6 matches found
MAL-2025-47554 Malicious code in finos-legend (npm)
The package finos-legend was found to contain malicious code. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d52237f76bf811889cf1da6bfa8df5deacc81e076c88890187022381ae951370 Any computer that has this package installed or running should be considered fully...
Malicious Package
Overview: finos-legend is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious code in finos-legend (npm)
The package finos-legend was found to contain malicious code. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d52237f76bf811889cf1da6bfa8df5deacc81e076c88890187022381ae951370 Any computer that has this package installed or running should be considered fully...
Sensitive Data Exposure
@finos/git-proxy is vulnerable to sensitive data exposure. The vulnerability is due to improper validation of commits in the pack sent to GitHub, which allows an attacker to inject unreferenced commits containing sensitive data and retrieve them via direct commit URLs without appearing in the...
Malicious File Parsing
@finos/git-proxy is vulnerable to malicious file parsing. The vulnerability is due to improper PACK signature detection in parsePush.ts, which allows an attacker to embed misleading signatures in commit content and craft packet structures to bypass approval or hide commits...
CVE-2025-54586
creationtimestamp | type | source
---|---|---
2025-07-30 15:27:15+00:00 | published-proof-of-concept | https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g...