Malicious code in @djessicatony/folk-mcp-canary (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a504172fe0e456bd96cf7b4f9a6b6dda65dee7bd573833bbf5963b0be7a05ae8 index.js contains a beacon-style exfiltration primitive: a fetch POST at line 60-61 sends process.env data read at lines 30 and 34 to a hardcoded...

Malicious code in @kruzer/lib-ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c1bb1f66615de2b0b161721218d2bff4bb0e7100b5cb28b764fcc2e6f1ee671f The published tarball's package.json contains a hardcoded npm registry auth token embedded in the build:publish script: npm publish --tag alpha...

MAL-2026-4401 Malicious code in @kruzer/lib-ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c1bb1f66615de2b0b161721218d2bff4bb0e7100b5cb28b764fcc2e6f1ee671f The published tarball's package.json contains a hardcoded npm registry auth token embedded in the build:publish script: npm publish --tag alpha...

PT-2026-42522

Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in settings.inc.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google...

tickets 信任管理问题漏洞

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a vulnerability related to trust management. This vulnerability stemmed from hardcoding MySQL database credentials in the loader.php file and submittin...

tickets 信任管理问题漏洞

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a vulnerability related to trust management. This vulnerability stemmed from the hardcoded WhitePages reverse phone API key in the wp1.php file, which...

PT-2026-42520

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials host, username, password, database name in import mdb.php. The credentials are embedded in source code committed to the public repository, allowing any reader of the source to obtain valid configuration value...

PT-2026-42519

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php a public-facing database utility that are committed to the source repository. Any actor with access to the public source tree or an unauthenticated attacker with read access to the file on a deployed...

tickets 信任管理问题漏洞

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a vulnerability related to trust management. This vulnerability stemmed from hardcoding MySQL database connection credentials in the importmdb.php file...

PT-2026-42521

Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited against the origin...

PT-2026-42668

Name of the Vulnerable Software and Affected Versions LMDeploy versions 0.12.3 and earlier Description LMDeploy contains an implicit unsafe remote-code load path because it hardcodes the trust remote code=True parameter when fetching models. This configuration overrides the default-secure stance ...

Malicious code in @elvatis_com/openclaw-cli-bridge-elvatis (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8ea4d389a7d7fc1ab1598f69441105d1ebe696d9d5d351f805644bded733fe7e When the OpenClaw gateway loads this plugin and starts its proxy server, code paths in dist/index.js lines 1076 and 1093 schedule outbound WhatsApp...

EUVD-2026-31179

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface where authentication is implemented entirely in client-side JavaScript in login.zhtml, exposing static plaintext credentials in the page source...

MAL-2026-4364 Malicious code in @aswinsparky/api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8cceefd98563e2885501c896472471f2bb20b77103ad99c253775570cae6b4fe index.js line 11 issues a fetch to the hardcoded URL https://api.aswinsparky.qzz.io carrying values read from process.env. The destination is a...

Malicious code in @aswinsparky/api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8cceefd98563e2885501c896472471f2bb20b77103ad99c253775570cae6b4fe index.js line 11 issues a fetch to the hardcoded URL https://api.aswinsparky.qzz.io carrying values read from process.env. The destination is a...

Malicious code in @aledan007/tester (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ab03e3eef2f59f358cdaacedf2d9facb12077110c5402ad36aad6e3581e66439 The bundled server file dist/server/index.js contains a hardcoded reference to the attacker-controlled domain https://evil.attacker-example.com...

MAL-2026-4360 Malicious code in @aledan007/tester (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ab03e3eef2f59f358cdaacedf2d9facb12077110c5402ad36aad6e3581e66439 The bundled server file dist/server/index.js contains a hardcoded reference to the attacker-controlled domain https://evil.attacker-example.com...

MAL-2026-4507 Malicious code in cb-wallet-http (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e8d704c0a6a48da0e2fef8eddcd1f98e7d380c3e19f22753f3df51d9893f60ce Package name mimics Coinbase's internal cb-wallet- namespace to capture dependency-confusion resolutions. On npm install postinstall.js and on...

MAL-2026-4433 Malicious code in @self-evolving-harness/kivo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ce31b5c287727dabb5479a114843b06b80bbd75db10d74014a00db80b9b321bd The package's LLM pipeline Kivo.ingest → value-gate → OpenAILLMProvider resolves its endpoint via resolveLlmConfig in...

Malicious code in txdpy (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 767f0e720df9d2dd670fc9c607db01794649653be89daa42f01dfe34a69a8ecd The package exports a 发送邮件 sendemail function whose default sender, recipient, and SMTP auth code are hardcoded to the author's QQ account. In...