Malicious code in dynamo-release (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a4e35bea632f7363e7a1cc6ccbfb9227eca2c4720b0a689edc1bc3ce64c9d85c Versions 1.5.4 were compromised. Compromised packages start an obfuscated infostealer. The infostealer is a heavily obfuscated JavaScript code executed using B...

ai-dynamo (=0.1.0), bentoctl (=0.2.3) +6 more potentially affected by CVE-2026-44345 via bentoml (>=1.0.0a7 <=1.4.3)

bentoml PYPI version =1.0.0a7, =1.0.1, =0.3.12, =0.0.1, =1.0.3, =0.0.10, =0.6.20 - raptor-labsdk =0.3.2 Source cves: CVE-2026-44345 Source advisory: SNYK:PYTHON-BENTOML-16642321...

ai-dynamo (=0.1.0), bentoctl (=0.2.3) +6 more potentially affected by CVE-2026-35043 via bentoml (>=1.0.0a7 <=1.4.3)

bentoml PYPI version =1.0.0a7, =1.0.1, =0.3.12, =0.0.1, =1.0.3, =0.0.10, =0.6.20 - raptor-labsdk =0.3.2 Source cves: CVE-2026-35043 Source advisory: SNYK:PYTHON-BENTOML-15909743...

ai-dynamo (=0.1.0), bento2seldon (>=0.1.0 <=0.4.0) +16 more potentially affected by CVE-2026-27905 via bentoml (>=0.10.1 <=1.4.3)

bentoml PYPI version =0.10.1, =0.1.0, =0.1.0, =0.0.10, =0.0.5, =0.3.12, =0.0.1, =1.0.3, =0.0.10, =0.0.1, =0.0.1, =0.0.13 and more Source cves: CVE-2026-27905 Source advisory: OSV:GHSA-M6W7-QV66-G3MF...

CVE-2026-27695

zae-limiter is a rate limiting library using the token bucket algorithm. Prior to version 0.10.1, all rate limit buckets for a single entity share the same DynamoDB partition key namespace/ENTITYid. A high-traffic entity can exceed DynamoDB's per-partition throughput limits 1,000 WCU/sec, causing...

Allocation of Resources Without Limits or Throttling

Overview zae-limiter is a Rate limiting library backed by DynamoDB with token bucket algorithm Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the acquire function. An attacker can cause elevated latency and rejected requests for...

CVE-2026-25814

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, User-controlled query parameters are passed directly into DynamoDB query/filter construction without validation or sanitization...

CVE-2026-25814

PlaciPy (educational placement system) 1.0.0 is affected by a NoSQL injection risk: user-controlled query parameters are passed directly into DynamoDB query/filter construction without validation or sanitization. This vulnerability enables tampering with queries, potentially compromising confiden...

CVE-2026-25814 NoSQL Injection Risk via Unsanitized Query Parameters

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, User-controlled query parameters are passed directly into DynamoDB query/filter construction without validation or sanitization...

PlaciPy 注入漏洞

PlaciPy is an open-source employment management system developed by Praskla Technology. It aims to simplify the employment processes for students, trainers, and managers in educational institutions. Version 1.0.0 of PlaciPy contains a vulnerability that stems from unvalidated or unchecked...

ai-dynamo (=0.1.0), bentoctl (=0.2.3) +6 more potentially affected by CVE-2026-24123 via bentoml (>=1.0.0a7 <=1.4.3)

bentoml PYPI version =1.0.0a7, =1.0.1, =0.3.12, =0.0.1, =1.0.3, =0.0.10, =0.6.20 - raptor-labsdk =0.3.2 Source cves: CVE-2026-24123 Source advisory: SNYK:PYTHON-BENTOML-15123972...

ai-dynamo (=0.1.0), bento2seldon (>=0.1.0 <=0.4.0) +16 more potentially affected by CVE-2026-24123 via bentoml (>=0.10.1 <=1.4.3)

bentoml PYPI version =0.10.1, =0.1.0, =0.1.0, =0.0.10, =0.0.5, =0.3.12, =0.0.1, =1.0.3, =0.0.10, =0.0.1, =0.0.1, =0.0.13 and more Source cves: CVE-2026-24123 Source advisory: OSV:GHSA-6R62-W2Q3-48HF...

serde_dynamo (>=3.0.1 <=4.2.8) potentially affected by unknown CVE via aws-sdk-dynamodbstreams (>=0.10.1 <=0.9.0)

aws-sdk-dynamodbstreams CARGO version =0.10.1, =3.0.1, =4.2.8 Source cves: unknown CVE Source advisory: OSV:GHSA-G59M-GF8J-GJF5...

aws-secretsmanager-cache (=0.5.0), dynamo-es (=0.4.5) +1 more potentially affected by unknown CVE via aws-sdk-config (>=0.17.0 <=0.26.0)

aws-sdk-config CARGO version =0.17.0, =0.1.0, =0.1.3 Source cves: unknown CVE Source advisory: OSV:GHSA-G59M-GF8J-GJF5...

EUVD-2025-176346

Malicious code in slides-install-dynamo-dotenv-parse-variables npm...

EUVD-2025-178217

Malicious code in kardashevscale-transport-tailwindcss-dynamo npm...

EUVD-2025-179104

Malicious code in epigenetics-dynamo-jsonp-odin npm...

EUVD-2025-176825

Malicious code in quito-fornax-dynamo-csrf npm...

Malicious code in procyon-json-dynamo-neutrino (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector be2e07823e5cce346b257d22926e479c2d0a207460567f6726c84336674fe59f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

EUVD-2025-179221

Malicious code in dysonswarm-lacerta-unuk-dynamo npm...