EUVD-2025-30103

Malicious code in bioql PyPI...

@art-ws/openapi (>=0.1.1 <=0.1.8) potentially affected by unknown CVE via @art-ws/fastify-http-server (>=2.0.15 <=2.0.23)

@art-ws/fastify-http-server NPM version =2.0.15, =0.1.1, =0.1.8 Source cves: unknown CVE Source advisory: OSV:MAL-2025-47378...

@art-ws/fastify-http-server (>=2.0.1 <=2.0.23), @art-ws/openapi (>=0.1.1 <=0.1.8) potentially affected by unknown CVE via @art-ws/http-server (>=2.0.1 <=2.0.20)

@art-ws/http-server NPM version =2.0.1, =2.0.1, =0.1.1, =0.1.8 Source cves: unknown CVE Source advisory: OSV:MAL-2025-47379...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. Compromised versions of this package contain a file called bundle.js that exfiltrates secrets from the user's accounts, including credentials and API tokens. It also downloads malicious files and repackages them...

@art-ws/openapi (>=0.1.1 <=0.1.8) potentially affected by unknown CVE via @art-ws/fastify-http-server (>=2.0.15 <=2.0.23)

@art-ws/fastify-http-server NPM version =2.0.15, =0.1.1, =0.1.8 Source cves: unknown CVE Source advisory: SNYK:JS-ARTWSFASTIFYHTTPSERVER-12744474...