3 matches found
IPAM controller service account granted unnecessary full access to Secrets
Impact: IPAM is the IP Address Manager for Cluster API Provider Metal3. The IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were...
CVE-2025-55285 @backstage/plugin-scaffolder-backend Template Secret Leakage in Logs in Scaffolder When Using `fetch:template`
@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the `fetch:template` action in the Scaffolder meant that some of the secrets were not properly redacted. If $ secrets.x is not passed...
MAL-2025-165 Malicious code in bbc-http-client (npm)
Source: ghsa-malware (607310f08b0c054bccf0fd5902e86de74b458d5c11110bdb411ac30b04c0db95). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...