11 matches found
Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host
Summary: The clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. Affected packages: Only applicatio...
PT-2026-28602
Summary: The clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. Affected packages: Only applicatio...
MAL-2025-4073 Malicious code in create-qr-core (npm)
Source: ghsa-malware 58919bf64984f8dcdd4ec2802325f47fd7ef1a21aa8f1cb4d9c64549054122bc Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-3826 Malicious code in defipulse-adapters (npm)
Source: ghsa-malware 14d5536c5f6bcb7069516bd2682ee50724915e891c5f1aa5c68ef38d32f9e2d3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-1177 Malicious code in sol-wallet-adapter-example (npm)
Source: ghsa-malware 8b73b8c9916aaa68a346fd8bc05ae98f04028ce384654c5ece31bbf68657a7be Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-83 Malicious code in ebay-connect (npm)
Source: ghsa-malware 4d19ac42f1b12b95f81ed89c55872795f9fceb4ea498c981624eb1eb04828bcd Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2024-8539 Malicious code in @diotoborg/quae-vel (npm)
Source: ghsa-malware bb02f6892551fabf8edede99a4e58de6a15242ca7681930f78ae98c4c3a3e9cb Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2024-7806 Malicious code in overflood (npm)
Source: ghsa-malware 2742524e3d45bc5658d4f5feb0b8e3a1260967a2770e238934fa475a7e7e211b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-115 Malicious code in @azure-tests/perf-storage-file-share-track-1 (npm)
Source: ghsa-malware a77a70aec760d01762f6eea825194c2d558174a44b966b59043ce3f9424626f0 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-1227 Malicious code in azure-ai-form-recognizer (npm)
Source: ghsa-malware b16105a8fd2ecfc0ef734929e5c29a2ecf82852ce08f85eeeafd664643e61e81 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-2603 Malicious code in du_npm_integ (npm)
Source: ghsa-malware b2244883b8339efbd2bb7b97adb76d2fbf350e6b4913aa9907e6125a3ebc77aa Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...