75 matches found
Malicious Package
Overview: @pcldpvkoewpogw/testhacker is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
org.apache.logging.log4j:log4j-layout-template-json-test (>=3.0.0-alpha1 <=3.0.0-beta2), software.airborne.kairo:kairo-alternative-money-formatters (=5.0.0) +29 more potentially affected by CVE-2026-34481 via org.apache.logging.log4j:log4j-layout-template-json (>=3.0.0-alpha1 <=3.0.0-beta3)
org.apache.logging.log4j:log4j-layout-template-json MAVEN version =3.0.0-alpha1, =3.0.0-alpha1, =3.0.0-beta2 - software.airborne.kairo:kairo-alternative-money-formatters =5.0.0 - software.airborne.kairo:kairo-clock-feature =5.0.0 - software.airborne.kairo:kairo-closeable =5.0.0 -...
PYSEC-2026-2 Two litellm versions published containing credential harvesting malware
After an API token was exposed through an exploited Trivy dependency, two new releases of litellm containing automatically activated malware were uploaded to PyPI. The malware harvests sensitive credentials and files and exfiltrates them to a remote API. The malicious code runs on import of any module from the...
DEBIAN-CVE-2026-4693
Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9...
Malicious Package
Overview: chai-as-constrained is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
abadpour (>=6.13.1 <=7.24.1), abcli (>=9.273.1 <=9.572.1) +694 more potentially affected by CVE-2025-14287 via mlflow (>=3.0.0rc2 <=3.6.0rc0)
mlflow PYPI version =3.0.0rc2, =6.13.1, =9.273.1, =2.0.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.1.0, =1.0.0, =0.1.0, =0.20.9, =0.21.10 and more Source cves: CVE-2025-14287 Source advisory: SNYK:PYTHON-MLFLOW-15674468...
@142vip/egg (>=0.0.1-alpha.1 <=0.0.1-alpha.6), @142vip/egg-axios (>=0.0.1-alpha.1 <=0.0.1-alpha.2) +302 more potentially affected by CVE-2026-30951 via sequelize (>=6.0.0-beta.4 <=6.37.7)
sequelize NPM version =6.0.0-beta.4, =0.0.1-alpha.1, =0.0.1-alpha.1, =0.0.1-alpha.2, =0.0.1-alpha.2, =0.0.1-alpha.2, =1.2.3, =1.0.0, =15.0.0, =1.0.0, =0.18.0, =5.0.0-alpha.3, =13.5.0, =1.0.70, =1.0.155 and more Source cves: CVE-2026-30951 Source advisory: SNYK:JS-SEQUELIZE-15456219...
africa.absa:inception-application (>=1.0.0 <=1.2.0), app.fmgp:scala-did-docs_3 (>=0.1.0-M16 <=0.1.0-M33) +2472 more potentially affected by CVE-2024-3884 via io.undertow:undertow-core (>=2.0.0.Alpha1 <=2.2.38.Final)
io.undertow:undertow-core MAVEN version =2.0.0.Alpha1, =1.0.0, =0.1.0-M16, =1.0.0, =1.0.1, =1.0.2, =1.0.0, =1.2.1, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.1 and more Source cves: CVE-2024-3884 Source advisory: SNYK:JAVA-IOUNDERTOW-15053841...
MAL-2025-191567 Malicious code in chai-sync (npm)
Source: amazon-inspector f58d95adcd5fd2dce29ac379c47d6b4ca7239ae5d1eb53d06617067cc7623938 The package chai-sync was found to contain malicious code...
EUVD-2025-149206
Malicious code in teagood-nalikoli50 npm...
ai.ancf.lmos-router:benchmarks (>=0.2.0 <=0.28.0), ai.ancf.lmos-router:lmos-router-hybrid (>=0.2.0 <=0.28.0) +21922 more potentially affected by CVE-2025-58057 via io.netty:netty-codec-http (>=4.0.0.Alpha1 <=4.1.124.Final)
io.netty:netty-codec-http MAVEN version =4.0.0.Alpha1, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.1.1, =0.1.1, =0.1.1, =0.0.4, =0.6.0 - ai.ancf.lmos:lmos-router-hybrid =0.1.0 - ai.ancf.lmos:lmos-router-hybrid-spring-boot-starter =0.1.0 - ai.ancf.lmos:lmos-router-llm =0.1.0 -...
Linux Distros Unpatched Vulnerability : CVE-2023-49092
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through...
MAL-2025-12844 Malicious code in @zalastax/nolb-osc (npm)
The package @zalastax/nolb-osc was found to contain malicious code...
MAL-2025-14982 Malicious code in asymc (npm)
The package asymc was found to contain malicious code...
rs265_text-based-adventure-game (>=1.0.4 <=1.0.6) potentially affected by unknown CVE via halk (=0.0.1-security)
halk NPM version =0.0.1-security is affected by a known vulnerability. The following packages have a transitive dependency on halk and may be impacted: - rs265_text-based-adventure-game =1.0.4, =1.0.6 Source cves: unknown CVE Source advisory: OSV:MAL-2025-22133...
MAL-2025-10301 Malicious code in @zalastax/nolb-_p0 (npm)
The package @zalastax/nolb-_p0 was found to contain malicious code...
MAL-2025-13869 Malicious code in @zittertea/excepturi-laboriosam-vitae-atque (npm)
The package @zittertea/excepturi-laboriosam-vitae-atque was found to contain malicious code...
MAL-2025-15204 Malicious code in avior-cygnus-borealis-acamar (npm)
The package avior-cygnus-borealis-acamar was found to contain malicious code...
MAL-2025-12619 Malicious code in @zalastax/nolb-node-cw (npm)
The package @zalastax/nolb-node-cw was found to contain malicious code...
MAL-2025-10244 Malicious code in @zalastax/nolb-_myb (npm)
The package @zalastax/nolb-_myb was found to contain malicious code...