7 matches found
MAL-2026-5135 Malicious code in @redhat-cloud-services/frontend-components-advisor-components (npm)
Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...
Embedded Malicious Code
Overview: Affected versions of this package are vulnerable to Embedded Malicious Code linked to the "Miasma" supply chain attack targeting the @redhat-cloud-services npm namespace. A malicious actor compromised the publication pipeline and published versions containing malicious code that includes...
GHSA-5W89-2C2X-6X66 vulnerabilities
Vulnerabilities for packages: opensearch-k8s-operator, kpt, metacontroller, cluster-api-provider-vsphere, gofumpt, kubecolor, docker-credential-acr-env, wait-for-port, docker-cli, cri-tools, knative-serving, kubeflow-katib, github-mcp-server, prometheus, pulumi-language-yaml, ip-masq-agent,...
CVE-2021-3864 vulnerabilities
Vulnerabilities for packages: linux-qemu-melange, linux-qemu, linux-vmware...
GHSA-9682-F2FR-3H46 vulnerabilities
Vulnerabilities for packages: linux-qemu-melange, linux-qemu, linux-vmware...
GHSA-R4VM-3MC7-PRGX vulnerabilities
Vulnerabilities for packages: linux-gcp, linux-azure, linux-aws...
CVE-2025-22872 vulnerabilities
Vulnerabilities for packages: newrelic-k8s-metadata-injection, kubernetes-csi-external-snapshotter-fips, promxy, victoriametrics-operator-fips, terraform-provider-azapi, opa-fips-envoy, docker-compose, scorecard, prometheus-pushgateway-fips, helm-fips, src-fingerprint, opentofu-fips,...