MAL-2026-4853 Malicious code in @service-suppliers/set_selected_supplier_action_saga (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7dd674623e86de8efd6f88b138b7e387d1b96e80c48d9a6e8ab81e0189fcf990 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3839 Malicious code in @antv/x6 (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

CISA Admin Leaked AWS GovCloud Keys on Github

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency CISA maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive...

CVE-2026-40981

When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure in the Engine::error function. An attacker can obtain sensitive information, such as absolute filesystem paths, secrets embedded in exception messages, and internal module structure, by triggering an uncaught...

CVE-2026-32690

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to...

CVE-2026-35484

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in loadpreset allows reading any .yaml file on the server filesystem. The parsed YAML key-value pairs including passwords, API keys, connection...

CVE-2026-35484

The CVE-2026-35484 issue affects text-generation-webui, an open-source web interface for running LLMs. It describes a path traversal vulnerability in the load_preset() function present before version 4.3, which allows an unauthenticated attacker to read any .yaml file on the server filesystem. Th...

CVE-2026-35484 text-generation-webui has a Path Traversal in load_preset() — .yaml file read without authentication

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in loadpreset allows reading any .yaml file on the server filesystem. The parsed YAML key-value pairs including passwords, API keys, connection...

Malicious code in strapi-plugin-hextest (npm)

strapi-plugin-hextest is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology...

MAL-2026-2462 Malicious code in strapi-plugin-form (npm)

strapi-plugin-form is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology. I...

EUVD-2026-13501

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting XSS vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the...

CVE-2026-1699

In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pullrequesttarget trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to...

EUVD-2026-1462

Shakapacker has environment variable leak via EnvironmentPlugin that exposes secrets to client-side bundles...

CVE-2025-64305

The connected sources describe a vulnerability in Columbia Weather Systems MicroServer where portions of the system firmware are copied to an unencrypted external SD card on boot, exposing user and vendor secrets in plaintext. This exposure could enable an attacker on the local network with admin...

CVE-2025-64305 Columbia Weather Systems MicroServer Cleartext Storage in a File or on Disk

MicroServer copies parts of the system firmware to an unencrypted external SD card on boot, which contains user and vendor secrets. An attacker can utilize these plaintext secrets to modify the vendor firmware, or gain admin access to the web portal...

EUVD-2025-202454

PagerDuty Runbook through 2025-06-12 exposes stored secrets directly in the webpage DOM at the configuration page. Although these secrets appear masked as password fields, the actual secret values are present in the page source and can be revealed by simply modifying the input field type from...

CVE-2025-20373 Sensitive Information Disclosure in “_internal“ index through Splunk Add-On for Palo Alto Networks

In Splunk Add-on for Palo Alto Networks versions below 2.0.2, the add-on exposes client secrets in plain text in the internal index during the addition of new “Data Security Accounts“. The vulnerability would require either local access to the log files or administrative access to internal indexe...

MAL-2025-190657 Malicious code in @asyncapi/generator-helpers (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1fb4a795f9e4f1dc8304d727b4b4a4b6d4024952675eb497e79b9f78fa2b96ca The package @asyncapi/generator-helpers was found to contain malicious code. Source: ghsa-malware...

MAL-2025-47373 Malicious code in @art-ws/config-ts (npm)

The package was compromised and malicious code added. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e845947405bf6a59280848d6a325827b53bdca23c8a3b28e4db032075842cccb Any computer that has this package installed or running should be considered fully compromised. All...