Malicious Package
Overview cline is a malicious package. The NPM publishing token for this package was compromised and used by an unauthorized party to publish version 2.3.0 containing a modified package.json with an added postinstall script "postinstall": "npm install -g openclaw@latest". This causes openclaw an...
EUVD-2025-90449
Malicious code in lina-bubur41-miaww npm...
EUVD-2025-89137
Malicious code in riana-taiwan29-miaww npm...
EUVD-2025-50963
Malicious code in xerothermic-coffee-gorilla npm...
MAL-2025-49318 Malicious code in stark-recurser (npm)
Per source details. Source: amazon-inspector 54520ff73a8cd962cb9ab3db426b6c93987e6b616edf752e0e5f6f346293af1b The package stark-recurser was found to contain malicious code. Source: ossf-package-analysis...
MAL-2025-48555 Malicious code in user_oidc (npm)
The package communicates with a domain associated with malicious activity. Per source details. Source: ossf-package-analysis e28e6e5435f54199a3dca6186e1ad2d2846226bcf0a6792ff09d40b6215ed7af The OpenSSF Package Analysis project identified 'useroidc' @ 8.0.2 np...
Malicious code in @zalastax/nolb-o6 (npm)
The package @zalastax/nolb-o6 was found to contain malicious code...
Canonical Juju utils Security Vulnerability
Canonical Juju utils is an open source package from Canonical Juju. A security vulnerability exists in Canonical Juju utils: private information may be included in the certificate generation process, which could lead to private key disclosure...
Malicious code in kupo-app-secure-store-plugin (npm)
Per source details. Source: ossf-package-analysis d04ed47c7e296896a93ec11ccbe851b0a3d33f3afe06d2aaba32be6263363a33 The OpenSSF Package Analysis project identified 'kupo-app-secure-store-plugin' @ 99.0.0 npm as malicious. It is considered malicious because: -...
Security Bulletin: IBM i Access Client Solutions is vulnerable to a remote attacker bypassing integrity checks in Apache Mina SSHD Common (CVE-2023-48795)
Summary IBM i Access Client Solutions is vulnerable to a remote attacker bypassing integrity checks CVE-2023-48795 found in Apache Mina SSHD Common. Apache Mina SSHD Common is used by the Open Source Package Manager feature of IBM i Access Client Solutions when authenticating to the IBM i server...
New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics
Cybersecurity researchers have discovered two malicious packages on the Python Package Index PyPI repository that were found leveraging a technique called DLL side-loading to circumvent detection by security software and run malicious code. The packages, named NP6HelperHttptest and NP6HelperHttpe...
CVE-2023-51449
Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitrary Python function. Versions of gradio prior to 4.11.0 contained a vulnerability in the /file route which made them susceptible to file traversal...
New Supply Chain Attack Exploits Abandoned S3 Buckets to Distribute Malicious Binaries
In what's a new kind of software supply chain attack aimed at open source projects, it has emerged that threat actors could seize control of expired Amazon S3 buckets to serve rogue binaries without altering the modules themselves. "Malicious binaries steal the user IDs, passwords, local machine...
Config Handler Security Vulnerability
Config Handler is an open source package. It is used for loading configurations and deep merging package, global, and environment settings. Config Handler has a security vulnerability: all versions of the package are susceptible to prototype pollution...
opensysusers Code Injection Vulnerability
opensysusers is an open source package. It is an alternative implementation of systemd-sysusers that can be run on systems with or without systemd installed. A code injection vulnerability exists in versions of opensysusers prior to 0.6, which poses a security risk primarily due to the use of...
shescape command injection vulnerability
shescape is an open source package providing a simple shell escaping library for JavaScript. It is used to escape user-controlled input to shell commands in order to prevent shell injection. A command injection vulnerability exists in versions of shescape prior to 1.1.3, which can be exploited by an attacker to insert a...
UBUNTU-CVE-2017-8394
The Binary File Descriptor BFD library aka libbfd, as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of bfdelflargecomsection. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library,...