29363 matches found
org.webjars.npm:bazel__typescript (=1.7.0), org.webjars.npm:cesium (>=1.96.0 <=1.137.0) +13 more potentially affected by CVE-2026-44290 via org.webjars.npm:protobufjs (>=6.11.3 <=8.0.0)
org.webjars.npm:protobufjs MAVEN version =6.11.3, =1.96.0, =1.0.0, =1.0.0, =10.13.0, =4.7.0, =0.3.35, =1.6.1, =0.5.2, =0.7.15 - org.webjars.npm:tiktok-live-connector =1.0.2 Source cves: CVE-2026-44290 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16643420...
GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability
Improper neutralization of special elements in output used by a downstream component 'injection' in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network...
GHSA-Q7RR-3CGH-J5R3 vulnerabilities
Vulnerabilities for packages: librechat, langfuse-fips, langfuse, gemini-cli, kibana...
Operation HumanitarianBait Uses Fake Aid Documents to Deploy Python Spyware
Operation HumanitarianBait uses fake aid documents, GitHub-hosted payloads, and Python spyware to target Russian-speaking victims...
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
TeamPCP, the threat actor behind the recent supply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign. The affected npm packages have been modified to inclu...
CVE-2026-45715
creationtimestamp | type | source
---|---|---
2026-05-12 10:25:47+00:00 | published-proof-of-concept | https://github.com/Budibase/budibase/security/advisories/GHSA-fgqv-jh4g-pvg2...
GHSA-CH7G-FXCX-CG7X vulnerabilities
Vulnerabilities for packages: chromium...
GHSA-C7M2-HHFC-83RM vulnerabilities
Vulnerabilities for packages: chromium...
GHSA-7MFJ-42PQ-P327 vulnerabilities
Vulnerabilities for packages: chromium...
GHSA-Q2VM-C2RH-9GWX vulnerabilities
Vulnerabilities for packages: chromium...
GHSA-2CVQ-G96P-GGFW vulnerabilities
Vulnerabilities for packages: chromium...
CVE-2026-44899
creationtimestamp | type | source
---|---|---
2026-05-12 06:06:53+00:00 | published-proof-of-concept | https://github.com/lepture/mistune/security/advisories/GHSA-ccfx-mfmx-2fx9
2026-06-03 12:25:07+00:00 | seen | https://bsky.app/profile/o2cloud.bsky.social/post/3mnf44csazq2j...
CVE-2026-45321
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/ packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself...
GHSA-G7CV-RXG3-HMPX Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
Summary: On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/ packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow...
CVE-2026-45321
CVE-2026-45321 is a real npm supply-chain attack affecting 42 TanStack packages where 84 malicious releases were published within ~6 minutes using a legitimate GitHub Actions OIDC trusted-publisher binding. The malicious router_init.js payload exfiltrated credentials (GitHub tokens, cloud keys, S...
EUVD-2026-29352
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/ packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself...
CVE-2026-45321 Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/ packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself...
PT-2026-39905
Name of the Vulnerable Software and Affected Versions: TanStack packages, affected versions not specified. Description: A supply chain attack known as Mini Shai-Hulud targeted 42 @tanstack/ packages, resulting in the publication of 84 malicious versions to the npm registry. The attacker gained...