Lucene search
+L

38 matches found

ossf
ossf
added 2026/06/24 4:13 a.m.9 views

Malicious code in hardhat-test-log (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 741350b4472a82c53151793b413166a5fad36af3d2d14fa1d12afba9eccb9fed Package impersonates the well-known eth-gas-reporter / hardhat-gas-reporter packages: README is titled 'eth-test-log', copies badges and contributor...

6.4AI score
Exploits0References4
osv
osv
added 2026/06/22 12:0 p.m.18 views

MAL-2026-6312 Malicious code in @tinyfox/shapecheck (npm)

@tinyfox/shapecheck malicious version 0.8.7, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern...

5.9AI score
Exploits0References7
ossf
ossf
added 2026/06/17 4:23 a.m.8 views

Malicious code in ts-webplug (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a120eb8e3f6ca34493b7f282544523ab60137e8388148b191f46cda094e50789 The package impersonates the pino logger README titled 'chai-mocks', badges linking to pinojs/pino, module export named pino while its actual package...

6AI score
Exploits0References5
ossf
ossf
added 2026/06/16 10:20 p.m.10 views

Malicious code in vite-config-field (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e5dabbc9cf746e153391fbe76f4dc54f9bccb9f7fd467d5b80d07c84ab1fb58 [email protected] impersonates the legitimate vite-plugin-pwa package README copies its banner/badges, funding field points at antfu's GitHub...

6.5AI score
Exploits0References7
osv
osv
added 2026/06/16 10:20 p.m.10 views

MAL-2026-5936 Malicious code in vite-config-field (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e5dabbc9cf746e153391fbe76f4dc54f9bccb9f7fd467d5b80d07c84ab1fb58 [email protected] impersonates the legitimate vite-plugin-pwa package README copies its banner/badges, funding field points at antfu's GitHub...

6.5AI score
Exploits0References7
osv
osv
added 2026/06/11 7:19 a.m.17 views

MAL-2026-5605 Malicious code in chai-as-victimed (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4b60cf728d4e2f5932f37d3e420649f6facc08959a8380a4724ec9e885b88754 Package name impersonates chai-as-promised but ships a remote-code dropper. lib/caller.js base64-decodes a hardcoded URL pointing to...

6.5AI score
Exploits0References1
snyk
snyk
added 2026/05/14 8:29 p.m.16 views

Improper Verification of Source of a Communication Channel

Overview electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel via the single-instance socket process. An attacker can execute arbitrary code by sending a crafted JSON...

9.3CVSS6.2AI score0.00114EPSS
Exploits0References4
osv
osv
added 2026/05/11 1:58 p.m.7 views

GHSA-9MQQ-JQXF-GRVW PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection

Summary PraisonAI's MCP Model Context Protocol server praisonai mcp serve registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and joi...

9.6CVSS6.3AI score0.00619EPSS
Exploits1References3
vulnrichment
vulnrichment
added 2026/05/04 4:0 a.m.4 views

CVE-2026-7730 privsim mcp-test-runner MCP index.ts child_process.spawn os command injection

A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function childprocess.spawn of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit...

6.5CVSS6.4AI score0.01089EPSS
Exploits0References6
cvelist
cvelist
added 2026/05/04 4:0 a.m.40 views

CVE-2026-7730 privsim mcp-test-runner MCP index.ts child_process.spawn os command injection

A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function childprocess.spawn of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit...

6.5CVSS0.01089EPSS
Exploits0References6
osv
osv
added 2026/03/19 12:51 p.m.5 views

GHSA-WVR4-3WQ4-GPC5 MCP Connect has unauthenticated remote OS command execution via /bridge endpoint

Summary When AUTHTOKEN and ACCESSTOKEN environment variables are not set which is the default out-of-the-box configuration the /bridge HTTP endpoint is completely unauthenticated. Any network-accessible caller can POST a request with an attacker-controlled serverPath and args payload, causing the...

9.8CVSS6.7AI score
Exploits0References2
nessus
nessus
added 2026/03/04 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2024-36138

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via childprocess.spawn /...

8.1CVSS7.7AI score0.01411EPSS
Exploits0References2
ossf
ossf
added 2025/11/12 4:29 a.m.9 views

Malicious code in oberon-xenos-process-spawn (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2e025f47c913177a7992cfaf90cc9e7fb5b31a0018e27e73399b2e5c34a67df0 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
euvd
euvd
added 2025/11/12 4:29 a.m.8 views

EUVD-2025-124162

Malicious code in oberon-xenos-process-spawn npm...

6.6AI score
Exploits0
osv
osv
added 2025/11/12 4:29 a.m.4 views

MAL-2025-145759 Malicious code in oberon-xenos-process-spawn (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2e025f47c913177a7992cfaf90cc9e7fb5b31a0018e27e73399b2e5c34a67df0 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8AI score
Exploits0
euvd
euvd
added 2025/10/07 12:30 a.m.6 views

EUVD-2016-7716

Malware in sbrugna...

7.5CVSS8.5AI score0.0175EPSS
Exploits0References3
euvd
euvd
added 2025/10/07 12:30 a.m.10 views

EUVD-2016-7715

Malware in sbrugna...

9.8CVSS9.2AI score0.02148EPSS
Exploits0References3
euvd
euvd
added 2025/10/07 12:30 a.m.6 views

EUVD-2021-0530

Malware in sbrugna...

8.6CVSS8.6AI score0.01702EPSS
Exploits1References5
euvd
euvd
added 2025/10/07 12:30 a.m.7 views

EUVD-2019-3855

Malware in sbrugna...

8.1CVSS7.9AI score0.0187EPSS
Exploits1References8
osv
osv
added 2025/08/12 5:9 p.m.3 views

MAL-2025-6829 Malicious code in tensorflowjs (npm)

Package is malicious due to code obfuscation, arbitrary command execution via childprocess.spawn, and suspicious postinstall script. --- -= Per source details. Do not edit below this line.=-...

7.6AI score
Exploits0References4
Rows per page
Query Builder