53 matches found
Malicious code in terminal-mascot (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f3fdf1ac60d0060cb78970c884bcfa7bb5360d9f700c0f8992b66af09cce22ae [email protected] ships a postinstall script install-check.cjs that resolves a bundle URL from a remote JSON config at...
MAL-2026-10424 Malicious code in terminal-mascot (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f3fdf1ac60d0060cb78970c884bcfa7bb5360d9f700c0f8992b66af09cce22ae [email protected] ships a postinstall script install-check.cjs that resolves a bundle URL from a remote JSON config at...
Malicious code in polymarket-trading-developer-tool (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 30ffc35841039a7a95d8b5590db211f34b662975513f3a054b8be282f0858c99 The package's postinstall lifecycle script performs install-time remote code execution. It reads a bundle URL from a JSON config hosted at...
Amazon Linux 2023 : rclone (ALAS2023-2026-1907)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1907 advisory. Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD reques...
Malicious code in clob-client-math (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b36bbf14a743630a93ba7f8d7529d3fae8073f0f585af4343506be6248fc1b59 [email protected] ships a postinstall script install-check.cjs that fetches a JSON config from...
Malicious code in poly-kelly (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d3df5266b6e9d9347844e4e054ab744aad9517c6f55df4e68e6c6815e843da7 On npm install, the package's postinstall script reads the homepage field from package.json set to...
Rclone 1.46.x < 1.74.3 Unauthenticated Command Execution
The version of Rclone installed on the remote host is 1.46.x prior to 1.74.3. It is, therefore, affected by an unauthenticated command execution vulnerability: - rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form /remote:path/object. The remote value is parse...
MAL-2026-6163 Malicious code in framerate-interaction-permissions (npm)
The npm package framerate-interaction-permissions published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component mount it...
MAL-2026-6166 Malicious code in jest-macos (npm)
The npm package jest-macos published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component mount it registers...
MAL-2026-6160 Malicious code in firebase-readability (npm)
The npm package firebase-readability published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component mount it registers...
MAL-2026-6181 Malicious code in virtualization-compression-collapse (npm)
The npm package virtualization-compression-collapse published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component mount it...
MAL-2026-6170 Malicious code in onesignal-hooks (npm)
The npm package onesignal-hooks published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component mount it registers...
MAL-2026-6156 Malicious code in documents-widgets (npm)
The npm package documents-widgets published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component mount it registers...
MAL-2026-6145 Malicious code in accordion-animationtiming-authorization (npm)
The npm package accordion-animationtiming-authorization published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component moun...
MAL-2026-6178 Malicious code in streaming-downloads (npm)
The npm package streaming-downloads published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component mount it registers...
MAL-2026-6173 Malicious code in profiling-keychain (npm)
The npm package profiling-keychain published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component mount it registers...
Malicious code in noteparse (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 270d4c797fe34bc0b9598608f45add8721f1fa80d1488e4fae750e3a7b38419e noteparse 1.1.27 ships live MinIO credentials in configReader.py endpoint uicfile.uniview.com, accesskey 'uicpro', secretkey 'uicpropass123' that are...
Malicious code in common-tg-service (npm)
Malicious npm package published by user shetty123 as part of a Telegram account hijacking framework targeting Indian Telegram users. All 502 published versions 1.0.1 through 1.3.207 are malicious. Pairs with ams-ssk, which provides the operator's server-side AMS/CMS infrastructure...
OpenClaw 访问控制错误漏洞
OpenClaw is an open-source intelligent artificial assistant. Versions of OpenClaw prior to 2026.2.12 had a access control vulnerability. This vulnerability stemmed from the Nostr plugin exposing unvalidated HTTP endpoints, which could allow remote attackers to read sensitive configuration file da...
CVE-2021-35486
A Cross-Site Request Forgery CSRF vulnerability in Nokia IMPACT through 19.11.2.10-20210118042150283 allows a remote attacker to import and overwrite the entire application configuration. Specifically, in /ui/rest-proxy/entity/import, neither the X-CSRF-NONCE HTTP header nor the CSRF-NONCE cookie...