Malicious code in snapshot-date (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 8e86008d35e5f11e68c465940563127cdc9ba1d4b2963f092914bf8e9ce2587b This campaign is built from two parts: 1 packages named like time-check-server, snapshot-photo contain an innocent-looking code that sends "date" to a remote...

cc.ddrpa.dorian.polystash:polystash-spring-boot-starter (=1.0.0), com.alibaba.fastjson2:fastjson2-extension (>=2.0.27 <=2.0.62) +39 more potentially affected by CVE-2025-12183 via org.lz4:lz4-pure-java (=1.8.0)

org.lz4:lz4-pure-java MAVEN version =1.8.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.lz4:lz4-pure-java and may be impacted: - cc.ddrpa.dorian.polystash:polystash-spring-boot-starter =1.0.0 - com.alibaba.fastjson2:fastjson2-extension =2.0.27,...

EUVD-2025-199243

Malicious code in uniswap-test-sdk-core npm...

MAL-2025-25599 Malicious code in lootsie-sdk-core-es5 (npm)

The package lootsie-sdk-core-es5 was found to contain malicious code...

MAL-2025-17325 Malicious code in com.microsoft.azure.spatial-anchors-sdk.core (npm)

The package com.microsoft.azure.spatial-anchors-sdk.core was found to contain malicious code...

MAL-2025-25755 Malicious code in mag-sdk-core (npm)

The package mag-sdk-core was found to contain malicious code...

Malicious code in mag-sdk-core (npm)

The package mag-sdk-core was found to contain malicious code...

MAL-2025-191679 Malicious code in amzclients-sdk (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 7918a5aab99f521336ce5a17ca3b3dae77256011f91ed8dc22c4d9a38123f539 This campaign is built from two parts: 1 packages named like time-check-server, snapshot-photo contain an innocent-looking code that sends "date" to a remote...

Malicious code in aliyun_sdk-core (RubyGems)

--- -= Per source details. Do not edit below this line.=-...

@sap-cloud-sdk/core (>=1.48.2-20210910061518.0 <=1.49.1-20210922143656.0), @sap/approuter (>=5.1.0 <=14.4.1) +12 more potentially affected by CVE-2023-49583 via @sap/xssec (>=1.3.0 <=3.5.0)

@sap/xssec NPM version =1.3.0, =1.48.2-20210910061518.0, =5.1.0, =2.2.3, =3.2.0, =0.0.2, =1.9.14, =1.14.1, =2.0.5, =1.0.0, =1.202002.1, =1.1.0, =0.1.92, =0.1.0, =0.4.1 Source cves: CVE-2023-49583 Source advisory: OSV:GHSA-P2VX-QJ66-88Q3...

ch.admin.bag.covidcertificate:sdk-core (>=1.1.0-dev-3 <=3.3.0-dev-54), com.augustcellars.cose:cose-java (>=1.0.0 <=1.1.0) +28 more potentially affected by CVE-2024-23684 via com.upokecenter:cbor (>=4.0.0 <=4.5)

com.upokecenter:cbor MAVEN version =4.0.0, =1.1.0-dev-3, =1.0.0, =1.2.0, =1.2.0, =1.5.0, =1.5.0, =1.5.0, =6.3.0-RC3, =6.3.0-RC3, =6.3.0-RC3, =1.7.1, =2.3.1, =2.4.0, =3.2.0 and more Source cves: CVE-2024-23684 Source advisory: OSV:GHSA-FJ2W-WFGV-MWQ6...

Improper Authorization in @sap-cloud-sdk/core

Affected versions of @sap-cloud-sdk/core do not properly validate JWTs. The verifyJwt function does not properly validate the URL from where the public verification key for the JWT can be downloaded. Any URL was trusted which makes it possible to provide a URL belonging to a manipulated JWT...