Lucene search

21 matches found

OSV
added 4 days ago, 4 views

MAL-2026-5199 Malicious code in @ethlete/contentful (npm)

Source: google-open-source-security. The Miasma malware is a self-propagating worm that spreads across the npm registry by abusing weaponized binding.gyp files to achieve...

AI score: 5.7
Exploits: 0, References: 2
Wiz blog
added 2026/05/19 8:29 a.m., 6 views

The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave

Multi-ecosystem supply chain compromise by TeamPCP targets GitHub, NPM, and VSCode to steal credentials and establish persistence...

AI score: 5.8
Exploits: 0
OSV
added 2026/05/19 12:00 a.m., 3 views

MAL-2026-4020 Malicious code in @antv/gpt-vis (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0, References: 5
OSV
added 2026/05/19 12:00 a.m., 5 views

MAL-2026-3990 Malicious code in @antv/g6-mobile (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0, References: 4
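The three OSV entries above describe two ways a package can run code at install time: a lifecycle script (the preinstall hook used by the Mini Shai-Hulud versions) and a binding.gyp file, which makes npm run `node-gyp rebuild` implicitly when no install/preinstall script is declared (the vector the Miasma entry attributes to weaponized binding.gyp files; gyp syntax can embed shell commands in `<!(...)` / `<!@(...)` expansions). The following auditor is an added example, not code from OSV, Google or any of the packages named in the entries: it walks a node_modules tree and reports both vectors. The three sample packages it builds in a temp directory are constructed fixtures with invented names and commands.

```python
"""Audit a node_modules tree for install-time code execution vectors.

Added example (not code from OSV, Google or any package named in the listing).
It reports:
  * lifecycle scripts that run during `npm install` (preinstall, install,
    postinstall);
  * a binding.gyp file with no install/preinstall script, which makes npm run
    `node-gyp rebuild` implicitly; a `<!(...)` / `<!@(...)` command expansion
    inside the gyp file is flagged separately.
build_sample_tree() creates constructed fixtures with made-up names.
"""
import json
import os
import re
import sys
import tempfile
from dataclasses import dataclass
from typing import List

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# gyp command expansion: <!(cmd) or <!@(cmd), run when the gyp file is processed
GYP_COMMAND_EXPANSION = re.compile(r"<!@?\(")


@dataclass(frozen=True)
class Finding:
    package: str
    kind: str      # "lifecycle-script", "binding.gyp" or "unparseable-manifest"
    detail: str


def audit_package(pkg_dir: str) -> List[Finding]:
    """Inspect one package directory (expected to contain package.json)."""
    manifest = os.path.join(pkg_dir, "package.json")
    try:
        with open(manifest, encoding="utf-8") as fh:
            meta = json.load(fh)
    except (OSError, json.JSONDecodeError):
        return [Finding(os.path.basename(pkg_dir), "unparseable-manifest", manifest)]
    name = meta.get("name") or os.path.basename(pkg_dir)
    scripts = meta.get("scripts")
    if not isinstance(scripts, dict):
        scripts = {}
    findings = [
        Finding(name, "lifecycle-script", f"{hook}: {scripts[hook]}")
        for hook in INSTALL_HOOKS if hook in scripts
    ]
    gyp = os.path.join(pkg_dir, "binding.gyp")
    # npm only substitutes `node-gyp rebuild` when neither install nor preinstall is declared
    if os.path.isfile(gyp) and not ({"install", "preinstall"} & scripts.keys()):
        with open(gyp, encoding="utf-8", errors="replace") as fh:
            body = fh.read()
        detail = "implicit `node-gyp rebuild` (no install script declared)"
        if GYP_COMMAND_EXPANSION.search(body):
            detail += "; binding.gyp contains a <!(...) command expansion"
        findings.append(Finding(name, "binding.gyp", detail))
    return findings


def audit_tree(root: str) -> List[Finding]:
    """Visit every directory under root holding a package.json (nested and
    scoped @org/ packages included); return findings sorted by package name."""
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" in filenames:
            findings.extend(audit_package(dirpath))
    return sorted(findings, key=lambda f: (f.package, f.kind))


def build_sample_tree() -> str:
    """Constructed fixture: a clean package, one with a preinstall hook, and a
    native package whose binding.gyp shells out. All names are invented."""
    root = tempfile.mkdtemp(prefix="nm-audit-")

    def write(rel_path: str, text: str) -> None:
        path = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

    write("node_modules/clean-lib/package.json",
          json.dumps({"name": "clean-lib", "version": "1.0.0",
                      "scripts": {"test": "node test.js"}}))
    write("node_modules/@example/hooked/package.json",
          json.dumps({"name": "@example/hooked", "version": "2.3.1",
                      "scripts": {"preinstall": "bun setup_bun.js"}}))
    write("node_modules/native-thing/package.json",
          json.dumps({"name": "native-thing", "version": "0.1.0"}))
    write("node_modules/native-thing/binding.gyp",
          '{ "targets": [ { "target_name": "addon",\n'
          '  "variables": { "prep": "<!(sh ./prepare.sh)" } } ] }')
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for finding in audit_tree(target):
        print(f"{finding.package}: {finding.kind} -> {finding.detail}")
```

Run it against a real checkout with `python audit.py path/to/project`; without an argument it audits the constructed fixture. A hit is not proof of malice (many legitimate native modules ship binding.gyp), but every flagged package is one that executes code on `npm install`, which is the set worth pinning, reviewing, or installing with `--ignore-scripts`.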
Microsoft Secure
added 2026/03/11 9:00 p.m., 5 views

Contagious Interview: Malware delivered through fake developer job interviews

Microsoft Defender Experts has observed the Contagious Interview campaign, a sophisticated social engineering operation active since at least December 2022. Microsoft continues to detect activity associated with this campaign in recent customer environments, targeting software developers at...

AI score: 6.3
Exploits: 0
OSV
added 2025/12/30 1:49 a.m., 1 view

GO-2025-4262 Gitea: anonymous user can visit private user's project in code.gitea.io/gitea

Gitea: anonymous user can visit private user's project in code.gitea.io/gitea...

CVSS: 5.8, AI score: 6.6, EPSS: 0.00013
Exploits: 0, References: 5
OSV
added 2025/11/24 10:09 p.m., 3 views

MAL-2025-191000 Malicious code in react-native-log-level (npm)

Source: amazon-inspector. The package react-native-log-level was found to contain malicious code. Source: ghsa-malware...

AI score: 6.8
Exploits: 0, References: 4
Snyk
added 2025/11/24 8:33 p.m., 1 view

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

CVSS: 9.8, AI score: 6.8
Exploits: 0, References: 3
Fedora
added 2024/03/28 1:44 a.m., 24 views

[SECURITY] Fedora 38 Update: python-pygments-2.14.0-2.fc38

Pygments is a generic syntax highlighter suitable for use in code hosting, forums, wikis or other applications that need to prettify source code. Highlights are: a wide range of over 500 languages and other text formats is supported; special attention is paid to details that increase highlighting...

CVSS: 5.5, AI score: 7.1, EPSS: 0.00069
Exploits: 1
OpenVAS
added 2024/03/28 12:00 a.m., 19 views

Fedora: Security Advisory for python-pygments (FEDORA-2024-8eaf80107a)

The remote host is missing an update for the python-pygments package announced via the FEDORA-2024-8eaf80107a advisory...

CVSS: 5.5, AI score: 5.6, EPSS: 0.00069
Exploits: 1, References: 2
The Hacker News
added 2024/03/01 5:29 a.m., 28 views

GitHub Rolls Out Default Secret Scanning Push Protection for Public Repositories

GitHub on Thursday announced that it's enabling secret scanning push protection by default for all pushes to public repositories. "This means that when a supported secret is detected in any push to a public repository, you will have the option to remove the secret from your commits or, if you dee...

AI score: 7.2
Exploits: 0
The Hacker News
added 2022/12/16 12:24 p.m., 19 views

GitHub Announces Free Secret Scanning for All Public Repositories

GitHub on Thursday said it is making available its secret scanning service to all public repositories on the code hosting platform for free. "Secret scanning alerts notify you directly about leaked secrets in your code," the company said, adding it's expected to complete the rollout by the end of...

Exploits: 0
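The two Hacker News entries above describe GitHub's secret scanning and its push protection: a push that contains a supported secret is blocked before it lands, and the author is told which commit to fix. The script below is an added example of the same check run locally as a git pre-push hook; it is not GitHub's implementation. It scans only the lines a push would add, using the publicly documented prefixes of GitHub classic tokens (`ghp_`), fine-grained tokens (`github_pat_`) and AWS access key IDs (`AKIA`/`ASIA`); `SAMPLE_DIFF` is a constructed diff whose tokens are made up and not valid credentials.

```python
"""Local analogue of push protection: scan the lines a push would add for
credential patterns before they leave the machine.

Added example, not GitHub's secret scanning code. The patterns cover GitHub
classic PATs, GitHub fine-grained PATs and AWS access key IDs by their public
prefixes. SAMPLE_DIFF is a constructed unified diff with invented tokens.
Installed as .git/hooks/pre-push, main() reads the
'<local_ref> <local_sha> <remote_ref> <remote_sha>' lines git passes on stdin.
"""
import re
import subprocess
import sys
from typing import List, NamedTuple

PATTERNS = {
    "github-pat-classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github-pat-fine-grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
ZERO_SHA = "0" * 40
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # git's empty tree object (SHA-1 repos)


class Hit(NamedTuple):
    path: str
    line: int      # line number in the new version of the file
    kind: str
    masked: str


def mask(secret: str) -> str:
    """Keep the prefix and last 4 chars so the hit is identifiable but not reusable."""
    return secret[:8] + "*" * (len(secret) - 12) + secret[-4:]


def scan_diff(diff_text: str) -> List[Hit]:
    """Scan only the added lines of a unified diff. Removed lines never reach
    the remote and context lines are already there, so neither is reported."""
    hits: List[Hit] = []
    path, new_line = "?", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        header = HUNK_HEADER.match(raw)
        if header:
            new_line = int(header.group(1))
            continue
        if raw.startswith("-") or raw.startswith("\\"):
            continue  # removed line, "--- a/file" header, or "\ No newline" marker
        if raw.startswith("+"):
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(raw[1:]):
                    hits.append(Hit(path, new_line, kind, mask(m.group(0))))
            new_line += 1
        elif raw.startswith(" ") or raw == "":
            new_line += 1  # context line
    return hits


# Constructed sample: two secrets added, one secret removed (must not be flagged).
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,5 +10,6 @@ DEBUG = False
 DATABASES = {}
-GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
-OLD_KEY_ID = "AKIAOLDKEYREMOVED001"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+AWS_KEY_ID = "AKIAEXAMPLEKEY000001"
+AWS_SECRET = os.environ["AWS_SECRET_ACCESS_KEY"]
 LOG_LEVEL = "info"
 ALLOWED_HOSTS = ["*"]
"""


def diff_for_push(local_sha: str, remote_sha: str) -> str:
    """Diff of everything the push would add; a zero remote sha means a new branch."""
    base = EMPTY_TREE if remote_sha == ZERO_SHA else remote_sha
    return subprocess.run(["git", "diff", base, local_sha],
                          check=True, capture_output=True, text=True).stdout


def main() -> int:
    hits: List[Hit] = []
    for line in sys.stdin:
        parts = line.split()
        if len(parts) != 4:
            continue
        _local_ref, local_sha, _remote_ref, remote_sha = parts
        if local_sha == ZERO_SHA:
            continue  # branch deletion pushes no content
        hits.extend(scan_diff(diff_for_push(local_sha, remote_sha)))
    for h in hits:
        print(f"{h.path}:{h.line}: {h.kind} {h.masked}", file=sys.stderr)
    return 1 if hits else 0  # non-zero exit makes git abort the push


if __name__ == "__main__":
    sys.exit(main())
```

A hook like this mirrors the server-side behaviour described in the entries (block, name the file and line, never echo the full secret), with the difference that a local hook can be bypassed with `--no-verify`, which is why the server-side check is the one to rely on; the local one exists to catch mistakes before they reach the reflog of a shared remote.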
Trellix
added 2022/09/07 12:00 a.m., 55 views

The Bug Report – August 2022 Edition

The Bug Report, August 2022 Edition. By Philippe Laulheret, September 7, 2022. Your Cybersecurity Comic Relief. Figure 0: CVE-2022-38392 redefines "destructive interference". Why am I here? Indeed, why are we here? School is back in session, there's a chill in the air that says fall is around the...

AI score: 0.1, EPSS: 0.944
Exploits: 24
BDU FSTEC
added 2022/09/02 12:00 a.m., 0 views

A vulnerability in the GitHub import function of GitLab, the Git-based platform for collaborative software development, allows an attacker to execute arbitrary code.

The vulnerability in the GitHub import function of GitLab, the Git-based platform for collaborative software development, is caused by insufficient sanitization of data at the command level. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...

CVSS: 10, EPSS: 0.91193
Exploits: 5, References: 2, Affected Software: 1
CNVD
added 2020/06/22 12:00 a.m., 2 views

Unspecified Vulnerability in Mattermost Plugins

Mattermost is a private cloud messaging solution provider. A security vulnerability in Mattermost Plugins can be exploited by an attacker to attach their Mattermost account to another user's GitHub account...

CVSS: 7.5, AI score: 6.9, EPSS: 0.00241
Exploits: 0, References: 1
CNVD
added 2020/05/21 12:00 a.m., 6 views

Gitea Deadlock Vulnerability

Gitea is an open source community-driven clone of Gogs, a lightweight code hosting solution with a backend written in Go under the MIT license. A deadlock vulnerability exists in Gitea 1.11.5 and earlier versions. An attacker can exploit this vulnerability to cause a deadlock by initiating a...

CVSS: 7.5, AI score: 6.7, EPSS: 0.00797
Exploits: 1, References: 1
Hacker One
added 2019/06/13 6:05 p.m., 31 views

X (Formerly Twitter): Github Token Leaked publicly for https://github.com/mopub

Description: GitHub is a truly awesome service, but it is unwise to put any sensitive data in code that is hosted on GitHub and similar services, as I was able to find a GitHub token indexed 4 days ago by user Dravya Nataraj. Issue & POC: You can find the leak in this link:...

AI score: 6.8
Exploits: 0
UbuntuCve
added 2019/03/27 2:29 p.m., 31 views

CVE-2019-5419

There is a possible denial of service vulnerability in Action View (Rails 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1) where specially crafted Accept headers can cause Action View to consume 100% CPU and make the server unresponsive...

CVSS: 7.8, AI score: 6.8, EPSS: 0.12118
Exploits: 3, References: 2
The Hacker News
added 2018/06/04 7:19 a.m., 100 views

Confirmed—Microsoft Buys GitHub For $7.5 Billion

Here's the biggest news of the week—Microsoft has reportedly acquired GitHub for $7.5 billion. For those unaware, GitHub is a popular code repository hosting service that allows developers to host their projects, documentation, and code in the cloud using the popular Git source management system,...

AI score: 6.9
Exploits: 0
CNVD
added 2017/09/25 12:00 a.m., 1 view

Geminabox Cross-Site Scripting Vulnerability

Geminabox aka Gem in a Box is a personal code hosting platform. Geminabox suffers from a cross-site scripting vulnerability that can be exploited by remote attackers to delete arbitrary gems on the server...

CVSS: 5.4, AI score: 6.6, EPSS: 0.00222
Exploits: 1, References: 1