38 matches found
Malicious code in hardhat-test-log (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 741350b4472a82c53151793b413166a5fad36af3d2d14fa1d12afba9eccb9fed Package impersonates the well-known eth-gas-reporter / hardhat-gas-reporter packages: README is titled 'eth-test-log', copies badges and contributor...
MAL-2026-6312 Malicious code in @tinyfox/shapecheck (npm)
@tinyfox/shapecheck malicious version 0.8.7, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern...
Malicious code in ts-webplug (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a120eb8e3f6ca34493b7f282544523ab60137e8388148b191f46cda094e50789 The package impersonates the pino logger README titled 'chai-mocks', badges linking to pinojs/pino, module export named pino while its actual package...
Malicious code in vite-config-field (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e5dabbc9cf746e153391fbe76f4dc54f9bccb9f7fd467d5b80d07c84ab1fb58 [email protected] impersonates the legitimate vite-plugin-pwa package README copies its banner/badges, funding field points at antfu's GitHub...
MAL-2026-5936 Malicious code in vite-config-field (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e5dabbc9cf746e153391fbe76f4dc54f9bccb9f7fd467d5b80d07c84ab1fb58 [email protected] impersonates the legitimate vite-plugin-pwa package README copies its banner/badges, funding field points at antfu's GitHub...
MAL-2026-5605 Malicious code in chai-as-victimed (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4b60cf728d4e2f5932f37d3e420649f6facc08959a8380a4724ec9e885b88754 Package name impersonates chai-as-promised but ships a remote-code dropper. lib/caller.js base64-decodes a hardcoded URL pointing to...
Improper Verification of Source of a Communication Channel
Overview electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel via the single-instance socket process. An attacker can execute arbitrary code by sending a crafted JSON...
GHSA-9MQQ-JQXF-GRVW PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection
Summary PraisonAI's MCP Model Context Protocol server praisonai mcp serve registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and joi...
CVE-2026-7730 privsim mcp-test-runner MCP index.ts child_process.spawn os command injection
A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function childprocess.spawn of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit...
CVE-2026-7730 privsim mcp-test-runner MCP index.ts child_process.spawn os command injection
A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function childprocess.spawn of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit...
GHSA-WVR4-3WQ4-GPC5 MCP Connect has unauthenticated remote OS command execution via /bridge endpoint
Summary When AUTHTOKEN and ACCESSTOKEN environment variables are not set which is the default out-of-the-box configuration the /bridge HTTP endpoint is completely unauthenticated. Any network-accessible caller can POST a request with an attacker-controlled serverPath and args payload, causing the...
Linux Distros Unpatched Vulnerability : CVE-2024-36138
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via childprocess.spawn /...
Malicious code in oberon-xenos-process-spawn (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2e025f47c913177a7992cfaf90cc9e7fb5b31a0018e27e73399b2e5c34a67df0 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-124162
Malicious code in oberon-xenos-process-spawn npm...
MAL-2025-145759 Malicious code in oberon-xenos-process-spawn (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2e025f47c913177a7992cfaf90cc9e7fb5b31a0018e27e73399b2e5c34a67df0 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2016-7716
Malware in sbrugna...
EUVD-2016-7715
Malware in sbrugna...
EUVD-2021-0530
Malware in sbrugna...
EUVD-2019-3855
Malware in sbrugna...
MAL-2025-6829 Malicious code in tensorflowjs (npm)
Package is malicious due to code obfuscation, arbitrary command execution via childprocess.spawn, and suspicious postinstall script. --- -= Per source details. Do not edit below this line.=-...