sherlock 操作系统命令注入漏洞

Sherlock is an open-source username search tool developed by Sherlock. Versions of Sherlock prior to 0.16.1 contained a vulnerability related to operating system command injection. This vulnerability originated from the pullrequesttarget trigger in the GitHub Actions workflow...

MAL-2026-4018 Malicious code in @antv/github-config-cli (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

MAL-2026-4088 Malicious code in @antv/thumbnails (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

MAL-2026-4058 Malicious code in @antv/layout-wasm (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

MAL-2026-4078 Malicious code in @antv/s2-react (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

MAL-2026-3870 Malicious code in @antv/dipper-component (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

Malicious code in @antv/gi-assets-janusgraph (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

GHSA-PMWQ-PJRM-6P5R vulnerabilities

Vulnerabilities for packages: falcoctl, slsa-verifier, vexctl, docker-compose, ko, trivy-operator, cosign, kyverno, zot, goreleaser, skaffold, rekor, zarf, neuvector-sigstore-interface, docker, tkn, flux-source-controller, gh, gitsign, buildkitd, aactl, tekton-chains, kubescape, docker-cli-buildx...

GHSA-CM33-6792-R9FM vulnerabilities

Vulnerabilities for packages: druid, keycloak, apache-nifi, opensearch, strimzi-kafka-operator, spark, management-api-for-apache-cassandra-5.0, apache-pulsar, thingsboard, trino, infinispan, tez, flyway, zipkin, akhq, wildfly, apicurio-registry...

GHSA-MW35-8RX3-XF9R vulnerabilities

Vulnerabilities for packages: tritonserver-backend-vllm-cuda-12.9...

GHSA-V569-HP3G-36WR vulnerabilities

Vulnerabilities for packages: logstash, ruby3.4-rails, ruby3.2-rails...

GHSA-J4XF-2G29-59PH vulnerabilities

Vulnerabilities for packages: deno, rye, wasmcloud, buck2, cargo-c, rustup, wasm-pack, zizmor, qdrant, sccache, pixi...

CVE-2026-3854 Remote code execution via git push option injection in GitHub Enterprise Server

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly...

MAL-2025-191362 Malicious code in @voiceflow/npm-package-json-lint-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fcb13f449b9f8582e57b2b30103359ccd3efcbde9b172f827a481af246122211 The package @voiceflow/npm-package-json-lint-config was found to contain malicious code. Source: google-open-source-security...

Malicious code in @bdkinc/knex-ibmi (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 85cc012fb765319451923141ad4b7e0436b8033482b80dfd67bcc460923c2ae0 The package @bdkinc/knex-ibmi was found to contain malicious code. Source: ghsa-malware...

Malicious code in @faq-component/core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cc9231d4632473ef4031ec55df06f361942089d230a511407a1cbdce5716ed7f The package @faq-component/core was found to contain malicious code. Source: ghsa-malware...

MAL-2025-191098 Malicious code in frontity-starter-theme (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 13b1b354fa335b058cf3b6af9fd24bc83609696da8937e6d103a4bdf3196ec2f The package frontity-starter-theme was found to contain malicious code. Source: ghsa-malware...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...