
5 matches found

Github Security Blog
added 2026/05/18 5:55 p.m., 9 views

Broken dropper in @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp

The Mistral npm packages @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp were compromised in a supply chain attack related to the TanStack security incident. An automated worm associated with the attack led to compromised npm package versions being published. Current investigation...

AI score: 5.8
Exploits: 0, References: 2, Affected Software: 3
Veracode
added 2026/03/26 10:18 a.m., 3 views

Improper Access Control

mautic/core is vulnerable to Improper Access Control. The vulnerability is due to missing enforcement of update settings restrictions, which allows a low-privileged user to install or remove arbitrary packages and execute malicious code for privilege escalation...

CVSS: 9, AI score: 6.1, EPSS: 0.00063
Exploits: 0, References: 2, Affected Software: 1
Snyk
added 2026/02/06 11:10 a.m., 3 views

Malicious Package

Overview: @sporting-life/sportinglife-betslip-sdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organizatio...

CVSS: 9.8, AI score: 5.4
Exploits: 0, References: 2
NVD
added 2025/12/02 5:16 p.m., 2 views

CVE-2025-13828

Summary: A non-privileged user can install and remove arbitrary packages via composer for a composer-based install, even if the flag in update settings for enable composer based update is unticked. Impact: A low-privileged user of the platform can install malicious code to obtain higher privileges...

CVSS: 9, EPSS: 0.00063
Exploits: 0, References: 1
CVE
added 2025/12/02 4:54 p.m., 8 views

CVE-2025-13828

Mautic platform; a flaw in the composer-based update/Marketplace flow allows a non-privileged user to install and remove arbitrary composer packages despite the enable-composer-based-update flag. Root cause: improper privilege management in the Marketplace integration enabling privilege escalatio...

CVSS: 9, AI score: 6.9, EPSS: 0.00063
Exploits: 0, References: 1