12 matches found
GHSA-GV7W-RQVM-QJHR Withdrawn Advisory: esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY
Withdrawn Advisory: This advisory has been withdrawn because the affected package was incorrectly identified and the actual affected package is not in a supported ecosystem. This link is maintained to preserve external references. Original Description: Summary: The esbuild Deno module lib/deno/mod.t...
Malicious code in janus-erc20 (npm)
Source: amazon-inspector 728f3d5af5a999be016a49283fff2c5cedc0c5df445d2f078f1f9817dde22334. On npm install, postinstall.js harvests installer secrets and POSTs them to 193.203.169.109:8443/c/janus-erc20 over HTTPS with TLS verification...
CVE-2026-35641
OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hook installation that allows attackers to execute malicious code by crafting a .npmrc file with a git executable override. During npm install execution in the staged package directory, attackers can...
Malicious Package
Overview: transform-json-strings is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior: T...
Malicious Package
Overview: transform-proto-to-assign is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavio...
Malicious Package
Overview: transform-es2015-spread is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior...
Malicious Package
Overview: jam3 is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior: The package uses...
Malicious Package
Overview: reuse-plugin is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior: The package...
GHSA-J425-WHC4-4JGC OpenClaw's `system.run` env override filtering allowed dangerous helper-command pivots
Summary: system.run env override sanitization allowed dangerous override-only helper-command pivots to reach subprocesses. A caller who could invoke system.run with env overrides could bypass allowlist/approval intent by steering an allowlisted tool through helper-command or config-loading...
Command Injection
Overview: @pnpm/npm-conf is a package described as "Get the npm config". Affected versions of this package are vulnerable to Command Injection via environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker can execute arbitrary code by controlling environment variables during...
pnpm code injection vulnerability
pnpm is an open-source package manager. A code injection vulnerability exists in pnpm versions 6.25.0 through 10.26.2, which stems from command injection when using environment variable substitution in the .npmrc configuration file, and could lead to remote code execution...
CVE-2023-40340
Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs...