MAL-2025-67258 Malicious code in coherent-chocolate-hoverfly (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8252d5d1c8d869354d4c2f759483dfe611a63eca1ce6ac61a84f919273768f54 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

MAL-2025-68505 Malicious code in generous-magenta-hoverfly (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3db0106b2c99d3cc235a0ee8c7ea68fdd4b69f237784dda15181a85f1302a844 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

EUVD-2025-51358

Malicious code in uniform-amethyst-hoverfly npm...

EUVD-2025-53209

Malicious code in misty-sapphire-hoverfly npm...

Malicious code in uniform-amethyst-hoverfly (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6885fc503fb1a7dcd48cc0af710e525d64636f86c97925ded834ad3d35882391 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

MAL-2025-68727 Malicious code in huge-chocolate-hoverfly (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b073ab5e033538e5bde9c2e9e98d860050fde07855eb1cd304efe83812b181fa This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

MAL-2025-69440 Malicious code in misty-sapphire-hoverfly (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 684df63822d4f0415e2189bb1898899590db165fc99f4ffd8574f57e8774d2c5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

MAL-2025-69432 Malicious code in missing-lavender-hoverfly (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 770fba350a2504de5f74450305cf5fd5c8513cd6e3dc741cab3effa3164431c9 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

EUVD-2025-49612

Malicious code in pregnanthoverflyz3n npm...

EUVD-2025-49690

Malicious code in optimistichoverflyz3n npm...

Malicious code in optimistic_hoverfly_z3n (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bce7f5ebe412565a34325a4a67549ea462585d8eb970c8d4e92d5e42b99c53da This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in distant_hoverfly_z3n (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d943b5df7ca534b49d595c24d956a7688d46a83c81cadc5a2420491754cfcb60 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

EUVD-2025-48074

Malicious code in distanthoverflyz3n npm...

EUVD-2025-45873

Malicious code in overwhelminghoverflyz3n npm...

EUVD-2025-48289

Malicious code in colouredhoverflyz3n npm...

MAL-2025-58754 Malicious code in sore_hoverfly_z3n (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 90afc9d5d7fc56d22c7c872e9712ba4031b41862bd8d08eaf01ca1ddff7b2f43 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

VulnCheck KEV: CVE-2025-54123

Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection vulnerability at /api/v2/hoverfly/middleware endpoint due to insufficient validation and sanitization in user input. The vulnerability exists i...

Improper Authentication

github.com/spectolabs/hoverfly is vulnerable to Improper Authentication. The vulnerability is due to the admin WebSocket endpoint /api/v2/ws/logs not being protected by the same authentication middleware as the REST admin API, which allows an unauthenticated remote attacker to access and stream...

Command Injection

Hoverfly is vulnerable to Command Injection. The vulnerability is due to improper input validation in the middleware endpoint due to the binary and script parameters being passed directly into a system without sanitization. This allows an attacker to supply crafted values for those parameters to...

EUVD-2025-27610

Malicious code in bioql PyPI...