9 matches found
CVE-2026-42575
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and...
Malicious code in hapi-prosthetics-thermochronology-galaxy (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3945b57156407a7defb56a483e3d506c0a307663ac840d78caefe669db00c55b This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in aquarius-slidev-equinox-procyon (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aa0b4b93c5880a11a602e472cc9f2c1f1a2fb41779b5d28d02295ae6d2c12554 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in sedna-cypress-dagda-slidev (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3a9480eb72fd64424dc78d7a68c04b3407ef3bb591d0550aee3bb1b56a326f38 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in rational_canid_z3n (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cdc439f80cf95fb2bf2c952177671ec831268aec7ee803dba3f35a55f3f9dfc5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2019-3153
Malware in sbrugna...
EUVD-2022-33583
Malicious code in bioql PyPI...
picklescan 安全漏洞
picklescan is a security scanning program by the individual developer Matthieu Maitre. A security vulnerability exists in versions of picklescan prior to 0.0.21, which stems from not treating pip as an insecure global variable, which could lead to a malicious model introducing a malicious PyPI...
GHSA-9F3P-WVJ7-Q82X Cargo prior to Rust 1.26.0 may download the wrong dependency
Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the package configuration key. Usage of the package key to rename dependencies in Cargo.toml is ignored in Rust 1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo may download the wrong dependency,...