GHSA-MX8G-39Q3-5C79 vulnerabilities

Vulnerabilities for packages: argo-workflows...

MAL-2026-6433 Malicious code in rstreams-shard-util (npm)

The rstreams-shard-util npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the...

GHSA-HCXC-WF8J-23HV vulnerabilities

Vulnerabilities for packages: grafana-fips...

Malicious code in executable-stories-formatters (npm)

--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security a6c7977dbc054cdb7fe56da0d2fbd26e2a6fed695deb4263ccbf4adfedd86acb The Miasma malware is a self-propagating worm that spreads across the npm registry by abusing weaponized binding.gyp files to achieve...

sherlock 操作系统命令注入漏洞

Sherlock is an open-source username search tool developed by Sherlock. Versions of Sherlock prior to 0.16.1 contained a vulnerability related to operating system command injection. This vulnerability originated from the pullrequesttarget trigger in the GitHub Actions workflow...

Malicious code in @antv/gi-assets-janusgraph (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

MAL-2026-4088 Malicious code in @antv/thumbnails (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

MAL-2026-3870 Malicious code in @antv/dipper-component (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

MAL-2026-4058 Malicious code in @antv/layout-wasm (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

MAL-2026-4078 Malicious code in @antv/s2-react (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

MAL-2026-4018 Malicious code in @antv/github-config-cli (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

GHSA-PMWQ-PJRM-6P5R vulnerabilities

Vulnerabilities for packages: crossplane, guac, gitlab-runner, ko, skaffold, zarf, goreleaser, bom, aactl, tkn, gitsign, spire-server, policy-controller, docker-cli-buildx, docker, ratify, gh, kubescape, rekor, tekton-chains, slsa-verifier, kyverno, tflint, buildkitd, neuvector-sigstore-interface...

GHSA-CM33-6792-R9FM vulnerabilities

Vulnerabilities for packages: tez, spark, apache-pulsar, trino, apicurio-registry, opensearch, akhq, wildfly, flyway, management-api-for-apache-cassandra-5.0, zipkin, infinispan, thingsboard, keycloak, strimzi-kafka-operator, druid, apache-nifi...

GHSA-MW35-8RX3-XF9R vulnerabilities

Vulnerabilities for packages: tritonserver-backend-vllm-cuda-12.9...

GHSA-V569-HP3G-36WR vulnerabilities

Vulnerabilities for packages: logstash, ruby3.2-rack, ruby3.4-rack, ruby4.0-rack, kube-fluentd-operator, ruby3.4-rails, ruby3.2-rails, ruby3.3-rack...

GHSA-J4XF-2G29-59PH vulnerabilities

Vulnerabilities for packages: rustup, sccache, wasmcloud, rye, zizmor, pixi, qdrant, wasm-pack, cargo-c, deno, buck2...

CVE-2026-3854 Remote code execution via git push option injection in GitHub Enterprise Server

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly...

MAL-2025-191362 Malicious code in @voiceflow/npm-package-json-lint-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fcb13f449b9f8582e57b2b30103359ccd3efcbde9b172f827a481af246122211 The package @voiceflow/npm-package-json-lint-config was found to contain malicious code. Source: google-open-source-security...

Malicious code in @bdkinc/knex-ibmi (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 85cc012fb765319451923141ad4b7e0436b8033482b80dfd67bcc460923c2ae0 The package @bdkinc/knex-ibmi was found to contain malicious code. Source: ghsa-malware...

Malicious code in @faq-component/core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cc9231d4632473ef4031ec55df06f361942089d230a511407a1cbdce5716ed7f The package @faq-component/core was found to contain malicious code. Source: ghsa-malware...