34 matches found

RustSec
added yesterday | 2 views

`exploration` was removed from crates.io for malicious code

A method within the exploration crate attempted to download and execute a payload from a remote site. The malicious crate had 1 version published on 2026-06-02, approximately 1 hour before removal, and had no evidence of actual usage. This crate had no dependencies on crates.io. Thanks to Kirill...

5.9 AI score
Exploits: 0
NVD
added 2026/05/07 9:16 a.m. | 7 views

CVE-2026-27416

Missing Authorization vulnerability in bPlugins PDF Poster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF Poster: from n/a through 2.4.1...

5.3 CVSS | 0.00037 EPSS
Exploits: 0 | References: 1
OSV
added 2026/05/04 9:43 p.m. | 1 view

GHSA-G38R-8GMR-GHRF `mysten-metrics` was removed from crates.io for malicious code

mysten-metrics included a build script that attempted to exfiltrate data from the build machine. The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io...

5.8 AI score
Exploits: 0 | References: 2
GitHub Security Blog
added 2026/05/04 9:42 p.m. | 2 views

`sui-execution-cut` was removed from crates.io for malicious code

sui-execution-cut included a build script that attempted to exfiltrate data from the build machine. The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io...

5.8 AI score
Exploits: 0 | References: 2 | Affected Software: 1
Positive Technologies
added 2026/05/04 12:0 a.m. | 3 views

PT-2026-37360

sui-execution-cut included a build script that attempted to exfiltrate data from the build machine. The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io...

5.8 AI score
Exploits: 0 | References: 3
OSV
added 2026/04/23 12:0 p.m. | 5 views

RUSTSEC-2026-0108 `sui-execution-cut` was removed from crates.io for malicious code

sui-execution-cut included a build script that attempted to exfiltrate data from the build machine. The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io...

5.8 AI score
Exploits: 0 | References: 2
Patchstack
added 2026/04/21 3:16 p.m. | 3 views

WordPress FunnelFormsPro plugin <= 3.8.1 - Remote Code Execution (RCE) vulnerability

Remote Code Execution (RCE) vulnerability discovered by 3ele / Sebastian Weiss in WordPress Plugin FunnelFormsPro versions <= 3.8.1...

9.9 CVSS | 5.8 AI score | 0.00022 EPSS
Exploits: 1 | Affected Software: 1
OSV
added 2026/04/06 4:13 p.m. | 1 view

MAL-2026-2524 Malicious code in a2a-chat-canvas (npm)

Malicious package due to suspicious callback URL, hostname exfiltration, preinstall script execution, and only one published version. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d466a45c588940f8279288c439a4665d5368f0a7642c966de8e9fd307bc028b3 The package...

5.8 AI score
Exploits: 0 | References: 1
OSV
added 2026/03/13 5:38 a.m. | 1 view

MAL-2026-1387 Malicious code in tahoe-tap (npm)

Malicious package detected. Executes code during installation via preinstall script in package.json and has only one version published. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector deec4b3e879632ae9819b52e88ae689725b1af688aecd541e498d2bac084f848 The package...

5.8 AI score
Exploits: 0 | References: 2
RustSec
added 2026/03/10 12:0 p.m. | 2 views

`chrono_anchor` was removed from crates.io due to malicious code

The `chrono_anchor` crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. The malicious crate had 1 version published on 2026-03-04 approximately 6 days before removal and had no evidence of actual downloads. There were no crates...

5.8 AI score
Exploits: 0
OSV
added 2026/03/05 9:15 p.m. | 2 views

GHSA-MH23-RW7F-V5PQ `time-sync` was removed from crates.io due to malicious code

The time-sync crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. This is the same attack that we've seen three times in the last few days. The malicious crate had 1 version published on 2026-03-04 approximately 50 minutes before...

6 AI score
Exploits: 0 | References: 1
GitHub Security Blog
added 2026/03/05 9:15 p.m. | 3 views

`time-sync` was removed from crates.io due to malicious code

The time-sync crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. This is the same attack that we've seen three times in the last few days. The malicious crate had 1 version published on 2026-03-04 approximately 50 minutes before...

