1293 matches found

Node.js
added 2019/10/25 5:53 p.m., 14 views

Malicious Package

Overview: Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation: Remove the package from your environment. Ensure no Ethereum funds were compromised. References: GitHub Advisory...

6.9 AI score
Exploits: 0 | Affected Software: 1
Node.js
added 2019/10/21 5:24 p.m., 13 views

Authentication Bypass

Overview: Versions of saml2-js prior to 2.0.5 are vulnerable to an Authentication Bypass. The package fails to enforce the assertion conditions for encrypted assertions, which may allow an attacker to reuse encrypted assertion tokens indefinitely. Recommendation: Upgrade to version 2.0.5 or later...

6.8 AI score
Exploits: 0 | Affected Software: 1
Node.js
added 2019/10/17 5:48 p.m., 18 views

Sandbox Breakout

Overview: Versions of realms-shim prior to 1.2.1 are vulnerable to a Sandbox Breakout. The Realms evaluation function has an option to apply Babel-like transformations to the source code before it reaches the evaluator. One portion of this transform pipeline exposed a primal-Realm object to the...

7 AI score
Exploits: 0 | Affected Software: 1
Node.js
added 2019/10/15 5:44 p.m., 13 views

Denial of Service

Overview: Versions of express-fileupload prior to 1.1.6-alpha.6 are vulnerable to Denial of Service. The package causes server responses to be delayed up to 30s in internal testing if the request contains a large filename of `.` characters. Recommendation: Upgrade to version 1.1.6-alpha.6 or later...

6.8 AI score
Exploits: 0 | Affected Software: 1
Node.js
added 2019/10/14 5:43 p.m., 50 views

Prototype Pollution

Overview: Versions of dot-prop before 4.2.1 or 5.1.1 are vulnerable to prototype pollution. The function `set` does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation: Upgrade to...

7.5 CVSS | 5.6 AI score | 0.00764 EPSS
Exploits: 1 | Affected Software: 1
Node.js
added 2019/10/14 2:29 p.m., 9 views

Cross-Site Scripting

Overview: All versions of hexo-admin are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize rendered markdown, allowing attackers to execute arbitrary JavaScript in a victim's browser if they are able to create new posts. Recommendation: No fix is currently available. Consider...

6.7 AI score
Exploits: 0 | Affected Software: 1
Node.js
added 2019/10/04 6:51 p.m., 35 views

Cross-Site Scripting

Overview: Versions of @novnc/novnc prior to 0.6.2 are vulnerable to Cross-Site Scripting (XSS). The package fails to validate input from the remote VNC server, such as the VNC server name. This allows an attacker in control of the remote server to execute arbitrary JavaScript in the noVNC web page. I...

4.3 CVSS | 4.6 AI score | 0.06495 EPSS
Exploits: 1 | Affected Software: 1
Node.js
added 2019/10/04 6:34 p.m., 21 views

Denial of Service

Overview: Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application. Recommendation: Upgrade to version 3.1.13 or later. References: GitHub Advisory...

6.8 AI score
Exploits: 0 | Affected Software: 1
Node.js
added 2019/10/02 6:26 p.m., 12 views

Malicious Package

Overview: Versions 1.0.2, 1.0.3, 1.0.4 and 1.0.5 of 8.9.4 contain malicious code as a preinstall script. The package reads the system's SSH keys but does not upload them to a remote server. Recommendation: Remove the package from your environment. There is no evidence of further compromise at the...

7.1 AI score
Exploits: 0 | Affected Software: 1
Node.js
added 2019/10/02 6:17 p.m., 15 views

Malicious Package

Overview: Version 0.0.1 of harmlesspackage contains malicious code as a postinstall script. The package printed a message to the console and performed a GET request to a remote server. Recommendation: Remove the package from your environment. There is no evidence of further compromise. References...

7 AI score
Exploits: 0 | Affected Software: 1
Node.js
added 2019/10/02 6:14 p.m., 10 views

Malicious Package

Overview: Version 2.0.2 of yoeman-generator contains malicious code as a preinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed, the package downloads a file from a remote server, executes it and...

7.1 AI score
Exploits: 0 | Affected Software: 1
Node.js
added 2019/10/02 5:53 p.m., 12 views

Malicious Package

Overview: All versions of comander contain malicious code. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. Upon require, the package attempts to start a cryptocurrency miner using coin-hive. Recommendation: Remove the package...

7 AI score
Exploits: 0 | Affected Software: 1
Node.js
added 2019/10/02 5:49 p.m., 14 views

Malicious Package

Overview: Version 1.0.3 of bmap contained malicious code. The code, when executed in the browser, would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation: If version 1.0.3 of this module is found installed you wi...

6.9 AI score
Exploits: 0 | Affected Software: 1
Node.js
added 2019/10/02 1:57 p.m., 14 views

Sandbox Breakout

Overview: Versions of realms-shim prior to 1.2.0 are vulnerable to a Sandbox Breakout. `Reflect.construct` can be used on the sandboxed `Function` constructor to reach the prototypes of the primal Realm, which may allow an attacker to escape the sandbox and execute arbitrary code. Recommendation: Upgra...

7.4 AI score
Exploits: 0 | Affected Software: 1
Node.js
added 2019/10/02 1:41 p.m., 11 views

Sandbox Breakout

Overview: Versions of realms-shim prior to 1.2.0 are vulnerable to a Sandbox Breakout. The package's confined evaluator depended upon correct behavior of the spread operator (`a = [...b, ...c]`), which could be modified by the confined code. This may allow an attacker to escape the sandbox and run...

6.9 AI score
Exploits: 0 | Affected Software: 1
Node.js
added 2019/09/26 9:24 p.m., 31 views

Cryptographically Weak PRNG

Overview: Versions of generator-jhipster use a Cryptographically Weak PRNG that may lead to account takeover. The package uses a cryptographically insecure method to generate password reset links, which allows an attacker to guess password reset links and take over accounts. Recommendation: Update t...

7.5 CVSS | 2.9 AI score | 0.01904 EPSS
Exploits: 1 | Affected Software: 1
Node.js
added 2019/09/26 8:20 p.m., 18 views

Machine-In-The-Middle

Overview: Versions of https-proxy-agent prior to 2.2.3 are vulnerable to Machine-In-The-Middle. The package fails to enforce TLS on the socket if the proxy server responds to the request with an HTTP status different than 200. This allows an attacker with access to the proxy server to intercept...

6.5 AI score
Exploits: 0 | Affected Software: 1
Node.js
added 2019/09/23 6:35 p.m., 13 views

Sandbox Breakout

Overview: Versions of realms-shim prior to 1.2.0 are vulnerable to a Sandbox Breakout. The package's core evaluator, which must switch between "unsafe mode" and "safe mode" for each call, could be left in "unsafe mode" if an attacker is able to force a RangeError in a specific timeframe. This woul...

6.8 AI score
Exploits: 0 | Affected Software: 1