MAL-2026-3898 Malicious code in @antv/f2-wordcloud (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
Embedded Malicious Code
Overview: Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...
EUVD-2026-24165
Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL...
MAL-2025-49099 Malicious code in @raux/ra-react-big-calendar (npm)
Source: google-open-source-security (2a212e56b9bc45f8e1a5ba0e12813f0d333c9d77c3d94b1ec81b8bdd42655580). This package installs a dependency hosted on a custom domain that runs an info stealer during installation. The info stealer focuses on...
Malicious code in @dealmgmt/grid (npm)
Source: google-open-source-security (3f1e7bb02af2f24d6a057db349128269908eb7e771722c7cf8aa637d3974058a). This package installs a dependency hosted on a custom domain that runs an info stealer during installation. The info stealer focuses on...
Malicious code in @i22/scroll-animation (npm)
Source: ghsa-malware (1297ada7ed50f62fa70a5afda0a5f25b8e52d052e53dc69c23b9927d6024c15f). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in react-airbnb-prettier (npm)
The package react-airbnb-prettier was found to contain malicious code. Source: google-open-source-security (8dfaae080b90705a47740e1ced1edacf0110db947f0f26fdd35e2805a2886d37). This package installs a dependency hosted on a custom domain that...
Backstage Scaffolder plugin vulnerable to Server-Side Request Forgery
Impact: A vulnerability is identified in Backstage Scaffolder template functionality where Server-Side Template Injection SSTI can be exploited to perform Git config injection. The vulnerability allows an attacker to capture privileged git tokens used by the Backstage Scaffolder plugin. With these...
CVE-2024-53983 Server-side request forgery in Backstage Scaffolder plugin
The Backstage Scaffolder plugin houses types and utilities for building scaffolder-related modules. A vulnerability is identified in Backstage Scaffolder template functionality where Server-Side Template Injection SSTI can be exploited to perform Git config injection. The vulnerability allows an...