MAL-2026-6141 Malicious code in clx-cookie-signature (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9e0e91601d276764067b1b209efd17a1f59ef03ff4fc814bcb22c495f4a0f9b3 Package impersonates the popular cookie-signature library copying its README, author field 'TJ Holowaychuk ', and sign/unsign API, but index.js adds ...

Malicious Package

Overview moustick is a malicious package. This package contains malicious code that fetches and eval a remote payload from attacker-controlled URL https://www.jsonkeeper.com/b/MYUKZ on require in moustick/index.js. The payload is designed to extract RELAYERPRIVATEKEY and JWTSECRET from the victim...

Malicious Package

Overview clx-cookie-signature is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Weak Authentication

org.apache.druid, druid is vulnerable to Weak Authentication. The vulnerability is due to the Kerberos authenticator using a weak fallback secret generated with a non-cryptographically secure RNG when druid.auth.authenticator.kerberos.cookieSignatureSecret is not set, which allows an attacker to...

CVE-2025-59390

Apache Druid’s Kerberos authenticator uses a weak fallback secret when the druid.auth.authenticator.kerberos.cookieSignatureSecret configuration is not explicitly set. In this case, the secret is generated using ThreadLocalRandom, which is not a crypto-graphically secure random number generator...

EUVD-2025-199714

Apache Druid’s Kerberos authenticator uses a weak fallback secret...

Apache Druid’s Kerberos authenticator uses a weak fallback secret

Apache Druid’s Kerberos authenticator uses a weak fallback secret when the druid.auth.authenticator.kerberos.cookieSignatureSecret configuration is not explicitly set. In this case, the secret is generated using ThreadLocalRandom, which is not a crypto-graphically secure random number generator...

GHSA-W88F-4875-99C8 Apache Druid’s Kerberos authenticator uses a weak fallback secret

Apache Druid’s Kerberos authenticator uses a weak fallback secret when the druid.auth.authenticator.kerberos.cookieSignatureSecret configuration is not explicitly set. In this case, the secret is generated using ThreadLocalRandom, which is not a crypto-graphically secure random number generator...

CVE-2025-59390

Apache Druid’s Kerberos authenticator uses a weak fallback secret when the druid.auth.authenticator.kerberos.cookieSignatureSecret configuration is not explicitly set. In this case, the secret is generated using ThreadLocalRandom, which is not a crypto-graphically secure random number generator...

CVE-2025-59390 Apache Druid: Kerberos authenticaton chooses a cryptographically unsecure secret if not configured explicitly.

Apache Druid’s Kerberos authenticator uses a weak fallback secret when the druid.auth.authenticator.kerberos.cookieSignatureSecret configuration is not explicitly set. In this case, the secret is generated using ThreadLocalRandom, which is not a crypto-graphically secure random number generator...

CVE-2025-59390

Apache Druid’s Kerberos authenticator is affected. If the configuration druid.auth.authenticator.kerberos.cookieSignatureSecret is not set, a weak fallback secret is generated with ThreadLocalRandom, which is not cryptographically secure. This can allow an attacker to predict or brute‑force the c...

CVE-2025-59390 Apache Druid: Kerberos authenticaton chooses a cryptographically unsecure secret if not configured explicitly.

Apache Druid’s Kerberos authenticator uses a weak fallback secret when the druid.auth.authenticator.kerberos.cookieSignatureSecret configuration is not explicitly set. In this case, the secret is generated using ThreadLocalRandom, which is not a crypto-graphically secure random number generator...

EUVD-2020-0260

Malware in sbrugna...

Linux Distros Unpatched Vulnerability : CVE-2016-1000236

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Node-cookie-signature before 1.0.6 is affected by a timing attack due to the type of comparison used. CVE-2016-1000236 Note that Nessus relies on the presence o...

CVE-2020-1926

Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8...

Sensitive Information Exposure

Apache Hive is vulnerable to Sensitive Information Exposure. The vulnerability is due to inadequate handling of signature mismatches due to exposing the correct cookie signature to end users when there is a mismatch between the current and expected signature, potentially enabling further...

GHSA-77PM-W3HX-F8MJ Apache Hive and Spark: CookieSigner exposes the correct signature when message verification fails

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s servic...

CVE-2024-23945 Apache Hive, Apache Spark, Apache Spark: CookieSigner exposes the correct signature when message verification fails

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s servic...

Apache Hive Information Exposure and Observable Timing Discrepancy

Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8...

GHSA-54G4-5CF6-HJP3 Apache Hive Information Exposure and Observable Timing Discrepancy

Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8...