99 matches found
Malicious code in kuaishou (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd1d5daf09cc7bfff164e60bf5abd0a1b374b5bb616f0a78cac8f6c6ea613608 The package's prepare lifecycle script, which runs automatically on npm install, collects host, user, and platform identifiers along with the full...
Malicious code in nonenull1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 162cd9e0496d35e0500fe084f6011a3e6893182b0fa209502c5d6017ab1138ac The package declares gypfile: true with no native C/C++ sources, and its binding.gyp abuses GYP command-expansion syntax in the sources list — !node...
MAL-2026-7024 Malicious code in none123s (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c28e7ef260830adb9561488c487960b12e00bd6939daf8ed8e3a239ec9530699 package.json declares a prepare lifecycle script node index.js || true that auto-executes on npm install. index.js reads canonical installer-secret...
Malicious code in hey-base32 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f5bbdc771de9f99f6454831cc2cd8c22f0af88dfeb3ec66a6c4d3b174c860517 The package advertises itself as a zero-dependency base32 encoder/decoder, but its CLI entry point bin/hey-base32.js starts a remote-access tunnel on...
MAL-2026-5398 Malicious code in hey-base32 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f5bbdc771de9f99f6454831cc2cd8c22f0af88dfeb3ec66a6c4d3b174c860517 The package advertises itself as a zero-dependency base32 encoder/decoder, but its CLI entry point bin/hey-base32.js starts a remote-access tunnel on...
CVE-2025-57282
ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...
GHSA-QR28-P3WR-MXQ3 ngrok is Vulnerable to Command Injection
ngrok v4.3.3 and 5.0.0-beta.2 are vulnerable to Command Injection...
@addtodoist/twitter-autohook (=2.2.0), @alessiodf/core-chameleon (=0.0.1) +156 more potentially affected by CVE-2025-57282 via ngrok (=4.3.3)
ngrok NPM version =4.3.3 is affected by a known vulnerability. The following packages have a transitive dependency on ngrok and may be impacted: - @addtodoist/twitter-autohook =2.2.0 - @alessiodf/core-chameleon =0.0.1 - @archer-edu/qa-test-cli =0.1.0, =0.1.1, =3.8.2, =3.0.0, =3.0.0-alpha.9, =1.0....
5htp-airtable (>=0.0.1 <=0.1.2-3), @a-cube-io/ereceipts-js-sdk (=1.1.0) +147 more potentially affected by CVE-2025-57282 via ngrok (=5.0.0-beta.2)
ngrok NPM version =5.0.0-beta.2 is affected by a known vulnerability. The following packages have a transitive dependency on ngrok and may be impacted: - 5htp-airtable =0.0.1, =1.0.0, =5.0.0, =1.0.0, =3.1.6, =1.4.4, =1.0.0, =1.3.2, =1.0.31, =1.0.0, =1.0.26, =1.0.2, =1.1.0 and more Source cves:...
ngrok is Vulnerable to Command Injection
ngrok v4.3.3 and 5.0.0-beta.2 are vulnerable to Command Injection...
CVE-2025-57282
ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...
PT-2026-41678
ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...
CVE-2025-57282
CVE-2025-57282 affects ngrok v4.3.3 and 5.0.0-beta.2 and is described as vulnerable to Command Injection. The connected documents confirm the affected software and the vulnerability class but do not provide exploitation details, root cause specifics, or remediation steps beyond what is stated. No...
EUVD-2025-209888
ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...
ngrok 命令注入漏洞
Ngrok is a security internal network penetration and application access platform developed by the US company Ngrok. Versions 4.3.3 and 5.0.0-beta.2 of Ngrok contain command injection vulnerabilities, which are vulnerable to command injection attacks...
CVE-2025-57282
ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...
CVE-2025-57282
ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...
CVE-2025-57282
ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...
GHSA-52CQ-7V8R-62C6 gmaps-mcp's unauthenticated HTTP transport allows unlimited Google Maps API calls at operator expense
Unauthenticated HTTP Transport Allows Unlimited Google Maps API Calls at Operator Expense The gmaps-mcp codebase was reviewed at commit e671db68c804c9e67d51582d3280839ffa65f127 and three issues worth flagging were discovered — one high-severity, one medium, one structural. There were no...
gmaps-mcp's unauthenticated HTTP transport allows unlimited Google Maps API calls at operator expense
Unauthenticated HTTP Transport Allows Unlimited Google Maps API Calls at Operator Expense The gmaps-mcp codebase was reviewed at commit e671db68c804c9e67d51582d3280839ffa65f127 and three issues worth flagging were discovered — one high-severity, one medium, one structural. There were no...