320 matches found
PT-2026-28319
Name of the Vulnerable Software and Affected Versions: Node.js versions 20.x through 25.x. Description: A flaw exists in the Node.js Permission Model's filesystem enforcement, specifically leaving the fs.realpathSync.native function without the necessary read permission checks. Comparable filesystem...
Unity Linux 20.1070e Security Update: nodejs (UTSA-2025-993344)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-993344 advisory. A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by...
Security Bulletin: Multiple open source vulnerabilities affect IBM Db2 Big SQL on Cloud Pak for Data
Summary: Multiple open source vulnerabilities affect IBM Db2 Big SQL 7 on Cloud Pak for Data 5. Vulnerability Details: CVEID: CVE-2024-37891. DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by the failure to strip the Proxy-Authorization header...
Security Bulletin: Vulnerabilities in Eran Hammer cryptiles, PostCSS, Node.js, node-notifier, es5-ext, MySQL Connectors, json-path and tough-cookie might affect IBM Storage Defender Copy Data Management
Summary: IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Eran Hammer cryptiles, PostCSS, Node.js, node-notifier, es5-ext, MySQL Connectors, json-path and tough-cookie. Vulnerabilities include an attacker being able to brute force something that was supposed to be random, ...
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`
Impact: In version 10.11.0, a change to how the SDK collects request data in Node.js applications caused certain incoming HTTP headers to be added as trace span attributes. When `sendDefaultPii: true` was set, a few headers that were previously redacted - including Authorization and Cookie - were...
EUVD-2025-180214
AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance...
EUVD-2025-179630
Malicious code in commitlint-config-angular-nodejs-carpo-vortex npm...
EUVD-2025-122700
Malicious code in release-it-eslint-nodejs-titan npm...
MAL-2025-149653 Malicious code in xenon-nodejs-tethys-husky (npm)
Source: amazon-inspector 3f998b73247e2553cb330b9d4d12e6bb5b72e648412770d6e7174d29c01c3dec This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-112992
Malicious code in gulp-nodejs-bellatrix-process npm...
MAL-2025-147504 Malicious code in rollup-nightmare-nodejs-terser-webpack-plugin (npm)
Source: amazon-inspector 013d8c46a1af7deb1ec86ef06930fca85b4c0bc9fa04823847913c05b0e6d62f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-121975
Malicious code in sirius-fork-nodejs-bellatrix npm...
EUVD-2025-120870
Malicious code in ursa-juno-nodejs-exec npm...
Malicious code in nodejs-grus-gacrux-auriga (npm)
Source: amazon-inspector 992d9509225ff4662c83cd02c736feeaf3c3c0e546718d9dc8aa3474d3e661c0 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-75204
Malicious code in worriedcod-gooddev npm...
EUVD-2025-62316
Malicious code in regionalfireflyz3n npm...
EUVD-2025-37867
Malicious code in bcryptjs-node-js npm...
Malicious code in bcryptjs-node-js (npm)
Source: amazon-inspector 60f621b58cc468b09e5963a64bef46446818cfa742ca51366a9e256bdb6299b8 The package bcryptjs-node-js was found to contain malicious code. Source: ghsa-malware 3b410282355b8584d4b9c012154aed901dfd650f212d1a2a942d901ae693f3...
MAL-2025-49358 Malicious code in bcryptjs-node-js (npm)
Source: amazon-inspector 60f621b58cc468b09e5963a64bef46446818cfa742ca51366a9e256bdb6299b8 The package bcryptjs-node-js was found to contain malicious code. Source: ghsa-malware 3b410282355b8584d4b9c012154aed901dfd650f212d1a2a942d901ae693f3...
Malicious Package
Overview: node-js-playwright-browserstack is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and th...