6 AI score
Exploits: 0 | References: 2 | Affected Software: 1
OSV
added 2026/03/04 8:44 p.m. | 2 views

GHSA-77XJ-RRH3-WX3V `time_calibrator` was removed from crates.io due to malicious code

It was reported that `time_calibrator` contained malicious code that would try to upload .env files to a server. The malicious crate had only 1 version published at 2026-02-28 and no evidence of actual usage. The crate was removed from crates.io and the user account was locked. There were no crates...

6 AI score
Exploits: 0 | References: 1
RustSec
added 2026/03/04 12:0 p.m. | 4 views

`time-sync` was removed from crates.io due to malicious code

The time-sync crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. This is the same attack that we've seen three times in the last few days. The malicious crate had 1 version published on 2026-03-04 approximately 50 minutes before...

6 AI score
Exploits: 0
Patchstack
added 2026/02/04 12:53 p.m. | 4 views

WordPress Contact Manager plugin <= 9.1.1 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Skalucy in WordPress Plugin Contact Manager versions <= 9.1.1...

8.8 CVSS | 5.6 AI score | 0.0006 EPSS
Exploits: 0 | Affected Software: 1
Positive Technologies
added 2026/01/16 12:0 a.m. | 2 views

PT-2026-3245

Name of the Vulnerable Software and Affected Versions: ABB Ability OPTIMAX versions 6.1, 6.2, 6.3.0 through 6.3.1-251120, and 6.4.0 before 6.4.1-251120. Description: An incorrect implementation of the authentication algorithm exists in ABB Ability OPTIMAX. This allows for a potential authentication...

9.2 CVSS | 5.2 AI score | 0.00032 EPSS
Exploits: 0 | References: 7
IBM Security Bulletins
added 2025/12/23 3:23 p.m. | 14 views

Security Bulletin: Security vulnerabilities in Java SE shipped with IBM CICS TX Standard (CVE-2025-53066 and CVE-2025-53057)

Summary: There are multiple vulnerabilities in the Java SE version shipped with IBM CICS TX Standard (CVE-2025-53066 and CVE-2025-53057). An update to IBM CICS TX Standard has been released to address these vulnerabilities. Vulnerability Details: CVEID: CVE-2025-53066 DESCRIPTION: An unspecified...

7.5 CVSS | 6.6 AI score | 0.00068 EPSS
Exploits: 0 | Affected Software: 1
Cvelist
added 2025/12/18 3:10 p.m. | 19 views

CVE-2025-65010 Missing authorizations for admin panel password change in WODESYS WD-R608U router

WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) is vulnerable to Broken Access Control in initial configuration wizard.cgi endpoint. A malicious attacker can change the admin panel password without authorization. The vulnerability can also be exploited after the initial configuration has...

7.1 CVSS | 0.00022 EPSS
Exploits: 0 | References: 3
CNNVD
added 2025/12/11 12:0 a.m. | 2 views

TeamViewer DEX Client security vulnerability

TeamViewer DEX Client is a digital employee experience and endpoint management software from TeamViewer Germany. A security vulnerability exists in versions prior to TeamViewer DEX Client V21 that stems from improper input validation and could lead to remote execution of arbitrary commands...

7.2 CVSS | 6.8 AI score | 0.00231 EPSS
Exploits: 0 | References: 1
OSV
added 2025/12/09 12:0 p.m. | 2 views

RUSTSEC-2025-0152 `finch_cli_rust` was removed from crates.io for malicious code

This attempts to typosquat the existing crate finchcli to steal credentials from local files. The malicious crate had 1 version published on 2025-12-08 and had been downloaded 18 times. There were no crates depending on this crate on crates.io. Thanks to Matthias Zepper of NGI Sweden for reportin...

5.5 AI score
Exploits: 0 | References: 2