2459690 matches found
CVE-2026-45256 Missing permission check in thr_kill2(2)
When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to th...
Malicious code in @carvana.authentication-flows/shared (npm)
Source: amazon-inspector (78538bf70d1ebd3e4cd784d90b3961ea7966ce9b97e8124110374cad95c0b894). package.json declares a preinstall hook (node index.js) that runs unconditionally on npm install. index.js imports child_process/os/https, collects host...
MAL-2026-6521 Malicious code in @carvana.authentication-flows/shared (npm)
Source: amazon-inspector (78538bf70d1ebd3e4cd784d90b3961ea7966ce9b97e8124110374cad95c0b894). package.json declares a preinstall hook (node index.js) that runs unconditionally on npm install. index.js imports child_process/os/https, collects host...
Malicious code in express-plugin (npm)
Source: amazon-inspector (183cda19ef38d3451b375669fb460577a83217091d96d7fc11d5bf33679c8003). On module load, index.js auto-invokes initPlugin, which HTTP-GETs https://jsonkeeper.com/b/PRA3O, parses the JSON response, and passes the response's...
MAL-2026-6523 Malicious code in express-plugin (npm)
Source: amazon-inspector (183cda19ef38d3451b375669fb460577a83217091d96d7fc11d5bf33679c8003). On module load, index.js auto-invokes initPlugin, which HTTP-GETs https://jsonkeeper.com/b/PRA3O, parses the JSON response, and passes the response's...
CVE-2026-52952
A flaw was found in the Linux kernel's Input/Output Memory Management Unit (IOMMU) subsystem, which manages how devices access system memory. A race condition, a situation where multiple operations occur in an unpredictable order, exists during device recovery when multiple memory domains are being...
PYSEC-2026-235 Malicious code in ppkt2synergy (PyPI)
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08, malicious phantom releases of ppkt2synergy were published to PyPI using stolen credentials. The package executes a bundled JavaScript payload via the Bun runtime on import that harvests and exfiltrates credentials an...
Malicious code in ppkt2synergy (PyPI)
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08, malicious phantom releases of ppkt2synergy were published to PyPI using stolen credentials. The package executes a bundled JavaScript payload via the Bun runtime on import that harvests and exfiltrates credentials and...
PYSEC-2026-234 Malicious code in phenopacket-store-toolkit (PyPI)
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08, malicious phantom releases of phenopacket-store-toolkit were published to PyPI using stolen credentials. The package executes a bundled JavaScript payload via the Bun runtime on import that harvests and exfiltrates...
Malicious code in phenopacket-store-toolkit (PyPI)
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08, malicious phantom releases of phenopacket-store-toolkit were published to PyPI using stolen credentials. The package executes a bundled JavaScript payload via the Bun runtime on import that harvests and exfiltrates...
CVE-2026-53914
In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata...
Malicious code in ts-einkle (npm)
Source: amazon-inspector (fa992a8f9afcf95d3c0e35b6abc290ff565b450663f6d43511467cd370eefce8). ts-einkle ships a comprehensive installer-side stealer in its main module peer-math.js. On require, syncSession runs a chain packProjectBundle,...
MAL-2026-6524 Malicious code in ts-einkle (npm)
Source: amazon-inspector (fa992a8f9afcf95d3c0e35b6abc290ff565b450663f6d43511467cd370eefce8). ts-einkle ships a comprehensive installer-side stealer in its main module peer-math.js. On require, syncSession runs a chain packProjectBundle,...
Malicious code in ts-einkle-slot (npm)
Source: amazon-inspector (f565a21645ed6a288a820dea60e648589a5cca95a91b2c90720f3d2bcadca73b). Package is published as ts-einkle-slot but its tarball contents (source, README, LICENCE, package.json author/repository/description) are copied verbat...
MAL-2026-6525 Malicious code in ts-einkle-slot (npm)
Source: amazon-inspector (f565a21645ed6a288a820dea60e648589a5cca95a91b2c90720f3d2bcadca73b). Package is published as ts-einkle-slot but its tarball contents (source, README, LICENCE, package.json author/repository/description) are copied verbat...
Malicious code in @epsteinlovekids483/crossmint-wallets-sdk-pentest (npm)
Source: amazon-inspector (6e43e5a418541bb3e485010eba536ecc9f1483dba866af53ff4a760684409213). Package's main entry dist/index.cjs unconditionally requires dist/shai-hulud.js at module load. On require, the code harvests installer secrets —...
MAL-2026-6522 Malicious code in @epsteinlovekids483/crossmint-wallets-sdk-pentest (npm)
Source: amazon-inspector (6e43e5a418541bb3e485010eba536ecc9f1483dba866af53ff4a760684409213). Package's main entry dist/index.cjs unconditionally requires dist/shai-hulud.js at module load. On require, the code harvests installer secrets —...
Security update for python, python-base, python-doc
This update for python, python-base, python-doc fixes the following issues. Security fixes: CVE-2026-1703: files may be extracted outside the installation directory when installing and extracting maliciously crafted wheel archives (bsc#1257599). CVE-2026-3219: pip doesn't reject concatenated ZIP...
SUSE-SU-2026:2664-1 Security update for python, python-base, python-doc
This update for python, python-base, python-doc fixes the following issues. Security fixes: - CVE-2026-1703: files may be extracted outside the installation directory when installing and extracting maliciously crafted wheel archives (bsc#1257599). - CVE-2026-3219: pip doesn't reject concatenated ZIP...
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Use after free in Microsoft Edge (Chromium-based) allows an authorized attacker to execute code over a network...