36 matches found
CVE-2026-53864 OpenClaw < 2026.5.26 - Insufficient Environment Variable Sanitization in Node.js Control Variables
OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious...
PT-2026-49781
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.26 Description Insufficient sanitization in the host environment sanitizer allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or...
CVE-2026-53819
OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute unintended Homebrew-compatible executables during skill...
Malicious code in janus-erc20 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 728f3d5af5a999be016a49283fff2c5cedc0c5df445d2f078f1f9817dde22334 On npm install, postinstall.js harvests installer secrets and POSTs them to 193.203.169.109:8443/c/janus-erc20 over HTTPS with TLS verification...
MAL-2026-5359 Malicious code in swap-sdk-87 (npm)
Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling c960+. postinstall auto-execs, src/index.js harvests /.ssh keys + Sol/Eth/BTC/Tron/Sui/Aptos wallets + .env + seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894 not rotated. Inflated version...
Malicious code in node-ipc (npm)
Three versions of node-ipc 9.1.6, 9.2.3, 12.0.1 were published to npm on May 14, 2026 by a compromised maintainer account atiertant. Each version contains an identical 80KB obfuscated payload appended to node-ipc.cjs that steals over 100 categories of sensitive files SSH keys, cloud provider...
MAL-2026-3744 Malicious code in node-ipc (npm)
Three versions of node-ipc 9.1.6, 9.2.3, 12.0.1 were published to npm on May 14, 2026 by a compromised maintainer account atiertant. Each version contains an identical 80KB obfuscated payload appended to node-ipc.cjs that steals over 100 categories of sensitive files SSH keys, cloud provider...
Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise
A previously undocumented Linux implant codenamed Quasar Linux RAT QLNX is targeting developers' systems to establish a silent foothold as well as facilitate a broad range of post-compromise functionality, such as credential harvesting, keylogging, file manipulation, clipboard monitoring, and...
Malicious code in period-newline (npm)
Malicious npm package published by threat actor "ryanmccollum1" impersonating a benign text-formatting utility. Part of the same supply chain attack campaign as redeem-onchain-sdk, which collects SSH keys, AWS credentials, .npmrc tokens, Docker auth, Chrome saved logins, .env files, and git...
MAL-2026-2884 Malicious code in forge-jsx (npm)
forge-jsx is a malicious npm package that impersonates an Autodesk Forge SDK. It was published as a fully-formed RAT from its first version on April 7, 2026. Installing the package on any non-CI machine deploys a persistent background agent that captures all keystrokes, monitors clipboard content...
CVE-2025-61260
A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP Model Context Protocol configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads...
CVE-2026-39364 Vite has a `server.fs.deny` bypass with queries
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny e.g., .env, .crt can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are...
Malicious code in strapi-plugin-health-check (npm)
strapi-plugin-health-check is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network...
MAL-2026-2459 Malicious code in strapi-plugin-debug-tools (npm)
strapi-plugin-debug-tools is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network...
Malicious code in strapi-plugin-finseven (npm)
strapi-plugin-finseven is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topolog...
Malicious code in strapi-plugin-nordica (npm)
strapi-plugin-nordica is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology...
Malicious code in strapi-plugin-nordica-deep (npm)
strapi-plugin-nordica-deep is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network...
Malicious code in strapi-plugin-nordica-vhost (npm)
strapi-plugin-nordica-vhost is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network...
MAL-2026-2480 Malicious code in strapi-plugin-nordica-vhost (npm)
strapi-plugin-nordica-vhost is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network...
Malicious code in strapi-plugin-api (npm)
strapi-plugin-api is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology. It...