360 matches found
Malicious Package
Overview pc-analytics-promotion-creation-core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization a...
Why Software Signing (Still) Matters: Trust Boundaries in the Software Supply Chain
Software signing provides a formal mechanism for provenance by ensuring artifact integrity and verifying producer identity. It also imposes tooling and operational costs to implement in practice. In an era of centralized registries such as PyPI, npm, Maven Central, and Hugging Face, it is...
EUVD-2023-1882
Malicious code in bioql PyPI...
EUVD-2025-29227
Malicious code in bioql PyPI...
EUVD-2025-29229
Malicious code in bioql PyPI...
EUVD-2022-43161
Malicious code in bioql PyPI...
EUVD-2023-1763
Malicious code in bioql PyPI...
[SECURITY] Fedora 42 Update: skopeo-1.20.0-3.fc42
Command line utility to inspect images and repositories directly on Docker registries without the need to pull them...
GHSA-FRH7-2F84-V9MW [email protected] contains malware after npm account takeover
Impact On 8 September 2025, an npm publishing account for is-arrayish was taken over after a phishing attack. Version 0.3.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's ow...
GHSA-6JP5-HH4C-8C5H [email protected] contains malware after npm account takeover
Impact On 8 September 2025, an npm publishing account for error-ex was taken over after a phishing attack. Version 1.3.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own...
[email protected] contains malware after npm account takeover
Impact On 8 September 2025, the npm publishing account for color-convert was taken over after a phishing attack. Version 3.1.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's...
GHSA-286P-VC9P-P5QV [email protected] contains malware after npm account takeover
Impact On 8 September 2025, the npm publishing account for color-string was taken over after a phishing attack. Version 2.1.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's...
CVE-2025-59145 [email protected] contains malware after npm account takeover
color-name is a JSON with CSS color names. On 8 September 2025, an npm publishing account for color-name was taken over after a phishing attack. Version 2.0.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrenc...
CVE-2025-59162
color-convert provides plain color conversion functions in JavaScript. On 8 September 2025, the npm publishing account for color-convert was taken over after a phishing attack. Version 3.1.1 was published, functionally identical to the previous patch version, but with a malware payload added...
CVE-2025-59330
The CVE-2025-59330 entry concerns the npm package error-ex . A phishing-driven takeover of its publishing account led to version 1.3.3 containing a malware payload that attempts to redirect cryptocurrency transactions from browser environments (e.g., MetaMask) to attacker addresses. Local/server/...
CVE-2025-59162 [email protected] contains malware after npm account takeover
color-convert provides plain color conversion functions in JavaScript. On 8 September 2025, the npm publishing account for color-convert was taken over after a phishing attack. Version 3.1.1 was published, functionally identical to the previous patch version, but with a malware payload added...
CVE-2025-59143 [email protected] contains malware after npm account takeover
color is a Javascript color conversion and manipulation library. On 8 September 2025, the npm publishing account for color was taken over after a phishing attack. Version 5.0.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to...
CVE-2025-59143
Summary (CVE-2025-59143) : The issue affects the npm package color ([email protected]). An account takeover via phishing allowed an attacker to publish a malicious patch that inserts a payload in the browser context to redirect cryptocurrency transactions to attacker-owned addresses (e.g., wallets like...
CVE-2025-59141 [email protected] contains malware after npm account takeover
simple-swizzle swizzles function arguments. On 8 September 2025, the npm publishing account for simple-swizzle was taken over after a phishing attack. Version 0.2.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect...
CVE-2025-59141
CVE-2025-59141 concerns the Node.js package simple-swizzle. An account takeover via phishing led to a malicious 0.2.3 release that, when used in browser contexts (e.g., direct script tags or bundlers), attempts to redirect cryptocurrency transactions to attacker-controlled addresses. Local/server...