Malicious code in nodejs-grus-gacrux-auriga (npm)
Source: amazon-inspector 992d9509225ff4662c83cd02c736feeaf3c3c0e546718d9dc8aa3474d3e661c0 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-121975
Malicious code in sirius-fork-nodejs-bellatrix npm...
MAL-2025-149653 Malicious code in xenon-nodejs-tethys-husky (npm)
Source: amazon-inspector 3f998b73247e2553cb330b9d4d12e6bb5b72e648412770d6e7174d29c01c3dec This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-147504 Malicious code in rollup-nightmare-nodejs-terser-webpack-plugin (npm)
Source: amazon-inspector 013d8c46a1af7deb1ec86ef06930fca85b4c0bc9fa04823847913c05b0e6d62f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-75204
Malicious code in worriedcod-gooddev npm...
EUVD-2025-62316
Malicious code in regionalfireflyz3n npm...
Malicious code in bcryptjs-node-js (npm)
Source: amazon-inspector 60f621b58cc468b09e5963a64bef46446818cfa742ca51366a9e256bdb6299b8 The package bcryptjs-node-js was found to contain malicious code. Source: ghsa-malware 3b410282355b8584d4b9c012154aed901dfd650f212d1a2a942d901ae693f3...
EUVD-2025-37867
Malicious code in bcryptjs-node-js npm...
MAL-2025-49358 Malicious code in bcryptjs-node-js (npm)
Source: amazon-inspector 60f621b58cc468b09e5963a64bef46446818cfa742ca51366a9e256bdb6299b8 The package bcryptjs-node-js was found to contain malicious code. Source: ghsa-malware 3b410282355b8584d4b9c012154aed901dfd650f212d1a2a942d901ae693f3...
Malicious Package
Overview node-js-playwright-browserstack is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and th...
Microsoft Playwright Node.js Package < 1.55.1 Spoofing (CVE-2025-59288)
The version of the Microsoft Playwright Node.js Package installed on the remote host is prior to 1.55.1. It is, therefore, affected by a spoofing vulnerability: - Improper verification of cryptographic signature in GitHub allows an unauthorized attacker to perform spoofing over an adjacent networ...
EUVD-2025-20869
Malicious code in bioql PyPI...
@plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user
Impact: When visiting a specific URL, an anonymous user could cause the Node.js server part of Volto to exit with an error. Patches: The problem has been patched and the patch has been backported to Volto major versions back to 16. It is advised to upgrade to the latest patch release of your...
Security Bulletin: IBM App Connect Enterprise is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') due to Node.js (CVE-2025-27210)
Summary: IBM App Connect Enterprise is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') due to Node.js. Vulnerability Details: CVE ID: CVE-2025-27210. Description: An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting...
PT-2025-39317
Name of the Vulnerable Software and Affected Versions messageformat versions prior to 3.0.1 Description The Runtime components of the messageformat package for Node.js are susceptible to a prototype pollution issue. Insufficient validation of nested message keys during message data processing...
CVE-2025-57353
The Runtime components of messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing...
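The entries above describe the general shape of a prototype pollution bug: a routine that sets values by walking a nested key path, without checking whether a segment addresses the prototype chain, lets an attacker-controlled key like `__proto__.x` write onto `Object.prototype`. The following is an added illustration written for this page, not messageformat's own code; it makes no claim about how messageformat's runtime processes message data. It shows a generic unsafe deep-set next to a hardened one, with a constructed hostile key.

```javascript
// Added example (not messageformat's implementation): generic nested-key
// assignment that is vulnerable to prototype pollution, and a hardened form.

// Vulnerable: creates/walks intermediate objects without rejecting
// prototype-chain segments. "__proto__" resolves to Object.prototype.
function deepSetUnsafe(target, keyPath, value) {
  const parts = keyPath.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: reject prototype-chain segments up front and only walk into
// own properties, so inherited objects are never used as containers.
function deepSetSafe(target, keyPath, value) {
  const parts = keyPath.split('.');
  for (const p of parts) {
    if (FORBIDDEN_SEGMENTS.has(p)) {
      throw new Error(`refusing to set through prototype-chain key "${p}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, parts[i]);
    if (!own || typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Runs both variants against a constructed attacker-controlled key and
// reports what happened. Cleans up the pollution it deliberately causes.
function demonstratePollution() {
  const hostileKey = '__proto__.isAdmin'; // constructed hostile input
  const results = {};

  deepSetUnsafe({}, hostileKey, true);
  results.unsafePolluted = ({}).isAdmin === true; // unrelated objects now "isAdmin"
  delete Object.prototype.isAdmin;                // undo the pollution

  let safeThrew = false;
  try { deepSetSafe({}, hostileKey, true); } catch (e) { safeThrew = true; }
  results.safeThrew = safeThrew;
  results.safePolluted = ({}).isAdmin === true;

  // Legitimate nested keys still work with the hardened version.
  results.legit = deepSetSafe({}, 'greeting.formal', 'Hello').greeting.formal;
  return results;
}

module.exports = { deepSetUnsafe, deepSetSafe, demonstratePollution };
```

The `hasOwnProperty` check matters as much as the denylist: even with `__proto__` filtered, walking into an inherited property would let a later write land on a shared object. Using `Object.create(null)` for the target removes the prototype altogether and is the simplest fix where the data shape allows it.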
Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service [CVE-2025-5889]
Summary Node.js module brace-expansion is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerability in Node.js module...
CVE-2025-59364
The CVE concerns the express-xss-sanitizer package for Node.js, where the sanitize function in lib/sanitize.js can recurse without depth limit when handling JSON request bodies, potentially enabling denial of service through stack exhaustion. Affected versions include up to 2.0.0; advisories indi...
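The failure mode described above, a sanitizer that recurses as deep as the attacker nests the JSON body, is easy to reproduce in isolation. The following is an added example written for this page, not express-xss-sanitizer's `lib/sanitize.js`: an unbounded recursive walker next to one that rejects bodies nested past an assumed limit (`MAX_DEPTH = 64`, chosen for illustration) with a controlled 400-style error instead of a `RangeError` from stack exhaustion.

```javascript
// Added example (not express-xss-sanitizer's code): unbounded vs. depth-bounded
// recursive sanitization of a JSON request body.

const MAX_DEPTH = 64; // assumed limit for this example; size it to your real payloads

function stripTags(s) {
  return s.replace(/<[^>]*>/g, '');
}

// Vulnerable: recursion depth equals the nesting depth of attacker input.
function sanitizeUnbounded(value) {
  if (typeof value === 'string') return stripTags(value);
  if (Array.isArray(value)) return value.map(sanitizeUnbounded);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const k of Object.keys(value)) out[k] = sanitizeUnbounded(value[k]);
    return out;
  }
  return value;
}

// Hardened: fail fast with a client error once nesting exceeds MAX_DEPTH.
function sanitizeBounded(value, depth = 0) {
  if (depth > MAX_DEPTH) {
    const err = new Error(`request body nested deeper than ${MAX_DEPTH} levels`);
    err.status = 400;
    throw err;
  }
  if (typeof value === 'string') return stripTags(value);
  if (Array.isArray(value)) return value.map((v) => sanitizeBounded(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const k of Object.keys(value)) out[k] = sanitizeBounded(value[k], depth + 1);
    return out;
  }
  return value;
}

// Constructed payload: {"a":{"a":{"a": ... "<script>x</script>" }}} nested `depth` deep,
// the shape an attacker would send as a JSON body.
function buildNested(depth) {
  let v = '<script>x</script>';
  for (let i = 0; i < depth; i++) v = { a: v };
  return v;
}

function demonstrateRecursion() {
  const hostile = buildNested(200000);

  let unbounded;
  try { sanitizeUnbounded(hostile); unbounded = 'completed'; }
  catch (e) { unbounded = e instanceof RangeError ? 'stack-exhausted' : 'other'; }

  let bounded;
  try { sanitizeBounded(hostile); bounded = 'completed'; }
  catch (e) { bounded = e.status === 400 ? 'rejected-400' : 'other'; }

  // Ordinary bodies still get sanitized by the hardened version.
  const benign = sanitizeBounded({ name: '<b>alice</b>', tags: ['<i>x</i>', 'y'] });
  return { unbounded, bounded, benign };
}

module.exports = { sanitizeUnbounded, sanitizeBounded, buildNested, demonstrateRecursion };
```

In an Express middleware the depth check should run before any other per-field work, and the same limit belongs on the body parser itself, since `JSON.parse` will happily build a structure deeper than any recursive consumer can walk.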
CVE-2025-59046
The npm package interactive-git-checkout is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via npm install -g interactive-git-checkout. Versions up to and...
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. The permission model did not apply the read restriction to the fs.lstat API, so a caller could retrieve stat information for files it had not been granted read access to. This vulnerability affects all users of the experimental permission model in Node.js 20 and Node.js 21. Note that at the time this CVE was issued, the permission model was an experimental feature of Node.js.
...