150 matches found
Embedded Malicious Code
Overview: Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
@budibase/server (>=3.32.1 <=3.38.1), @builders-of-stuff/svelte-sui-wallet-adapter (>=0.6.6 <=2.1.0) +65 more potentially affected by CVE-2026-42573 via svelte (>=5.0.0-next.1 <=5.55.5)
svelte NPM version =5.0.0-next.1, =3.32.1, =0.6.6, =4.0.0-alpha.1, =4.0.0-alpha.1, =0.1.0, =0.0.1, =1.3.0, =0.1.4, =0.0.20, =0.15.0, =1.1.0-beta.0, =5.0.0-next.80, =5.0.0-test.1 and more Source cves: CVE-2026-42573 Source advisory: SNYK:JS-SVELTE-16697541...
GHSA-4GC7-QCVF-38WG In OpenClaw, manually adding sort to tools.exec.safeBins could bypass allowlist approval via --compress-program
Summary: This issue applies to a non-default configuration only. If sort is manually added to tools.exec.safeBins, OpenClaw could treat sort --compress-program= as valid safe-bin usage. In security=allowlist + ask=on-miss, this could satisfy allowlist checks and skip operator approval, while GNU...
MAL-2025-191132 Malicious code in nitro-kutu (npm)
Source: amazon-inspector 2c730e64b459919c937231de7e767a99ceca04f35011b70d3d95c5616092dead The package nitro-kutu was found to contain malicious code. Source: ghsa-malware e49eaa55b0b2cddde2728a2d6cfcc512771af0fa1cf78903a09e11d7b564d972 Any...
Embedded Malicious Code
Overview: Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...
Malicious code in metalsmith-postcss-loader-magellan-test (npm)
Source: amazon-inspector 69fe8b0cbdd771e61ac7089387c9ddf8f95515c70c04cab19da6ce8437c56206 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in shell-omicron-dog-bash-simple (npm)
Source: amazon-inspector b9773541d5d024eb6ba320252005f48715f06580b91dc6b9da8e16df177b7266 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in kastra-oberon-spectroscopy-mocha (npm)
Source: amazon-inspector b2e7279e1ca549eb0a3e63cb167e9feb16a51f1dedbbf158bf38ddbc2b169e23 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in phi-void-long-reject-import (npm)
Source: amazon-inspector 0575ba7190f457149e600c3f495b41bf3da1f88c362f42da78e7ded6e0d2b470 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-189044 Malicious code in quick-info-star-new-import (npm)
Source: amazon-inspector ff8d2af4a7471f80995ba4591bc1d021217434d34977fb94879b5ed115d965a3 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in imugiay-avg-daigajuj (npm)
Source: amazon-inspector 60f8d9bf88172011d98730eecc58b4fda1a51688622ca3edaffe2b4b62d5472b This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in manu-oyi-gigimsof (npm)
Source: amazon-inspector 39cfae4fd70ba14e37c26847a3e7ced620dfde85ec4c07b93c808dc0cd9271cc This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in mahnu-nofity-gami (npm)
Source: amazon-inspector ae35ef0cdb412e48c5e641978ab4e67693914eee7f5d0c188f13b5ed87ad040f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...