35 matches found
02strich-markdown (>=1.0.0 <=1.0.2), @0xintuition/slang-cli (>=0.0.1 <=0.0.8) +1947 more potentially affected by CVE-2026-26996 via minimatch (>=4.1.1 <=4.2.3)
minimatch NPM version =4.1.1, =1.0.0, =0.0.1, =0.5.2, =5.0.2, =2.2.0, =1.1.4, =1.3.1, =1.0.0, =0.0.2-alpha-20220914223128-d706aab, =0.0.2-alpha-20220915073207-1bb0680, =0.0.2-alpha-20220914223128-d706aab, =1.1.8, =1.0.0, =1.5.0 and more Source cves: CVE-2026-26996 Source advisory:...
GHSA-HG6J-8H7M-3W3J vulnerabilities
Vulnerabilities for packages: nodejs...
@mapbox/vnu-validate-html (=0.1.0), @northernbeat/gulp-tasks (>=1.0.48 <=1.0.50) +34 more potentially affected by CVE-2025-15104 via vnu-jar (>=16.12.27 <=26.5.9)
vnu-jar NPM version =16.12.27, =1.0.48, =1.0.3, =0.9.0, =0.1.1, =0.7.0, =0.1.2, =0.6.0, =8.1.0, =9.1.1, =1.0.0, =1.1.2, =2.0.0 and more Source cves: CVE-2025-15104 Source advisory: SNYK:JS-VNUJAR-15010791...
MAL-2025-110353 Malicious code in various_felidae_0xrequest (npm)
Source: amazon-inspector 192db8248b5bd7ab85aa1d49fdd41e25e957a3e159235072e672ccddd0e542b4 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-96741 Malicious code in squealing_marsupial_z3n (npm)
Source: amazon-inspector 1ddd1a6334392affe3da552019d40cce69c508983fa094a21ea1abe9a54c0d79 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious Package Injection
DuckDB is vulnerable to malicious package injection. The vulnerability is due to unauthorized access and compromise of the npm package publishing process, which allowed an attacker to upload malicious versions of DuckDB’s Node.js packages containing code that interfered with cryptocurrency...
Self-Replicating Worm Hits 180+ Software Packages
At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the securit...
Security Bulletin: Security Vulnerabilities in node.js packages affect IBM Voice Gateway
Summary Security Vulnerabilities in node.js packages affect IBM Voice Gateway. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution HPP. This vulnerability is...
Fake npm Website Used to Push Malware via Stolen Token
Fake npm website used in phishing attack to steal maintainer token, leading to malware in popular JavaScript packages like eslint-config-prettier...
Malicious code in selfhydrastudycc (PyPI)
Source: checkmarx 5dc2e2dddc8d4486e55f7c130ba6fd3d65a25aa9af3d922742d15fc493654c3d EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...
Malicious code in libcontrolstringcc (PyPI)
Source: checkmarx 1de0ff9d0e3ff3ecbad9399eafeb06b97512af63db496dcbb358a57b2cd6dc26 EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...
Malicious code in tpstrpeplgtb (PyPI)
Source: checkmarx fd90f892727d0f1648c10f09ca93b40cfbcf0a6c5bf9cfc4473a497b3a509e07 EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...
Malicious code in py-maskverstring (PyPI)
Source: checkmarx 126ba20c12bc6baa464255aa0876b14c11943fb37ff3d7443c4718c9840aca79 EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...
Malicious code in esqguipushpong (PyPI)
Source: checkmarx 3a37fc418ad336f3a4753276ec2c3c3a7056746e92387f237546616045d1a176 EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...
Malicious code in esqpongpaypalnvidia (PyPI)
Source: checkmarx 17c448a8317405e51b013e0053f06cbf5b38b3725a2a759150a3f04950c53e2f EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...
Malicious code in esqmaskvmrandom (PyPI)
Source: checkmarx b79bcf8a171adb586ff2ebdc9c86625e54b2b840a697c27064960c7a75a60147 EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...
Malicious code in tpencodeinteled (PyPI)
Source: checkmarx 24731a673c96b72b89aeadce5a8dc3cb1851bbfbf4d7a57dfbb13b99079778c6 EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...
Malicious code in py-ccmcstudy (PyPI)
Source: checkmarx cf7fb5c5f1304157b31f763d62a65ceca4dbaee8f885a58fda65b70b800dfd69 EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...
Malicious code in py-toolpipproof (PyPI)
Source: checkmarx af214e967ddbd79e2e0591bd4917cd8b56b1ab6b6c1fcdb9b3c0e73f34f99c27 EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...
Malicious code in py-paypalsplitpush (PyPI)
Source: checkmarx d3047490c8a4f8aec92d4ada426d5a5c7735e04af28845dcd90968f26777cedf EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...