142110 matches found
ROOT-APP-NPM-CVE-2026-39365 CVE-2026-39365 in @rootio/vite - Patched by Root
Root has patched CVE-2026-39365 in the @rootio/vite package for Root:npm. Multiple fixed versions available...
Malicious code in @marketfront/designsystemdevtool (npm)
The @marketfront/designsystemdevtool package is part of a 25-package malicious campaign batch-published to the @marketfront npm scope by npm user 'marketfront' [email protected] within a roughly 3-minute window on 2026-07-01. All packages in the campaign were published at version 7.0.0 and...
MAL-2026-6777 Malicious code in @marketfront/errorcounter (npm)
The @marketfront/errorcounter package is part of a 25-package malicious campaign batch-published to the @marketfront npm scope by npm user 'marketfront' [email protected] within a roughly 3-minute window on 2026-07-01. All packages in the campaign were published at version 7.0.0 and use...
Malicious code in vitest-agent (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e0165cbb3d6ed37a96889c4b016463706346e1c09413635c31ea1ceedde8774 The package's postinstall script node lib/utils/index.js spawns a detached, stdio-suppressed Node child process that runs...
ROOT-APP-NPM-CVE-2026-44979 CVE-2026-44979 in @rootio/hapi__wreck - Patched by Root
Root has patched CVE-2026-44979 in the @rootio/hapiwreck package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-1526 CVE-2026-1526 in @rootio/undici - Patched by Root
Root has patched CVE-2026-1526 in the @rootio/undici package for Root:npm. Multiple fixed versions available...
RHSA-2026:26573 Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Bulletin has no description...
ROOT-APP-NPM-CVE-2025-12816 CVE-2025-12816 in @rootio/node-forge - Patched by Root
Root has patched CVE-2025-12816 in the @rootio/node-forge package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2022-24772 CVE-2022-24772 in @rootio/node-forge - Patched by Root
Root has patched CVE-2022-24772 in the @rootio/node-forge package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-25896 CVE-2026-25896 in @rootio/fast-xml-parser - Patched by Root
Root has patched CVE-2026-25896 in the @rootio/fast-xml-parser package for Root:npm. Multiple fixed versions available...
Malicious code in log-taker1 (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. log-taker1 embeds a full infostealer 2800 lines directly in index.js, executed at install time via postinstall: node test.js. The payload harvests cryptocurrency wallet vaults MetaMask, Phantom, Solflare,...
Malicious code in @digitalpharmacist/http-error-util (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bd3874246d23d6027bd09962515c8e79a0246740ff5fc6f853270c0a40271d18 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in cmp-api-stub (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 64a5a4ba35daee6a6a7e344f853e6ab0fc54d4d39f3434bdd3cbc7e7f56aa766 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in authsessionbridge (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8c7726c32d14f31a311ae45a86c88fb5c478b8e89d9c71981b7c8ad1da946739 On require, lib/constants.js reached transitively from the package main issues an axios GET to a base64-obfuscated URL at jsonkeeper.com...
Malicious code in auth-state-service (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9fc857733e3c372868625f57425574859c653eb8ac16c97171aa9e929de13ca6 On require'auth-state-service', the package loads lib/writer.js, which at top level attempts require'ssr-auth-sync' and on failure shells out via...
Malicious code in lc-chatbot (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 81ca324fdc9c4ba5536abcd43972f1a506f4af99ace29447b66a17947b1b8606 package.json declares both preinstall and postinstall scripts that run node callback.js, so the callback fires automatically on npm install with no...
MAL-2026-6559 Malicious code in lc-chatbot (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 81ca324fdc9c4ba5536abcd43972f1a506f4af99ace29447b66a17947b1b8606 package.json declares both preinstall and postinstall scripts that run node callback.js, so the callback fires automatically on npm install with no...
EUVD-2026-39487
pnpm: stage download writes outside its destination directory via manifest name/version traversal...
EUVD-2026-39484
pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes...
EUVD-2026-39483
pnpm: Repository-controlled configDependencies can select a pacquet native install engine...