Lucene search
K

64 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 4 days ago6 views

Malicious code in theta-sdk-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6967c021e95228b33b18be4489fea5d404720cbd21beb53dac8bf7ea4f4d54d1 [email protected] ships src/decrypt.js and src/providers/BaseProvider.js which together implement a hidden execution channel. On module load,...

6.2AI score
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 4 days ago7 views

Malicious code in eth-react-redirection (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cbd414dae34760c2eda09d2093a62a14d694f759350676e88229319a16594e78 On require, index.js calls callCallerAsOrigin which spawns lib/caller.js as a detached, stdio-ignored child process spawnprocess.execPath, script,...

6.2AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 5 days ago7 views

Malicious code in chai-defender (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 14f276305fd5e43b60bbfd1048d8792ef7f72734c28cfe533d368c0fc199a0fe On require'chai-defender', index.js invokes launchDeflectBootstrap which spawns a detached background node process running lib/caller.js. That proces...

6.5AI score
Exploits0References7
NVD
NVD
added 6 days ago10 views

CVE-2026-59892

OpenTelemetry JavaScript is the OpenTelemetry JavaScript client. Prior to 2.9.0, @opentelemetry/propagator-jaeger decodes incoming uber-trace-id and uberctx- HTTP header values with decodeURIComponent without handling decode errors, allowing an unauthenticated remote attacker to send a malformed...

7.5CVSS0.00436EPSS
Exploits0References3
OSV
OSV
added 2026/07/03 5:23 p.m.4 views

CVE-2026-14631 webpack-dev-server vulnerable to denial of service via a malformed Host or Origin header

webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade to the default /ws endpoint with a malformed Origin header. The malformed value causes an uncaught...

5.3CVSS6.1AI score0.00308EPSS
Exploits0References4
OSV
OSV
added 2026/07/01 8:48 p.m.4 views

MAL-2026-6715 Malicious code in svgcraft-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3863ea8f67c7365031b5ffb43aaa2721062669b49be8157e1dd32ce19dce511f src/index.cjs exports getPlugin, which returns a function that performs an HTTPS GET to a hardcoded URL 'https://api.avax-test.dev/ext/bc/C/rpc' with...

6.4AI score
Exploits0References6
OSV
OSV
added 2026/06/22 10:57 p.m.5 views

GHSA-9M6G-WC8R-Q59C scimPatch vulnerable to prototype pollution via unfiltered keys in patch

Summary scim-patch performs prototype pollution when applying a SCIM PATCH operation whose value object contains a key like "proto.someProp". After one such patch, Object.prototype.someProp is set process-wide, affecting every plain object in the Node process. Any service that calls scimPatch on...

9.1CVSS5.8AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/18 10:29 p.m.12 views

Malicious code in db-connector-log (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f0b028ed25796b267dc7df004e294b917a05c2e5fdd76e2540530b8c179843c6 [email protected] impersonates the legitimate dx-db-connector package divbloxjs; package.json's repository/homepage point at the divbloxjs proje...

6.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.16 views

PT-2026-50155

Name of the Vulnerable Software and Affected Versions Deno versions prior to 2.8.1 Description Environment access is managed by the env permission, which can be restricted via --deny-env or an allowlist using --allow-env=FOO,BAR. The process.loadEnvFile function, a Node-compatible API for loading...

5.2CVSS5.8AI score0.00098EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/12 8:59 p.m.35 views

CVE-2026-53609 Apostrophe has Server-Side Prototype Pollution in apos.util.set via patch operators that leads to process-wide authorization bypass

ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, apos.util.set traverses dot-notation paths without sanitizing proto, allowing an authenticated editor to write arbitrary values to Object.prototype via the $pullAll patch operator. A confirm...

9.1CVSS0.00237EPSS
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/12 7:7 p.m.21 views

Malicious code in theta-connector (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9ac14206b12d7cb0c180c49e65d91b99aa2f013c33147d7f1eff396da2c48a2 The package advertises itself as a MySQL connector but index.js around line 236 contains a method queryDBConnect on the exported...

6AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.22 views

PT-2026-49006

Name of the Vulnerable Software and Affected Versions ApostropheCMS versions prior to 4.30.1 Description A prototype pollution issue exists in the apos.util.set function, which traverses dot-notation paths without sanitizing the proto property. This allows an authenticated editor to write arbitra...

9.1CVSS5.4AI score0.00237EPSS
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/28 12:0 a.m.16 views

Malicious code in @cloudplatform-single-spa/profile (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

5.8AI score
Exploits0References1
OSV
OSV
added 2026/05/28 12:0 a.m.10 views

MAL-2026-4963 Malicious code in @cloudplatform-single-spa/redirect (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

5.8AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/28 12:0 a.m.73 views

Malicious code in @cloudplatform-single-spa/monaas-ui (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

5.8AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/28 12:0 a.m.15 views

Malicious code in @fb-deposit/form-deposit-auth (npm)

Part of a dependency confusion attack campaign targeting the @car-loans, @fb-deposit, and @debit-ib npm scopes. The attacker npm user pik-libs published 25 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version resolution,...

5.8AI score
Exploits0References1
OSV
OSV
added 2026/05/28 12:0 a.m.11 views

MAL-2026-5022 Malicious code in @mlspace/inference-deploy (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

5.8AI score
Exploits0References1
OSV
OSV
added 2026/05/28 12:0 a.m.9 views

MAL-2026-4941 Malicious code in @cloudplatform-single-spa/ml-finetuning (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

5.8AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/19 7:5 p.m.12 views

Malicious code in clsx-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 23e4e85f63d161234d84c774fdff696827934a27282be2ce9ff362a756246ee6 On npm install, dist/postinstall.js base64-decodes the URL https://api.npoint.io/984b75c022a70cf00c39, fetches JSON from this anonymous mutable...

6.2AI score
Exploits0References4
OSV
OSV
added 2026/05/19 7:5 p.m.13 views

MAL-2026-4531 Malicious code in clsx-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 23e4e85f63d161234d84c774fdff696827934a27282be2ce9ff362a756246ee6 On npm install, dist/postinstall.js base64-decodes the URL https://api.npoint.io/984b75c022a70cf00c39, fetches JSON from this anonymous mutable...

6.2AI score
Exploits0References4
Rows per page
Query Builder