Malicious code in sjs-lint-build1 (npm)

sjs-biginteger typosquats big.js on npm. Published April 7, 2026 by throwaway account vanes.s.p.orit.a, the package ships legitimate big.js source and hides its payload in a dependency: sjs-lint-build1. On install, the dependency’s postinstall hook fetches the attacker’s SSH public key from a C2...

Malicious code in abiuba-avimun-abatipua (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b7e381488e22cd67f38f1c88da6093ad93d87e47b65df5b2bd94a8988785ff06 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

CVE-2022-48518

CVE-2022-48518 concerns Huawei HarmonyOS’ iaware startup trustlist. The connected records describe a vulnerability where the signature verification service is initialized later than system broadcasts, allowing manipulation that could cause malicious apps to start at power-on by spoofing package n...

ASB-A-215003903

In shouldAllowFgsWhileInUsePermissionLocked of ActiveServices.java, there is a possible way to start foreground service from background due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed...

Malicious Package

Overview typescript-snap is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package w...

CVE-2016-1494

The verify function in the RSA package for Python Python-RSA before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack...

unattended-upgrades man-in-the-middle

Under some conditions package spoofing is possible...