Malicious code in @cloudplatform-single-spa/secret-manager (npm)
Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...
Empty Password in Configuration File
Overview: org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration. Affected versions of this package are vulnerable to Empty Password in Configuration File through the GoogleSecretManagerV1AccessStrategy in the...
MAL-2026-3309 Malicious code in google-cloud-secret-manager-config-poc (npm)
Malicious npm package published by the microsop threat actor as part of a dependency-confusion campaign that impersonates internal tooling at Microsoft, Google Cloud, and PayPal, using inflated semver values (e.g. 99.9.x, 100.1.x) to win npm resolution against private internal packages. All packages...
MAL-2026-3000 Malicious code in xinference (PyPI)
Source: kam193 1d006f6a08c959393160456d4ace221fd165b6d609fc8356ebfb041979aef93d. Versions 2.6.0, 2.6.1, 2.6.2 were compromised. Following a malicious pull request that exfiltrated sensitive data from the CI runner, three malicious PyPI...
aws-secrets (>=0.1.0 <=0.1.1), aws-secretsmanager-cache (>=0.1.0 <=0.5.0) +4 more potentially affected by unknown CVE via aws-sdk-secretsmanager (>=0.0.25-alpha <=0.9.0)
aws-sdk-secretsmanager CARGO version =0.0.25-alpha, =0.1.0, =0.1.0, =0.1.0, =0.6.0, =2.0.0, =2.0.1 - secrets-manager-macro =0.1.0 Source cves: unknown CVE Source advisory: OSV:GHSA-G59M-GF8J-GJF5...
CVE-2025-54428 RevelaCode exposes Sensitive MongoDB Atlas URI in .env (potential credential leak)
RevelaCode is an AI-powered faith-tech project that decodes biblical verses, prophecies and global events into accessible language. In versions below 1.0.1, a valid MongoDB Atlas URI with embedded username and password was accidentally committed to the public repository. This could allow...
CVE-2025-54428
CVE-2025-54428 affects RevelaCode prior to 1.0.1. A valid MongoDB Atlas URI with embedded credentials was committed to the public repository, enabling potential unauthorized access to production or staging databases and possible data exfiltration, modification, or deletion. The issue is resolved ...
AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs
New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations. The vulnerability has been codenamed LeakyCLI by cloud security firm Orca. "Some...
envoy/server_fuzz_test: Heap-use-after-free in std::__1::__hash_iterator<std::__1::__hash_node<std::__1::__hash_value_type<std:
Project: https://github.com/envoyproxy/envoy.git Detailed report: https://oss-fuzz.com/testcase?key=5761881319407616 Project: envoy Fuzzer: libFuzzerenvoyserverfuzztest Fuzz target binary: serverfuzztest Job Type: libfuzzerasanenvoy Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash...