Malicious Package

Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

Malicious Package

Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

Malicious Package

Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

Malicious Package

Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

Malicious Package

Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

Malicious Package

Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

Malicious Package

Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

Malicious Package

Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

Malicious Package

Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

Authentication Bypass

Overview Versions of saml2-js prior to 2.0.5 are vulnerable to an Authentication Bypass. The package fails to enforce the assertion conditions for encrypted assertions, which may allow an attacker to reuse encrypted assertion tokens indefinitely. Recommendation Upgrade to version 2.0.5 or later...

Sandbox Breakout

Overview Versions of realms-shim prior to 1.2.1 are vulnerable to a Sandbox Breakout. The Realms evaluation function has an option to apply Babel-like transformations to the source code before it reaches the evaluator. One portion of this transform pipeline exposed a primal-Realm object to the...

Denial of Service

Overview Versions of express-fileupload prior to 1.1.6-alpha.6 are vulnerable to Denial of Service. The package causes server responses to be delayed up to 30s in internal testing if the request contains a large filename of . characters. Recommendation Upgrade to version 1.1.6-alpha.6 or later...

Prototype Pollution

Overview Versions of dot-prop before 4.2.1 or 5.1.1 are vulnerable to prototype pollution. The function set does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation Upgrade to...

Cross-Site Scripting

Overview All versions of hexo-admin are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize rendered markdown, allowing attackers to execute arbitrary JavaScript in a victim's browser if they are able to create new posts. Recommendation No fix is currently available. Consider...

Cross-Site Scripting

Overview Versions of @novnc/novnc prior to 0.6.2 are vulnerable to Cross-Site Scripting XSS. The package fails to validate input from the remote VNC server such as the VNC server name. This allows an attacker in control of the remote server to execute arbitrary JavaScript in the noVNC web page. I...

Denial of Service

Overview Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application. Recommendation Upgrade to version 3.1.13 or later. References GitHub Advisory...

Malicious Package

Overview Versions 1.0.2, 1.0.3, 1.0.4 and 1.0.5 of 8.9.4 contain malicious code as a preinstall script. The package reads the system's SSH keys but does not upload it to a remote server. Recommendation Remove the package from your environment. There is no evidence of further compromise at the...

Malicious Package

Overview Version 0.0.1 of harmlesspackage contains malicious code as a postinstall script. The package printed a message to the console and performed a GET request to a remote server. Recommendation Remove the package from your environment. There is no evidence of further compromise. References...

Malicious Package

Overview Version 2.0.2 of yoeman-generator contains malicious code as a preinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed, the package downloads a file from a remote server, executes it and...

Malicious Package

Overview All versions of comander contains malicious code . The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. Upon require the package attempts to start a cryptocurrency miner using coin-hive. Recommendation Remove the package...