crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the HostnameError.Error function. This flaw, caused by unbounded string concatenation, leads to excessive resource...
GHSA-HXPF-9XVQ-WPH8 netlicensing-mcp: REST Path Traversal Bypasses Token Redaction
REST Path Traversal Bypasses Token Redaction in netlicensing-mcp Summary The netlicensinggetproduct MCP tool in netlicensing-mcp interpolates a caller-controlled productnumber argument directly into a REST URL path without any validation. Passing ../token as the product number causes httpx to...
netlicensing-mcp: REST Path Traversal Bypasses Token Redaction
REST Path Traversal Bypasses Token Redaction in netlicensing-mcp Summary The netlicensinggetproduct MCP tool in netlicensing-mcp interpolates a caller-controlled productnumber argument directly into a REST URL path without any validation. Passing ../token as the product number causes httpx to...
Malicious code in randpicker (PyPI)
Source: kam193 378d07b700aa25d356594d7b1c42db107def3dbd1cce734e4c1c50b411048eb6 When calling the Email function, the code creates a backdoor script and attempts to achieve persistence. The script connects to a Telegram bot and awaits...
MAL-2026-6138 Malicious code in randpicker (PyPI)
Source: kam193 378d07b700aa25d356594d7b1c42db107def3dbd1cce734e4c1c50b411048eb6 When calling the Email function, the code creates a backdoor script and attempts to achieve persistence. The script connects to a Telegram bot and awaits...
Malicious code in @gbrlxvi/ts-project-lint (npm)
Source: amazon-inspector 09e070ea98f9c48e77b964b3dacd4d3e7cbd82cf896fc6140ec4c390438debc8 The package's main module index.js also loaded indirectly by bin/cli.js reads a hidden binary file lib/.perf.dat, AES-256-CBC-decrypts it with a...
MAL-2026-6121 Malicious code in @gbrlxvi/ts-project-lint (npm)
Source: amazon-inspector 09e070ea98f9c48e77b964b3dacd4d3e7cbd82cf896fc6140ec4c390438debc8 The package's main module index.js also loaded indirectly by bin/cli.js reads a hidden binary file lib/.perf.dat, AES-256-CBC-decrypts it with a...
Critical Unauthenticated Arbitrary File Deletion Vulnerability Patched in Avada Builder WordPress Plugin
On May 13th, 2026, we received a submission for a critical Unauthenticated Arbitrary File Deletion vulnerability in Avada Builder, a premium WordPress plugin with an estimated 1,000,000 active installations. This vulnerability makes it possible for unauthenticated attackers to delete arbitrary...
Malicious code in ratelimitsucks (npm)
Source: amazon-inspector 44ed99ce54c3f8b6fa4f1bfa207a593bbf0d441c9eeee7d29dbc991098f8e12f Package is not a library. main points at sw.js, a browser Service Worker that uses importScripts, self.addEventListener'fetch'|'install'|'activate',...
MAL-2026-6135 Malicious code in ratelimitsucks (npm)
Source: amazon-inspector 44ed99ce54c3f8b6fa4f1bfa207a593bbf0d441c9eeee7d29dbc991098f8e12f Package is not a library. main points at sw.js, a browser Service Worker that uses importScripts, self.addEventListener'fetch'|'install'|'activate',...
Malicious code in ratelimitsucks6 (npm)
Source: amazon-inspector c9f1a5d26cc0e6845ca6fae686a98462270a61b1d97d9ceb834f5046808ffdd0 ratelimitsucks6 is one variant in a numerically-iterated family ratelimitsucks1, ratelimitsucks2,... generated by auto-publish.sh shipped inside the...
MAL-2026-6136 Malicious code in ratelimitsucks6 (npm)
Source: amazon-inspector c9f1a5d26cc0e6845ca6fae686a98462270a61b1d97d9ceb834f5046808ffdd0 ratelimitsucks6 is one variant in a numerically-iterated family ratelimitsucks1, ratelimitsucks2,... generated by auto-publish.sh shipped inside the...
Malicious code in abuden221 (npm)
Source: amazon-inspector fbd19b84f2238fb96214c792d294b1ac0e114103c238ddf040a7960377d78f90 The tarball is a static-site / web-proxy build index.html, /assets/.js bundles with obfuscated names, a .well-known/discord verification file, brandin...
Malicious code in abuden22 (npm)
Source: amazon-inspector 1c6b2d1b9158b6a3652850cdee84fd448567fc6d8187e685ee0b85eb8d594f57 The tarball contains a static-site bundle index.html, obfuscated asset chunks, service worker sw.js, and the MercuryWorkshop/Scramjet web-proxy bundl...
MAL-2026-6129 Malicious code in abuden22 (npm)
Source: amazon-inspector 1c6b2d1b9158b6a3652850cdee84fd448567fc6d8187e685ee0b85eb8d594f57 The tarball contains a static-site bundle index.html, obfuscated asset chunks, service worker sw.js, and the MercuryWorkshop/Scramjet web-proxy bundl...
MAL-2026-6130 Malicious code in abuden221 (npm)
Source: amazon-inspector fbd19b84f2238fb96214c792d294b1ac0e114103c238ddf040a7960377d78f90 The tarball is a static-site / web-proxy build index.html, /assets/.js bundles with obfuscated names, a .well-known/discord verification file, brandin...
Malicious code in abuden218 (npm)
Source: amazon-inspector 5215a61abda9d84fd39b739be57d465fddcf6561219deddfe212538607de0c66 Package is published under a deceptive identity. package.json declares main=sw.js, but sw.js is a service-worker entry importScripts that throws when...
MAL-2026-6128 Malicious code in abuden218 (npm)
Source: amazon-inspector 5215a61abda9d84fd39b739be57d465fddcf6561219deddfe212538607de0c66 Package is published under a deceptive identity. package.json declares main=sw.js, but sw.js is a service-worker entry importScripts that throws when...
Malicious code in panrouter-admin (npm)
Source: amazon-inspector 390c706978c9207807a0aeb4b1e3dfc500847828c23f5ffb06a14171ca8e51e6 panrouter-admin ships relayclient.cjs, which connects to a hardcoded WebSocket endpoint at wss://jiuling.xyz/ws, registers the host with an identity ...
MAL-2026-6134 Malicious code in panrouter-admin (npm)
Source: amazon-inspector 390c706978c9207807a0aeb4b1e3dfc500847828c23f5ffb06a14171ca8e51e6 panrouter-admin ships relayclient.cjs, which connects to a hardcoded WebSocket endpoint at wss://jiuling.xyz/ws, registers the host with an identity ...