Malicious Package

Overview @pcldpvkoewpogw/testhacker is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

a2cli (>=0.1.0 <=0.2.1), a2py (>=0.2.1 <=0.2.3) +742 more potentially affected by unknown CVE via mistralai (>=2.0.0 <=2.4.5)

mistralai PYPI version =2.0.0, =0.1.0, =0.2.1, =0.1.0, =0.1.0, =0.1.4, =0.1.0, =0.0.1, =0.1.36, =0.1.0, =0.1.0, =0.0.1, =0.1.2 - agentfactory-mcp-server =0.1.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-WX9M-WX4F-4CMG...

org.apache.logging.log4j:log4j-layout-template-json-test (>=3.0.0-alpha1 <=3.0.0-beta2), software.airborne.kairo:kairo-alternative-money-formatters (=5.0.0) +29 more potentially affected by CVE-2026-34481 via org.apache.logging.log4j:log4j-layout-template-json (>=3.0.0-alpha1 <=3.0.0-beta3)

org.apache.logging.log4j:log4j-layout-template-json MAVEN version =3.0.0-alpha1, =3.0.0-alpha1, =3.0.0-beta2 - software.airborne.kairo:kairo-alternative-money-formatters =5.0.0 - software.airborne.kairo:kairo-clock-feature =5.0.0 - software.airborne.kairo:kairo-closeable =5.0.0 -...

PYSEC-2026-2 Two litellm versions published containing credential harvesting malware

After an API Token exposure from an exploited Trivy dependency, two new releases of litellm were uploaded to PyPI containing automatically activated malware, harvesting sensitive credentials and files, and exfiltrating to a remote API. The malicious code runs during importing any module from the...

DEBIAN-CVE-2026-4693

Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9...

Malicious Package

Overview chai-as-constrained is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

abadpour (>=6.13.1 <=7.24.1), abcli (>=9.273.1 <=9.572.1) +660 more potentially affected by CVE-2025-14287 via mlflow (>=3.0.0rc2 <=3.6.0rc0)

mlflow PYPI version =3.0.0rc2, =6.13.1, =9.273.1, =2.0.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.1.0, =1.0.0, =0.1.0, =0.20.9, =0.21.10 and more Source cves: CVE-2025-14287 Source advisory: SNYK:PYTHON-MLFLOW-15674468...

@142vip/egg (>=0.0.1-alpha.1 <=0.0.1-alpha.6), @142vip/egg-axios (>=0.0.1-alpha.1 <=0.0.1-alpha.2) +302 more potentially affected by CVE-2026-30951 via sequelize (>=6.0.0-beta.4 <=6.37.7)

sequelize NPM version =6.0.0-beta.4, =0.0.1-alpha.1, =0.0.1-alpha.1, =0.0.1-alpha.2, =0.0.1-alpha.2, =0.0.1-alpha.2, =1.2.3, =1.0.0, =15.0.0, =1.0.0, =0.18.0, =5.0.0-alpha.3, =13.5.0, =1.0.70, =1.0.155 and more Source cves: CVE-2026-30951 Source advisory: SNYK:JS-SEQUELIZE-15456219...

africa.absa:inception-application (>=1.0.0 <=1.2.0), app.fmgp:scala-did-docs_3 (>=0.1.0-M16 <=0.1.0-M33) +2471 more potentially affected by CVE-2024-3884 via io.undertow:undertow-core (>=2.0.0.Alpha1 <=2.2.38.Final)

io.undertow:undertow-core MAVEN version =2.0.0.Alpha1, =1.0.0, =0.1.0-M16, =1.0.0, =1.0.1, =1.0.2, =1.0.0, =1.2.1, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.1 and more Source cves: CVE-2024-3884 Source advisory: SNYK:JAVA-IOUNDERTOW-15053841...

MAL-2025-191567 Malicious code in chai-sync (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f58d95adcd5fd2dce29ac379c47d6b4ca7239ae5d1eb53d06617067cc7623938 The package chai-sync was found to contain malicious code...

EUVD-2025-149206

Malicious code in teagood-nalikoli50 npm...

ai.ancf.lmos-router:benchmarks (>=0.2.0 <=0.28.0), ai.ancf.lmos-router:lmos-router-hybrid (>=0.2.0 <=0.28.0) +21813 more potentially affected by CVE-2025-58057 via io.netty:netty-codec-http (>=4.0.0.Alpha1 <=4.1.124.Final)

io.netty:netty-codec-http MAVEN version =4.0.0.Alpha1, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.1.1, =0.1.1, =0.1.1, =0.0.4, =0.6.0 - ai.ancf.lmos:lmos-router-hybrid =0.1.0 - ai.ancf.lmos:lmos-router-hybrid-spring-boot-starter =0.1.0 - ai.ancf.lmos:lmos-router-llm =0.1.0 -...

Linux Distros Unpatched Vulnerability : CVE-2023-49092

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through...

MAL-2025-10244 Malicious code in @zalastax/nolb-_myb (npm)

The package @zalastax/nolb-myb was found to contain malicious code...

MAL-2025-11237 Malicious code in @zalastax/nolb-du (npm)

The package @zalastax/nolb-du was found to contain malicious code...

MAL-2025-26934 Malicious code in mw-eslint-rules (npm)

The package mw-eslint-rules was found to contain malicious code...

MAL-2025-26031 Malicious code in mayacui (npm)

The package mayacui was found to contain malicious code...

MAL-2025-22784 Malicious code in hugomatic (npm)

The package hugomatic was found to contain malicious code...

MAL-2025-18642 Malicious code in donotinstallthis (npm)

The package donotinstallthis was found to contain malicious code...

MAL-2025-10598 Malicious code in @zalastax/nolb-_ww (npm)

The package @zalastax/nolb-ww was found to contain malicious code...