598fbb9e62a702601ce6fa89c3ed6ec0 The package walmart-internal was found to contain malicious code. Source: ghsa-malware 88f5dbf5cfe998f7ad3015cadd6b280accbeb5aadf15cdc7575f4f83a6f572...

bson_validate may skip validation when processing certain inputs

The bsonvalidate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect applications that re...

MAL-2026-2100 Malicious code in shakti-pwa (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bdac10e664bf4e0a73263401629caf12d2ed80e3cf76f36fa18a7c2d599e5229 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in delta666 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fb8eaa59df9b36fbda7fdbb9f429aa77b3dd4ce913b22d3e1f7991750136306a The package delta666 was found to contain malicious code. Source: ghsa-malware ed1b6c9a5c4e82e4f1f205e90a5ac9c271dccbf998e06ed81199102594e23d0f Any...

MAL-2026-1465 Malicious code in hariprasath (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b76de996c85f413b2169be46799cbd7dcd1d32a23eb303d0b17ecccae1b10011 The package hariprasath was found to contain malicious code. Source: ghsa-malware df15d2b2f2032416b2715e63515ca04b9bfeb6129516f9fa92d3a633942d07cc An...

MAL-2026-859 Malicious code in systemtest-network (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f8fadd3f7e7470daeb4e977c85dbe226a9225b2c4eae6c269a4d85fc01e96681 The package systemtest-network was found to contain malicious code. Source: ghsa-malware...

MAL-2026-357 Malicious code in chai-bin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 70584b6893352163c2a0c5341a2e577feaec7949d8719725a62e0d87e5b1d542 The package chai-bin was found to contain malicious code. Source: ghsa-malware a1636ea6e8016a1000135fcda28819cd75c13f4a95933606b7e792737fe630f0 Any...

MAL-2026-215 Malicious code in auth-types (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ec0897a10b33b937c04d8f134ccac05ecdfd6050bbfaffbb07cd3ade9256bd24 The package auth-types was found to contain malicious code. Source: ghsa-malware 1096a2a969c582b5029b85a0c4eb85eec4d53f96c178a1523abe0978392a139d Any...

MAL-2026-63 Malicious code in oj-sp-common-util (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b8c112d75458c1c8c9af95739b5a983b3617fbb578a147933a3d4cab77360dc4 The package oj-sp-common-util was found to contain malicious code. Source: ghsa-malware...

MAL-2025-191464 Malicious code in mayhem-wma (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d242ed0467287371909e2fef415c86d7688c77b9a33f6b43c52d37bfc2d7fa6e The package mayhem-wma was found to contain malicious code. Source: ghsa-malware 9f00d5cfad9006d0cb83e7249554304291a746a42a2191314e1b70990e854df5 Any...

MAL-2025-49328 Malicious code in parallel-coordinates (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57a6532ff0ec9ac1daec9c21c05c508de189c1f5d5012fc6b8aee4feb9ce2b43 The package parallel-coordinates was found to contain malicious code. Source: ghsa-malware...

Malicious code in bernie-plugin-datadog-rum (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0197846dec97a3a236eb5ede3d773adb5c175e3a2e0a497138424270d1610d9a The package bernie-plugin-datadog-rum was found to contain malicious code. Source: ghsa-malware...

MAL-2025-48216 Malicious code in redirect-sr2min (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 398493b4ccdee71bf59ddce4b7e65c0cb03aaac407524377ebda89df58587409 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @openzeppelin-compact/compact (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8318ee6c50491086374edce68740eb2b1f5827840f0dfd1d428881cfb50b4173 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-47165 Malicious code in @nstudio/nativescript-loading-indicator (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4b551e46bc14865c379331dce05e3f6adb61e5f385acc0aa24b912176766d0c1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...