Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks

A flaw was found in Node.js. The Node.js Permission Model, designed to restrict network access, incorrectly omits permission checks for Unix Domain Socket UDS server operations. This allows local code, even when explicitly denied network access, to create and expose inter-process communication IP...

nodejs: Nodejs denial of service

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths tlsClientError and error, causing either immediate...

ytDownloader 代码注入漏洞

ytDownloader is a multi-platform audio and video download tool developed by Andrew. Versions of ytDownloader 3.20.2 and earlier had a code injection vulnerability, which stemmed from a cross-site scripting attack involving the function createTextNode in the Error Details Panel component...

PT-2026-32329

Stored Cross-Site Scripting XSS via Unsanitized Topology Metadata in Apache Storm UI Versions Affected: before 2.8.6 Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in...

Amazon Linux 2023 : nodejs24, nodejs24-devel, nodejs24-full-i18n (ALAS2023-2026-1578)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1578 advisory. A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses req.headersDistinct. When this occurs,...

Oracle Linux 8 : nodejs:24 (ELSA-2026-7670)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-7670 advisory. nodejs 1:24.14.1-2 - Update bundled nghttp2 to 1.68.1 Related: RHEL-151374 1:24.14.1-1 - Update to 24.14.0 Resolves: RHEL-151374 nodejs-nodemon 3.0.3-1...

Important: nodejs:24 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: Nodejs denial of service CVE-2026-21637 minimatch: minimatch: Denial of Service via specially crafted glob patterns CVE-2026-26996 undici:...

Malicious code in bitu-staking (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector adb12160da2b84d2f9c21c6d5f3a2d803e574fcf593e9d84da3b5e8cbbdef96e The package bitu-staking was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in pt-sc-logger (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 925a5c001d049ecefbe72bc5ba4090904c882bf13b6f97493387fe3ed04a661f The package pt-sc-logger was found to contain malicious code. Source: ghsa-malware deaf63bd8a081fcc49f46fdb9b4300abef500b33eba7034bbd8de142a60db3cd A...

MAL-2026-2613 Malicious code in upstart-offer-container (npm)

Package collects sensitive data SSH keys, AWS creds, env vars, exfiltrates it to a remote server, and executes shell commands. MALWARE! --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 148e48dd7b06a250063027a17895962000ca784a3fe52b704bea049afc85763a The package...

MAL-2026-2620 Malicious code in upstartportal (npm)

Collects system info, reads sensitive files, and exfiltrates data to a suspicious host. Multiple YARA matches confirm malicious intent. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 932dee0dcf84fc1044efb1ec35950d6102fcbb5122f26cca5e2b1f13eb599729 The package...

Malicious code in upstartportal (npm)

Collects system info, reads sensitive files, and exfiltrates data to a suspicious host. Multiple YARA matches confirm malicious intent. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 932dee0dcf84fc1044efb1ec35950d6102fcbb5122f26cca5e2b1f13eb599729 The package...

Malicious code in upstartadmindashboard- (npm)

The package is a malware. It exfiltrates system info to a hardcoded domain, collects sensitive data, and executes suspicious commands. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e0760e39fa3fc4d272de9fb78decddc3a25ae673efe12e9bff4e8d9f28ee5c55 The package...

MAL-2026-2619 Malicious code in upstartloans (npm)

Collects and exfiltrates sensitive data credentials, keys, history to p1s.uk with disabled SSL validation. Suspicious postinstall script. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4a1d5c610e0cc5ec6be53b8d0d986d5ddef30937d04c977998db4c2d4b0be908 The package...

Malicious code in upstartloans (npm)

Collects and exfiltrates sensitive data credentials, keys, history to p1s.uk with disabled SSL validation. Suspicious postinstall script. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4a1d5c610e0cc5ec6be53b8d0d986d5ddef30937d04c977998db4c2d4b0be908 The package...

MAL-2026-2611 Malicious code in upstart-lending-status (npm)

Package is malware. It steals credentials, collects system info, and exfiltrates data to a remote server via postinstall script. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 627a2802a53ad7eb751fcac4b0a43245c6b0bf9e667db77051758b24d8bc4d96 The package...

Malicious code in upstartapplicationstatus (npm)

Package is malware. Collects and exfiltrates sensitive info SSH keys, credentials, env vars via insecure HTTPS/HTTP after install. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e154270d6b3540f095f5fc77ab1167448e967009cbb719f6fc087c32fadce15f The package...

MAL-2026-2616 Malicious code in upstartapplicationstatus (npm)

Package is malware. Collects and exfiltrates sensitive info SSH keys, credentials, env vars via insecure HTTPS/HTTP after install. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e154270d6b3540f095f5fc77ab1167448e967009cbb719f6fc087c32fadce15f The package...

MAL-2026-2614 Malicious code in upstart.previewcss (npm)

Package is malware. It collects and exfiltrates sensitive data SSH keys, credentials, environment variables and system info to a remote server. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bd2d5c329f24c54ca68ce21884867d6b4db6ae64d0e2041af60deb2203cc8830 The...

MAL-2026-2654 Malicious code in pinstatsd (npm)

Package is malware due to data exfiltration to multiple domains via DNS and HTTPS, along with a suspicious preinstall script. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1b13ae52dde0a4efddd6d12bc4795b77da5433cb750b4ddb852f1aca27ea457e The package pinstatsd w...