Lucene search

44 matches found

Snyk
added 2026/03/26 12:52 a.m. | 0 views

Malicious Package

Overview: @pumpfun-ipfs/sdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8 CVSS | 5.9 AI score
Exploits: 0 | References: 2
NVD
added 2026/01/26 10:15 p.m. | 6 views

CVE-2026-24003

EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transition to forbidden states relative to the current one, thereby updating the current context with...

5.3 CVSS | 0.00164 EPSS
Exploits: 0 | References: 2
OSV
added 2025/11/11 2:29 a.m. | 1 view

MAL-2025-74412 Malicious code in maya-nasipecel51-breki (npm)

Source: amazon-inspector 494e8f065c8d1b17a6553afbb411ee781d5eadc74e3622cd17965e95224d1739 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8 AI score
Exploits: 0
OSV
added 2025/11/11 12:17 a.m. | 1 view

MAL-2025-63075 Malicious code in galih-nasipecel40-sluey (npm)

Source: amazon-inspector 4e4d1122d48439cc6af790628077f6093f48540800ad8cfb8645c8754edc5d4b This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8 AI score
Exploits: 0
The Hacker News
added 2025/05/28 6:11 a.m. | 7 views

Apple Blocks $9 Billion in Fraud Over 5 Years Amid Rising App Store Threats

Apple on Tuesday revealed that it prevented over $9 billion in fraudulent transactions in the last five years, including more than $2 billion in 2024 alone. The company said the App Store is confronted by a wide range of threats that seek to defraud users in various ways, ranging from "deceptive...

6.3 AI score
Exploits: 0
CNNVD
added 2024/10/21 12:0 a.m. | 1 view

Linux kernel security vulnerability

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from an illegitimate context call caused by sleeping in an atomic context at shutdown...

5.5 CVSS | 6.5 AI score | 0.00016 EPSS
Exploits: 0 | References: 4
Veracode
added 2024/02/21 6:57 a.m. | 38 views

Broken Access Control

org.springframework.security: spring-security-core is vulnerable to Broken Access Control. The vulnerability is due to incorrectly returning a true return value from the AuthenticationTrustResolver.isFullyAuthenticated method when a null authentication parameter is passed to it. This can result in...

7.4 CVSS | 6.8 AI score | 0.01656 EPSS
Exploits: 0 | References: 5 | Affected Software: 1
Talos Blog
added 2023/10/18 3:42 p.m. | 17 views

What is Cracktivator software?

Cisco Talos coined the term "Cracktivator software" to reference counterfeit or modified software for pirated versions of Windows applications. One of our teammates, James Nutland, led the research to look into cracked versions of the Microsoft Windows operating system and other Microsoft...

6.9 AI score
Exploits: 0
The Hacker News
added 2023/05/18 6:19 a.m. | 3 views

Apple Thwarts $2 Billion in App Store Fraud, Rejects 1.7 Million App Submissions

Apple has announced that it prevented over $2 billion in potentially fraudulent transactions and rejected roughly 1.7 million app submissions for privacy and security violations in 2022. The computing giant said it terminated 428,000 developer accounts for potential fraudulent activity, blocked...

6.7 AI score
Exploits: 0
Prion
added 2023/01/10 4:15 a.m. | 15 views

Design/Logic Flaw

SAP NetWeaver ABAP Server and ABAP Platform - versions SAPBASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguo...

7.5 CVSS | 9 AI score | 0.00423 EPSS
Exploits: 0 | References: 2 | Affected Software: 4
Github Security Blog
added 2022/05/13 1:50 a.m. | 33 views

Ruby Openssl Allows Incorrect Value Comparison

An issue was discovered in the OpenSSL library in Ruby when two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one...

9.8 CVSS | 8.7 AI score | 0.0421 EPSS
Exploits: 0 | References: 23 | Affected Software: 1
NVD
added 2022/03/23 8:15 p.m. | 16 views

CVE-2021-27428

GE UR IED firmware versions prior to version 8.1x support upgrading firmware using UR Setup configuration tool – Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before uploading the UR IED. An illegitimate user could upgrade firmware without...

9.8 CVSS | 0.0029 EPSS
Exploits: 0 | References: 2
Cvelist
added 2022/03/23 7:46 p.m. | 18 views

CVE-2021-27428 GE UR family Unrestricted Upload of File with Dangerous Type

GE UR IED firmware versions prior to version 8.1x support upgrading firmware using UR Setup configuration tool – Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before uploading the UR IED. An illegitimate user could upgrade firmware without...

9.8 CVSS | 9.6 AI score | 0.0029 EPSS
Exploits: 0 | References: 2
Akamai Blog
added 2021/12/09 2:0 p.m. | 16 views

Security's Role in Internet Resilience

One aspect of resilience on the internet is that things — notably servers and resources — move around. Sometimes moves are legitimate, such as when a popular site evolves from hosting their own website to moving to a cloud provider to using a CDN to handle the ever-increasing traffic. Sometimes t...

6.8 AI score
Exploits: 0
Prion
added 2021/10/05 6:15 p.m. | 11 views

Privilege escalation

The FTL Server tibftlserver and Docker images containing tibftlserver components of TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition, TIBCO ActiveSpaces - Developer Edition, TIBCO ActiveSpaces - Enterprise Edition, TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FT...

6 CVSS | 7.6 AI score | 0.00171 EPSS
Exploits: 0 | References: 2 | Affected Software: 3
Malwarebytes
added 2021/09/10 12:40 p.m. | 50 views

Gamers beware: The risks of Real Money Trading (RMT) explained

Any game with an online component can be at risk from a practice known as Real Money Trading (RMT), where in-game items, artefacts, characters and the like are sold for real money. It’s a big problem for developers, especially in competitive and/or massively multiplayer online role-playing game...

7.2 AI score
Exploits: 0
Microsoft CVE
added 2020/09/25 7:0 a.m. | 2 views

An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.

...

9.8 CVSS | 9.6 AI score | 0.0421 EPSS
Exploits: 0
RedhatCVE
added 2020/01/25 10:9 p.m. | 25 views

CVE-2018-16395

An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one...

9.8 CVSS | 2 AI score | 0.0421 EPSS
Exploits: 0 | References: 2
IBM Security Bulletins
added 2019/03/04 5:55 a.m. | 56 views

Security Bulletin: A vulnerability in Ruby affects PowerKVM

Summary: PowerKVM is affected by a vulnerability in Ruby. IBM has now addressed this vulnerability. Vulnerability Details: CVEID: CVE-2018-16395. DESCRIPTION: Ruby could allow a remote attacker to bypass security restrictions, caused by a flaw when comparing two OpenSSL::X509::Name objects using == ...

9.8 CVSS | 1.1 AI score | 0.0421 EPSS
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2019/02/12 6:5 p.m. | 34 views

Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private - fluentd

Summary: IBM Cloud Private fluentd component is vulnerable to multiple security vulnerabilities. Vulnerability Details: CVEID: CVE-2018-16396. DESCRIPTION: Ruby could allow a remote attacker to bypass security restrictions, caused by the failure to properly check security controls. By sending a...

10 CVSS | 0.8 AI score | 0.78382 EPSS
Exploits: 4 | Affected Software: 1