MAL-2026-6312 Malicious code in @tinyfox/shapecheck (npm)

@tinyfox/shapecheck malicious version 0.8.7, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern...

Malicious code in vite-config-field (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e5dabbc9cf746e153391fbe76f4dc54f9bccb9f7fd467d5b80d07c84ab1fb58 [email protected] impersonates the legitimate vite-plugin-pwa package README copies its banner/badges, funding field points at antfu's GitHub...

MAL-2026-5936 Malicious code in vite-config-field (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e5dabbc9cf746e153391fbe76f4dc54f9bccb9f7fd467d5b80d07c84ab1fb58 [email protected] impersonates the legitimate vite-plugin-pwa package README copies its banner/badges, funding field points at antfu's GitHub...

MAL-2026-5605 Malicious code in chai-as-victimed (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4b60cf728d4e2f5932f37d3e420649f6facc08959a8380a4724ec9e885b88754 Package name impersonates chai-as-promised but ships a remote-code dropper. lib/caller.js base64-decodes a hardcoded URL pointing to...

Improper Verification of Source of a Communication Channel

Overview electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel via the single-instance socket process. An attacker can execute arbitrary code by sending a crafted JSON...

GHSA-9MQQ-JQXF-GRVW PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection

Summary PraisonAI's MCP Model Context Protocol server praisonai mcp serve registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and joi...

CVE-2026-7730 privsim mcp-test-runner MCP index.ts child_process.spawn os command injection

A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function childprocess.spawn of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit...

CVE-2026-7730 privsim mcp-test-runner MCP index.ts child_process.spawn os command injection

A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function childprocess.spawn of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit...

GHSA-WVR4-3WQ4-GPC5 MCP Connect has unauthenticated remote OS command execution via /bridge endpoint

Summary When AUTHTOKEN and ACCESSTOKEN environment variables are not set which is the default out-of-the-box configuration the /bridge HTTP endpoint is completely unauthenticated. Any network-accessible caller can POST a request with an attacker-controlled serverPath and args payload, causing the...

Linux Distros Unpatched Vulnerability : CVE-2024-36138

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via childprocess.spawn /...

EUVD-2025-124162

Malicious code in oberon-xenos-process-spawn npm...

Malicious code in oberon-xenos-process-spawn (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2e025f47c913177a7992cfaf90cc9e7fb5b31a0018e27e73399b2e5c34a67df0 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

MAL-2025-145759 Malicious code in oberon-xenos-process-spawn (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2e025f47c913177a7992cfaf90cc9e7fb5b31a0018e27e73399b2e5c34a67df0 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

EUVD-2021-0530

Malware in sbrugna...

EUVD-2016-7716

Malware in sbrugna...

EUVD-2016-7715

Malware in sbrugna...

EUVD-2019-3855

Malware in sbrugna...

MAL-2025-6829 Malicious code in tensorflowjs (npm)

Package is malicious due to code obfuscation, arbitrary command execution via childprocess.spawn, and suspicious postinstall script. --- -= Per source details. Do not edit below this line.=-...

SUSE-SU-2024:2496-1 Security update for nodejs18

This update for nodejs18 fixes the following issues: Update to 18.20.4: - CVE-2024-36138: Fixed CVE-2024-27980 fix bypass bsc1227560 - CVE-2024-22020: Fixed a bypass of network import restriction via data URL bsc1227554 Changes in 18.20.3: - This release fixes a regression introduced in Node.js...

Improper Control of Generation of Code ('Code Injection')

Overview Affected versions of this package are vulnerable to Improper Control of Generation of Code 'Code Injection'. This is due to a bypass of CVE-2024-27980. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. Note...