Lucene search

67 matches found

OSV
added 2026/05/21 8:12 a.m., 6 views

MAL-2026-4336 Malicious code in webservices.rest-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5c9c78a4d0c87def69bbc5337e41a730e7ca6ae898426759915f053dc584581c package.json declares both preinstall and postinstall hooks that execute index.js, which exfiltrates installer data to a base64-encoded Cloudflare...

5.9 AI score
Exploits: 0, References: 4
Github Security Blog
added 2026/05/12 3:9 p.m., 6 views

sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)

In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. JWS payload is base64-encoded JSON, NOT encrypted. Any party who could observe a minted token CI build logs, container env dumps...

9.1 CVSS, 5.8 AI score, 0.00014 EPSS
Exploits: 1, References: 3, Affected Software: 2
OSV
added 2026/05/12 2:58 a.m., 2 views

MAL-2026-3525 Malicious code in @uipath/agent-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 67d0350668580724b1a764da5a9904350fcf8127bed8144c82a4cf966517b1ce Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.8 AI score
Exploits: 0, References: 6
OSV
added 2026/05/12 1:53 a.m., 1 view

MAL-2026-3511 Malicious code in @mistralai/mistralai-azure (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector af58e099ab615b8869cb741b5604f6becdf1e9d1d7c5ac326f9c4065f5f590f6 The package @mistralai/mistralai-azure was found to contain malicious code. Source: ghsa-malware...

5.8 AI score
Exploits: 0, References: 6
OSSF Malicious Packages
added 2026/05/04 12:1 a.m., 5 views

Malicious code in @w3m-app/switch_network (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a7b0fe342478f8fa59c7d24a50e0105c12841f0ef1b7e96443843c2f3eba85a5 The package @w3m-app/switchnetwork was found to contain malicious code. Source: ghsa-malware...

5.8 AI score
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/04/22 1:58 p.m., 6 views

Malicious code in @automagik/genie (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3a6e7702eae0e8ff480f6f47624128cb3bf2ad5934d6c6a9a5481f3ac424db40 The package @automagik/genie was found to contain malicious code. Source: ghsa-malware 00207299cc0b9ee634f5850f194f399c6164fd4621989a43f8e5f9353d3707...

5.7 AI score
Exploits: 0, References: 1
NVD
added 2026/04/09 4:16 p.m., 2 views

CVE-2026-33266

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a...

7.5 CVSS, 0.00055 EPSS
Exploits: 0, References: 2
OSSF Malicious Packages
added 2026/03/22 6:20 p.m., 3 views

Malicious code in @emilgroup/tenant-sdk-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9d887c661a1552423bf923bf1028ef4aabb762dc2fa329db39e8b4552ce32803 The package @emilgroup/tenant-sdk-node was found to contain malicious code. Source: ghsa-malware...

5.8 AI score
Exploits: 0, References: 4
OSSF Malicious Packages
added 2026/01/08 4:54 a.m., 5 views

Malicious code in timeout-ts (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1df00c4c63fa8e52f67bf4d40b5dadae1ddcb640d127546671ce2bf53b5eafa7 The package timeout-ts was found to contain malicious code. Source: ghsa-malware 16cf2a5883796e1a03bb6cc6da0182692fa5962abe42950ba3d95709ca928a71 Any...

6.9 AI score
Exploits: 0, References: 1
OSV
added 2026/01/08 1:1 a.m., 4 views

MAL-2026-149 Malicious code in bnia-work (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f78b12fa102dbd32d8d3a27c016f7b790124a3a73bdf1970768799e120183c30 The package bnia-work was found to contain malicious code. Source: ghsa-malware 2583fa3177342feb8975727c7ad5873d1a1e7bea2ce3ce445343aaa9a0b3459b Any...

6.8 AI score
Exploits: 0, References: 1
OSV
added 2025/12/16 7:3 a.m., 3 views

MAL-2025-192596 Malicious code in starling-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 02cb3e1a7a02e3f4215b9e7e7d4f0034bd086085c49a157f37ecf151a9009610 The package starling-api was found to contain malicious code. Source: ghsa-malware a935f963069dc7da39338aa1f718ac33babb8d366d6e23c489a4515b776d6577 A...

6.8 AI score
Exploits: 0, References: 3
OSV
added 2025/11/25 12:9 a.m., 3 views

MAL-2025-191171 Malicious code in @accordproject/concerto-analysis (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bd4dfaf2dbfd72597ed98e94903934d34e97ddd5dc4f7aeb7f5450767cb3a34c The package @accordproject/concerto-analysis was found to contain malicious code. Source: ghsa-malware...

6.8 AI score
Exploits: 0, References: 4
OSV
added 2025/11/24 10:55 p.m., 1 view

MAL-2025-191089 Malicious code in express-starter-template (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7f7f0e424be1b6e1710d9f2670a4a9b6fbc48636560f8af2025d15de19f01e03 The package express-starter-template was found to contain malicious code. Source: ghsa-malware...

6.8 AI score
Exploits: 0, References: 4
OSV
added 2025/11/24 1:33 p.m., 1 view

MAL-2025-190781 Malicious code in scgsffcreator (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ca94ec4e3681855a45287e7aebaa6293b5416e803022d7fb318e447cd18f49bc The package scgsffcreator was found to contain malicious code. Source: ghsa-malware 57471dc81b8368989c69a7f00f7b480aa7036def63b216094e6aca18730e0a16...

6.8 AI score
Exploits: 0, References: 4
OSSF Malicious Packages
added 2025/10/07 2:39 a.m., 3 views

Malicious code in oxrvxxxxxaslllcaj (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware cbb43c3aa5e1fe9b33fc7a3c3a439ef7edd69817df8984551602b834f7b64584 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.9 AI score
Exploits: 0, References: 3
OSSF Malicious Packages
added 2025/09/16 5:5 p.m., 2 views

Malicious code in @art-ws/package-base (npm)

The package was compromised and malicious code added. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 83ba9ddbeaff9ca9f10da444f6eebc52dd7ffa99def6e187eab42dac24a4d7de Any computer that has this package installed or running should be considered fully compromised. All...

7.1 AI score
Exploits: 0, References: 6
OSSF Malicious Packages
added 2025/09/16 5:5 p.m., 3 views

Malicious code in mstate-react (npm)

The package was compromised and malicious code added. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 997c10662d47fa55ca8cd4db612274bf4d589c7d82d079b48fae3261bb5c65a7 Any computer that has this package installed or running should be considered fully compromised. All...

7.1 AI score
Exploits: 0, References: 6
OSSF Malicious Packages
added 2025/09/16 5:5 p.m., 4 views

Malicious code in cordova-plugin-voxeet2 (npm)

The package was compromised and malicious code added. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 96ae7ef5d43ef45901a8613d236559761bb72ca1729594ffc8b3df8200250094 Any computer that has this package installed or running should be considered fully compromised. All...

7.1 AI score
Exploits: 0, References: 6
OSSF Malicious Packages
added 2025/09/16 5:24 a.m., 2 views

Malicious code in xo-wallet-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 94fd297d5bd2cbf348e88599e570974a4fc9f65f7bf3cdda6bf6a69e8dc8dd44 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.9 AI score
Exploits: 0, References: 3
RedhatCVE
added 2025/08/10 12:15 a.m., 4 views

CVE-2025-54887

jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption (JWE) standard. In versions 1.1.0 and below, authentication tags of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. This puts users at risk becau...

9.1 CVSS, 6.8 AI score, 0.0004 EPSS
Exploits: 1, References: 1