
6 matches found

OSSF Malicious Packages
added 2026/06/09 3:10 p.m., 10 views

Malicious code in progerss-cli (npm)

progerss-cli is a typosquat of the popular cli-progress package that ships an obfuscated payload executed automatically on install. The package borrows trust from its victim: repository.url is set to https://github.com/npkgz/cli-progress — the legitimate cli-progress project's own repository — an...

AI score: 5.7
Exploits: 0, References: 2
OSSF Malicious Packages
added 2026/05/25 4:36 p.m., 15 views

Malicious code in aes-decode-runner-pro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a84e76208311859e852fea114c26e1eff1202eeff9a463707c5ae0deec68725c aes-decode-runner-pro ships an opaque 326-byte AES-GCM ciphertext DEFAULTFINALENCODEDTEXT in src/config/defaults.js along with a hardcoded passphrase...

AI score: 6.1
Exploits: 0, References: 11
RedhatCVE
added 2025/02/05 11:10 a.m., 8 views

CVE-2024-21574

The issue stems from a missing validation of the pip field in a POST request sent to the /customnode/install endpoint used to install custom nodes which is added to the server by the extension. This allows an attacker to craft a request that triggers a pip install on a user controlled package or...

CVSS: 10, AI score: 7.6, EPSS: 0.01107
Exploits: 0, References: 1
NVD
added 2024/12/12 9:15 a.m., 8 views

CVE-2024-21574

The issue stems from a missing validation of the pip field in a POST request sent to the /customnode/install endpoint used to install custom nodes which is added to the server by the extension. This allows an attacker to craft a request that triggers a pip install on a user controlled package or...

CVSS: 10, EPSS: 0.01107
Exploits: 0, References: 2
Vulnrichment
added 2024/12/12 8:15 a.m., 6 views

CVE-2024-21574

The issue stems from a missing validation of the pip field in a POST request sent to the /customnode/install endpoint used to install custom nodes which is added to the server by the extension. This allows an attacker to craft a request that triggers a pip install on a user controlled package or...

CVSS: 10, AI score: 7.7, EPSS: 0.01107
Exploits: 0, References: 2
CVE
added 2024/12/12 8:15 a.m., 785 views

CVE-2024-21574

The CVE-2024-21574 issue affects the ComfyUI-Manager extension for ComfyUI, caused by missing validation of the pip field in a POST to /customnode/install. This permits an attacker to trigger a pip install from a user-controlled package or URL, resulting in Remote Code Execution (RCE) on the serv...

CVSS: 10, AI score: 7.8, EPSS: 0.01107
Exploits: 0, References: 2