Malicious Package

Overview knot-date-utils-rb is a malicious package. This package is part of a malicious cluster of Ruby gems published by the threat actor knot-theory. Designed to impersonate legitimate utilities, it executes a payload upon installation that harvests environment variables, SSH keys, AWS...

PT-2026-26203

Summary The Allure report generator is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file -result.json, -container.json, or .plist that points an attachment source to a sensitive file on the host system. During repor...

Strengthening supply chain security: Preparing for the next malware campaign

The open source ecosystem continues to face organized, adaptive supply chain threats that spread through compromised credentials and malicious package lifecycle scripts. The most recent example is the multi-wave Shai-Hulud campaign. While individual incidents differ in their mechanics and speed,...

EUVD-2024-38708

Malicious code in bioql PyPI...

CVE-2024-34347

CVE-2024-34347 affects the Hoppscotch CLI component suite. The vulnerability stems from using the Node.js vm-based sandbox in @hoppscotch/js-sandbox, where external references exposed to the sandbox can escape it and allow arbitrary code execution (RCE). The issue is fixed in Hoppscotch 0.8.0. Pu...

CVE-2024-34347 @hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE

@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is because code inside th...

CVE-2024-34347 @hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE

@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is because code inside th...

GSD-2022-1002520 typosquatting / spellcheck squatting in rustdecimal version all

In rustdecimal, all versions prior to 1.23.4 contain malicious code that downloads a binary masked as a "readme" file and then depending on the OS, making it executable and ran it. The rustdecimal crate appears to be a malicious clone of the real rust-decimal crate. Due to the similarity of the...

Dep-Scan - Fully Open-Source Security Audit For Project Dependencies Based On Known Vulnerabilities And Advisories. Supports Both Local Repos And Container Images. Integrates With Various CI Environments Such As Azure Pipelines, CircleCI, Google CloudBuild

dep-scan is a fully open-source security audit tool for project dependencies based on known vulnerabilities, advisories and license limitations. Both local repositories and container images are supported as input. The tool is ideal for CI environments with built-in build breaker logic. If you hav...

Backdoor Found in Codecov Bash Uploader

Developers have discovered a backdoor in the Codecov bash uploader. Its been there for four months. We dont know who put it there. Codecov said the breach allowed the attackers to export information stored in its users continuous integration CI environments. This information was then sent to a...