MAL-2026-4669 Malicious code in shiroai (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8cde2f64fd59e62071433f92eab83a4817f0b306ff1735aa8c31ae31dcaf9830 shiroai is advertised as a CLI where the installer authenticates with their own API key via shiroai login . In practice, cli.js ignores any...

MAL-2026-4457 Malicious code in @tmecontinue/claude (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0813d6ca6de1573ab8f99aae08444e589f4c5751931e4b18812140f720b74239 Package self-describes as a 'Reverse-engineered Anthropic Claude Code CLI' and impersonates the legitimate @anthropic-ai/claude-code bin name...

Malicious code in @kruzer/lib-ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c1bb1f66615de2b0b161721218d2bff4bb0e7100b5cb28b764fcc2e6f1ee671f The published tarball's package.json contains a hardcoded npm registry auth token embedded in the build:publish script: npm publish --tag alpha...

MAL-2026-4401 Malicious code in @kruzer/lib-ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c1bb1f66615de2b0b161721218d2bff4bb0e7100b5cb28b764fcc2e6f1ee671f The published tarball's package.json contains a hardcoded npm registry auth token embedded in the build:publish script: npm publish --tag alpha...

MAL-2026-4459 Malicious code in @touchvue/chat (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0921a05dced95d8d0bb5d99de362f67e4e67832874fb0b4391629f5dfe6e926d The published tarball's chat components AiChat/Chat/useSSE.js and AiChat/ChatInput.vue2.js ship with hardcoded defaults that point the chat backend a...

Malicious code in cheaty-sync-bot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 45b192c71c59ccca1d9cc720372bd29f39eae8b5da4d572cd1e8312d6b57d6b4 cheaty-sync-bot ships a clipboard-sync CLI that hardcodes a single Telegram bot token index.js:10 owned by the package author. There is no...

MAL-2026-3674 Malicious code in 66o (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c3ba0e9f968d627812a2a4efbb8631d3400b6c19692c7668c8e511e2808aaa62 On require, index.js replaces the global console object with a Proxy index.js:36-73 that intercepts console.error/info/warn calls anywhere in the hos...

CVE-2026-42869

SOCFortress CoPilot prior to version 0.1.57 ships a hardcoded JWT signing secret as a fallback in backend/app/auth/utils.py:28 and includes it in .env.example. If JWT_SECRET is not explicitly set (including default Docker Compose deployments), tokens are signed with this public value, allowing an...

PT-2026-39734

Name of the Vulnerable Software and Affected Versions SOCFortress CoPilot versions prior to 0.1.57 Description The application contains a hardcoded JSON Web Token JWT signing secret used as a fallback value in the backend/app/auth/utils.py file and the .env.example file. In deployments where the...

GHSA-32CC-X95P-FXCG FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration

Description An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This...

CVE-2025-68926

RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token "rustfs rpc" that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable...

RustFS has a gRPC Hardcoded Token Authentication Bypass

Vulnerability Overview Description RustFS implements gRPC authentication using a hardcoded static token "rustfs rpc" that is: 1. Publicly exposed in the source code repository 2. Hardcoded on both client and server sides 3. Non-configurable with no mechanism for token rotation 4. Universally vali...

EUVD-2025-205801

RustFS has a gRPC Hardcoded Token Authentication Bypass...

GHSA-H956-RH7X-PPGJ RustFS has a gRPC Hardcoded Token Authentication Bypass

Vulnerability Overview Description RustFS implements gRPC authentication using a hardcoded static token "rustfs rpc" that is: 1. Publicly exposed in the source code repository 2. Hardcoded on both client and server sides 3. Non-configurable with no mechanism for token rotation 4. Universally vali...

CVE-2025-68926

RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token "rustfs rpc" that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable...

CVE-2025-68926

CVE-2025-68926 – RustFS hardcoded gRPC token authentication bypass . Affected RustFS versions prior to 1.0.0-alpha.78 expose a publicly visible hardcoded token, “rustfs rpc”, used for gRPC authentication on both client and server. The token is non-configurable and identical across deployments, en...

CVE-2025-68926 RustFS has a gRPC Hardcoded Token Authentication Bypass

RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token "rustfs rpc" that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable...

CVE-2025-68926 RustFS has a gRPC Hardcoded Token Authentication Bypass

RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.78, RustFS implements gRPC authentication using a hardcoded static token "rustfs rpc" that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable...

PT-2025-54203

Name of the Vulnerable Software and Affected Versions RustFS versions prior to 1.0.0-alpha.77 Description RustFS, a distributed object storage system built in Rust, uses a hardcoded static token, "rustfs rpc", for gRPC authentication in versions prior to 1.0.0-alpha.77. This token is publicly...

CVE-2025-56749

Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge valid JWT tokens, leading to authentication bypass and unauthorized access to any user account...