600 matches found
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...
EEF-CVE-2026-23940 Denial of Service via Oversized Package Upload
Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result in a denial of...
EUVD-2026-12050
Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result in a denial of...
CVE-2026-21621
Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions domain: "api", resource: "read" can be escalated to full write access under specific conditions. When exchanging a...
CVE-2026-21621
Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions domain: "api", resource: "read" can be escalated to full write access under specific conditions. When exchanging a...
PT-2026-23497
Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions domain: "api", resource: "read" can be escalated to full write access under specific conditions. When exchanging a...
EUVD-2026-5040
In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pullrequesttarget trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to...
Malicious code in development-playwright-stratosphere-parcel (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 71e0ceb6921987d11128b3d9468cfe3777ed868bbcb9f3c382500437fb7f12f8 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in eslint-plugin-gacrux-wolf-ariel (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65c4c2c488bc3934c41186d1bf456e7754924dbf514664faccb83c81e00532a1 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in jovian-sass-loader-native-cassini (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 225deea9531693f6cbd7d6edd3656452b2959b26fd0b8a748ec2e08d0dbcbb98 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in radioastronomy-photon-eslint-apollo (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a645989f783782e13048984e4e9fbd513842be85a2bee02ecbb304166d33afd This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-188327 Malicious code in nodejs-oberon-ignite-node-sass (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1e482bde61fb3e85e4f0ddaf6dbd2bc2b7e66e9546b44fb6bde77934921f5482 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in webdriver-manager-stratosphere-stratigraphy-stop (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0934643185b5cbcc16307cc870692bbaf0a0c6ef0085d73916acdc478aa082fa This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-188129 Malicious code in morgan-sass-loader-release-it-quark (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8c153eb6fd6cc614dab9d8fd43c3d5a0e5258e9ae6ddd573ad103e2a78cdf4f3 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in unuk-uglify-js-astrochemistry-comet (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f57906ac6a4735bb92280c00660dfe0fcb082121021fc0d695fd942e50c6163c This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in mechatronics-borealis-tardigrade-init (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e651931a0daf2cef9a1b2da12b3ea1df680bbe83487eb4a9897a63c3722a27ef This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in tool-dotenv-parse-variables-gravitationalwave-luna (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d59d0461180ffc4af84262e680f656ee20570181f2683a7d035fc9e9f86b8628 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in planetology-stratosphere-library-csrf (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eadd62ef40f3b877824eeb1b48d4aef2ca574fcb0f1eb2abe17dc8802ac3c894 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...