107 matches found
CVE-2026-42035
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter lib/adapters/http.js that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type...
CVE-2026-42033 Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can silently intercept and modify every JSON response before the...
GHSA-8QM3-746X-R74R devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed
Under certain circumstances, unevaling untrusted data can produce output code that will create objects with polluted prototypes when later evaled, meaning the output data can be a different shape from the input data...
devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed
Under certain circumstances, unevaling untrusted data can produce output code that will create objects with polluted prototypes when later evaled, meaning the output data can be a different shape from the input data...
Malicious code in meteor-spectron-webdriver-ignite-spawn (npm)
Source: amazon-inspector 7825fb698098acfc9237bd9d71a9037ffc59b30a8a2d44a9f74468e7506bfceb This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in electron-pm2-toml-test (npm)
Source: amazon-inspector f39fb8a9d75395b1785a187dc32fd7123d42ea214d0d3cd4f9526ff421b0a685 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-188173 Malicious code in nashira-winston-aurora-gatsby (npm)
Source: amazon-inspector 9af5c52e6cf6987260607279112d0d054adf72f69bd5cad9cc62fec8cf109c67 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in rigel-photon-interferometry-yaml (npm)
Source: amazon-inspector 80fdd06f2759d7a5c81facbdff2a653399e9620cc9ef3b395398eac4ca83714f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-188485 Malicious code in oscillation-oscillation-accretion-comet (npm)
Source: amazon-inspector 5aabcc23741bcf27357094729678d0020795b582d6ff8e15a2a87d1131c48525 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-187149 Malicious code in genomics-run-script-auth-neptune (npm)
Source: amazon-inspector 27853c93677fec2a5030fe143a9a6b4d812b32a1ed874a06ed9ea9f4580b5743 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in heka-buffer-install-transform (npm)
Source: amazon-inspector 8d173a46b2222709ebde51168c15d95d657b1e4e9bdebe6edb1073438c8838fd This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in proxy-interface-visualize-thread-psi (npm)
Source: amazon-inspector 0ddea4dbb6eff0705e7dafca9a928b20e3f7c53e53533c9ce697d23afba2267d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in gocay-gua-visgojfahi (npm)
Source: amazon-inspector 6d492603c4c3c9ded6c5ede7fdb31e617b772433e8f1713acc474c254d7badb7 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in avang-oliutka-tabar (npm)
Source: amazon-inspector 2031e817f01ebe858ff7ff64bee3bffd895539616b54b4819e7fa71d8c05aab7 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in polymer-arash-millio (npm)
Source: amazon-inspector f838470e7c6e82a8b18dc6854bab4416b79a81276510daa30309062538d145a8 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-173761 Malicious code in butry-mutyu-wer (npm)
Source: amazon-inspector 37546b56a6e767f2df39fe3cf3b1de9a648e178c2dc0523c6a09810a737237f5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-170808 Malicious code in ameenzaid (npm)
Source: amazon-inspector 3e87a056ab681f51e44a4c61d78ead21a1ca8c9c28f87d0c747e375b7249cda6 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-171585 Malicious code in milkywaymentor (npm)
Source: amazon-inspector 79fc1c210f105ed1b9167aa6fe8292a0319f2309fb4264021175404fa452bf6e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in hariyono-93 (npm)
Source: amazon-inspector be68d408a361613411455fa92bea3fa908314162ccd52a1a24183f1e13e1a0ee This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in rino-poke21 (npm)
Source: amazon-inspector 07efbad554bbee7cb8966118c993a5b20a073613f42488b60631a32f2d7c79e1 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...