CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 2026/05/21 8:17 a.m.•7 views

Malicious code in oh-langfuse (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b94251e0353c83033676a5e7b3a5c2b039b3e79914adda00d48aea70750a25bf The package's documented oh-langfuse setup command defaults LANGFUSEBASEURL to the bare-IP plaintext endpoint http://120.46.221.227:3000 bin/cli.js...

6AI score

OSV•added 2026/05/21 8:17 a.m.•2 views

MAL-2026-4625 Malicious code in oh-langfuse (npm)

6AI score

OSV•added 2026/05/21 4:39 a.m.•2 views

MAL-2026-4472 Malicious code in @zhengshuo888/huoke (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f352f11f7811b28966799c9359f99dbbe9829240066504be17c100981dd45ab On npm install, the package's postinstall hook runs node bin/huoke.js install-skill, which uses execSync to invoke curl -fsSL against...

OSV•added 2026/05/21 4:36 a.m.•2 views

MAL-2026-4573 Malicious code in git-userhub (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 859f77ac10aa89722823e0477f8f6986db2b54dd25b1b2aedb05ee31d5891071 Package name 'git-userhub' is a lookalike of a GitHub-related identity, with no legitimate publisher backing. The package.json declares a postinstall...

6.4AI score

OSSF Malicious Packages•added 2026/05/21 4:36 a.m.•6 views

Malicious code in git-userhub (npm)

6.4AI score

OSSF Malicious Packages•added 2026/05/21 3:48 a.m.•7 views

Malicious code in @atlisp/mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c5f4a9667f0a13220de9b838fde4fc16bd5aaa7f79d91f1122725e4799582515 The package's MCP server auto-injects a LISP bootstrap into every CAD command sent through cadSend/cadSendWithResult, plus connectcad's initAtlisp an...

6.3AI score

OSV•added 2026/05/21 3:48 a.m.•4 views

MAL-2026-4365 Malicious code in @atlisp/mcp (npm)

6.3AI score

OSSF Malicious Packages•added 2026/05/21 1:33 a.m.•6 views

Malicious code in @zentrix23/baileys (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 00e60d3c1f2afd09e236dc4a5ae0cf2373029e6c62c4f7a9c571b13c2da01cd7 This package is a fork of @whiskeysockets/baileys with an undocumented modification: inside makeNewsletterSocket called unconditionally by...

OSSF Malicious Packages•added 2026/05/21 12:0 a.m.•7 views

Malicious code in defi-threat-scanner (npm)

A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...

OSV•added 2026/05/21 12:0 a.m.•4 views

MAL-2026-4219 Malicious code in wallet-security-checker (npm)

OSV•added 2026/05/21 12:0 a.m.•5 views

Exploits0References14

MAL-2026-4207 Malicious code in eth-wallet-sentinel (npm)

OSSF Malicious Packages•added 2026/05/21 12:0 a.m.•6 views

Malicious code in wallet-security-checker (npm)

OSSF Malicious Packages•added 2026/05/21 12:0 a.m.•2 views

Exploits0References14

Malicious code in crypto-credential-scanner (npm)

5.9AI score

Positive Technologies•added 2026/05/21 12:0 a.m.•4 views

PT-2026-42668

📋 Reframing 2026-05-02: implicit unsafe remote-code path, not "supply-chain" The accurate description of this vulnerability is: "get model arch and related helpers hardcode trust remote code=True with no opt-out, creating an implicit unsafe remote-code load path on every model fetch." What this...

7.8CVSS6.5AI score

Exploits0References5

OSSF Malicious Packages•added 2026/05/21 12:0 a.m.•6 views

Malicious code in chain-key-validator (npm)

OSSF Malicious Packages•added 2026/05/20 11:55 p.m.•5 views

Malicious code in claude-internal-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 24a94a290c15f2b6cdaf351590455cd597bb2881f7bbcf1609fbfbd8031e491f Package name impersonates an internal Anthropic 'claude-' namespace and the description field self-identifies as 'Alex Birsan Style'...

5.9AI score

OSSF Malicious Packages•added 2026/05/20 10:20 p.m.•5 views

Malicious code in solidity-deploy-guard (npm)

OSSF Malicious Packages•added 2026/05/20 8:46 p.m.•6 views

Exploits0References15

Malicious code in chain-async-test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 37ce7d13d84d6293da0026d252448caac350f46ecf2206ee1eaeeff8b47d48c6 chain-async-test impersonates the legitimate chain-async library copies its README, license, author 'Eugene Lazutkin / uhop', and full API surface; t...

6.2AI score

OSV•added 2026/05/20 8:40 p.m.•6 views

MAL-2026-4705 Malicious code in vite-json-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a7c9683fed8b8696938eb7ad88e158f70a075851b0dd511af991ecd69a4d0fd The package presents itself as a vite/tsconfig path helper and clones the public API of tsconfig-paths createMatchPath, matchFromAbsolutePaths,...

6.3AI score