Malicious code in @antv/path-util (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack

Checkmarx has confirmed that a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace. "If you are using Checkmarx Jenkins AST plugin, you need to ensure that you are using the version 2.0.13-829.vc72453fa1c16 that was published on December 17, 2025 or previously," th...

OESA-2026-1698 golang security update

The Go Programming Language. Security Fixes: The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large...

CLSA-2026-1772124479 golang: Fix of 7 CVEs

Update to Go 1.25.7 - CVE-2025-61726: fixed DoS due to memory exhaustion flaw in net/url parameter parsing - CVE-2025-61732: fixed RCE via code smuggling flaw in cgo comment parsing - CVE-2025-68121: fixed security bypass in TLS where session resumption could ignore revoked or expired client...

CVE-2025-68119

A flaw was found in Golang's cmd/go module. This vulnerability allows a local attacker to achieve local code execution by downloading and building modules with specially crafted malicious version strings. On systems with Mercurial hg installed, this can occur when downloading modules from...

Google Go Code Execution Vulnerability (CNVD-2026-10650)

Google Go is a static strongly typed, compiled, concatenated, and garbage-collected programming language from Google. A code execution vulnerability exists in Google Go due to an insecure construction of external VCS commands when handling untrusted module sources or malicious version strings in...

CVE-2025-68119

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...

AZL-78939 CVE-2025-68119 affecting package golang 1.25.7-1

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...

AZL-75639 CVE-2025-68119 affecting package msft-golang for versions less than 1.24.12-1

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...

AZL-75728 CVE-2025-68119 affecting package golang for versions less than 1.25.6-1

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...

UBUNTU-CVE-2025-68119

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...

CVE-2025-68119 Unexpected code execution when invoking toolchain in cmd/go

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...

EUVD-2025-206446

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...

CVE-2025-68119

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...

CVE-2025-68119

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...

CVE-2025-68119

CVE-2025-68119 describes local code execution and arbitrary-file writes when downloading/building modules with malicious version strings in environments where external VCS tools are present. Specifically: on systems with Mercurial (hg), downloading modules from non-standard sources (e.g., custom ...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection. Go Vulnerability Report: Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g...

GO-2026-4338 Unexpected code execution when invoking toolchain in cmd/go

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...

node-error-ex 安全漏洞

node-error-ex is a library by Josh Junon Personal Developer. A security vulnerability exists in node-error-ex version 1.3.3, which stems from a phishing attack resulting in an account takeover, and a malicious version that contains a specially crafted payload that could redirect cryptocurrency...

Malicious code in azps (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a6c955269826233e665b0f2e27c31b025ab3e5ab1ff1a46049d06df4c02d5a48 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...