Malicious code in @antv/f2-canvas (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

CVE-2024-35238

Minder by Stacklok is an open source software supply chain security platform. Minder prior to version 0.0.51 is vulnerable to a denial-of-service DoS attack which could allow an attacker to crash the Minder server and deny other users access to it. The root cause of the vulnerability is that...

CVE-2024-35238

Summary: Minder by Stacklok (pre-0.0.51) is vulnerable to a DoS caused by the sigstore verifier reading an untrusted response without a size limit. An attacker can cause Minder to fetch attestations from a user-controlled GitHub endpoint (orgs/$owner/attestations/$checksumref) and feed a large re...