136 matches found
MAL-2026-5909 Malicious code in react-hook-use-debounce-throttle-12 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b0a4d8a0470a3e7fcb2da7cdb29ba6412125924a486aa6f4a437ccfbeb5ca4af package.json declares a postinstall hook that runs node -e to issue an HTTPS request to the bare IP 8.140.205.78 on port 80 with all errors silently...
Malicious code in react-hook-use-debounce-throttle-12 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b0a4d8a0470a3e7fcb2da7cdb29ba6412125924a486aa6f4a437ccfbeb5ca4af package.json declares a postinstall hook that runs node -e to issue an HTTPS request to the bare IP 8.140.205.78 on port 80 with all errors silently...
Malicious code in @achuthvp/postinstall-poc (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c3dc0d7b5fc216ae117dda9c492a6bbdff46e49ab53f069c2d525dab001bcdb9 package.json declares scripts.postinstall = node postinstall.js. On every npm install, postinstall.js runs execSync'id' and POSTs a JSON body...
PT-2026-48379
Name of the Vulnerable Software and Affected Versions yt-dlp versions prior to 2026.06.09 Description A flaw allows a remote attacker to write arbitrary OS-shortcut files, such as .desktop, .url, and .webloc, to the user's filesystem. This occurs because the file extension allowlist used to preve...
PT-2026-48378
Name of the Vulnerable Software and Affected Versions yt-dlp versions 2023.09.24 through 2026.06.08 Description When curl is used as an external downloader, cookies may be leaked to an unintended host during an HTTP redirect or when the host for download fragments differs from the parent manifest...
Malicious code in mcp-server-git (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4cf54d60f4aeb261f3b4c523293183b728b02bc20255aeab62d7f86c94adc7ed package.json declares postinstall: node index.js. On every npm install, index.js lines 14-29 reads os.hostname, process.cwd, os.platform, the npm...
MAL-2026-5478 Malicious code in mcp-server-git (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4cf54d60f4aeb261f3b4c523293183b728b02bc20255aeab62d7f86c94adc7ed package.json declares postinstall: node index.js. On every npm install, index.js lines 14-29 reads os.hostname, process.cwd, os.platform, the npm...
Malicious code in mcp-server-redis (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c94a122c1dd231888bc72b52cbef5dbdd793d2680f7e7e36385bd06e07dc20fd Package claims the unscoped name mcp-server-redis to intercept npx mcp-server-redis invocations intended for the legitimate MCP Redis server ecosyste...
Malicious code in t-invest-mcp-server (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46c186ac158f68845fc995a94d15d44c2b65a521d2619d2850232e58f4a61419 Package is a dependency-confusion squat: package.json sets version 9999.99.99 the canonical max-version trick used to win resolution against any...
MAL-2026-5403 Malicious code in t-invest-mcp-server (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46c186ac158f68845fc995a94d15d44c2b65a521d2619d2850232e58f4a61419 Package is a dependency-confusion squat: package.json sets version 9999.99.99 the canonical max-version trick used to win resolution against any...
CVE-2026-10796
nvm Node Version Manager through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as nvm install read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs...
HAXCMS 安全漏洞
HAXCMS is an open-source content management system developed by HAX The Web. Versions of HAX CMS prior to Node.js 26.0.0 contained security vulnerabilities. These vulnerabilities stemmed from two encryption implementation errors in the hmacBase64 function. This could allow unauthenticated attacke...
CVE-2026-10796
nvm Node Version Manager through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as nvm install read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs...
CVE-2026-10796
Vulnerability summary (CVE-2026-10796) : nvm (Node Version Manager)
CVE-2026-10796 nvm executes commands from a malicious Node.js mirror's version strings
nvm Node Version Manager through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as nvm install read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs...
CVE-2026-10796 nvm executes commands from a malicious Node.js mirror's version strings
nvm Node Version Manager through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as nvm install read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs...
EUVD-2026-34303
nvm Node Version Manager through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as nvm install read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs...
CVE-2026-10796
nvm Node Version Manager through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as nvm install read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs...
Node Version Manager 安全漏洞
Node Version Manager is an open-source node version manager developed by nvm.sh. Versions of Node Version Manager prior to 0.40.4 contain security vulnerabilities. These vulnerabilities stem from the ability to execute arbitrary commands from the configured image version string. The functions...
PT-2026-46295
Name of the Vulnerable Software and Affected Versions nvm versions prior to 0.40.5 Description Command injection occurs when the software executes arbitrary commands from version strings provided by a configured Node.js/io.js mirror. When commands like nvm install read available versions from the...