5 matches found
MAL-2026-5751 Malicious code in oh-my-ashclaw (npm)
Source: amazon-inspector daf0a5a6234cbf55718057017cbe143ab41ad1aaf7964ebfaab6dfe12703b005 On npm install, the package's postinstall hook .prepare.cjs executes and harvests installer-side data: hostname, username, OS/arch, Node version, all...
Lark Technologies: SSRF with information disclosure
A server-side request forgery (SSRF) vulnerability was identified in the messenger endpoint of Lark Suite which could have exposed internal credentials used by the server. We thank @jin0ne for reporting this to our team...
Lark Technologies: Stealing app credentials by reflected xss on Lark Suite
A reflected cross-site scripting (XSS) vulnerability was found on a Lark Suite endpoint via the 'next' parameter which an attacker could have potentially used to obtain app credentials (must first know the app ID). We have resolved this issue and thank @imrannisar for reporting this to our team...
Lark Technologies: Reflected XSS on Lark Suite
A reflected cross-site scripting (XSS) vulnerability was found at the Lark Suite log-in endpoint via the redirecturi parameter which could have potentially allowed an attacker to inject malicious code. We thank @jin0ne for reporting this to our team and confirming the resolution...
Lark Technologies: Server Side Request Forgery
A server-side request forgery (SSRF) vulnerability was found in the chat feature of Lark Suite on macOS, which could have potentially been used to access services and web applications running on the internal network. We thank @jin0ne for reporting this to our team and confirming the resolution...