Lucene search
K

16 matches found

EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2024-0695

Malicious code in bioql PyPI...

7.5CVSS5.7AI score0.00553EPSS
Exploits1References5
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2024-1009

Malicious code in bioql PyPI...

7.1CVSS6.8AI score0.00666EPSS
Exploits1References6
The Hacker News
The Hacker News
added 2025/08/01 12:20 p.m.10 views

AI-Generated Malicious npm Package Drains Solana Funds from 1,500+ Before Takedown

Cybersecurity researchers have flagged a malicious npm package that was generated using artificial intelligence AI and concealed a cryptocurrency wallet drainer. The package, @kodane/patch-manager, claims to offer "advanced license validation and registry optimization utilities for high-performan...

7.2AI score
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/23 10:10 a.m.7 views

CVE-2024-31455

Minder by Stacklok is an open source software supply chain security platform. A refactoring in commit 5c381cf added the ability to get GitHub repositories registered to a project without specifying a specific provider. Unfortunately, the SQL query for doing so was missing parenthesis, and would...

4.3CVSS7.3AI score0.00765EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 7:12 a.m.9 views

CVE-2024-35185

Minder is a software supply chain security platform. Prior to version 0.0.49, the Minder REST ingester is vulnerable to a denial of service attack via an attacker-controlled REST endpoint that can crash the Minder server. The REST ingester allows users to interact with REST endpoints to fetch dat...

5.3CVSS6.9AI score0.00465EPSS
Exploits0References1
The Hacker News
The Hacker News
added 2025/03/15 5:55 a.m.34 views

Malicious PyPI Packages Stole Cloud Tokens—Over 14,100 Downloads Before Removal

Cybersecurity researchers have warned of a malicious campaign targeting users of the Python Package Index PyPI repository with bogus libraries masquerading as "time" related utilities, but harboring hidden functionality to steal sensitive data such as cloud access tokens. Software supply chain...

7.4AI score
Exploits0
CVE
CVE
added 2025/02/24 8:59 p.m.59 views

CVE-2025-27137

Summary: CVE-2025-27137 affects Dependency-Track where templates are evaluated with Pebble and can be manipulated via the include tag. Prior to version 4.12.6, users with the SYSTEM_CONFIGURATION permission could exploit include to read arbitrary local files (e.g., /etc/passwd, /proc/1/environ) b...

4.4CVSS6.5AI score0.00175EPSS
Exploits0References6
Schneier on Security
Schneier on Security
added 2025/02/12 12:9 p.m.10 views

Delivering Malware Through Abandoned Amazon S3 Buckets

Here's a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the projects don't realize that they have been abandoned, and still...

7.5AI score
Exploits0
Vulnrichment
Vulnrichment
added 2024/05/27 5:12 p.m.14 views

CVE-2024-35238 Denial of service of Minder Server from maliciously crafted GitHub attestations

Minder by Stacklok is an open source software supply chain security platform. Minder prior to version 0.0.51 is vulnerable to a denial-of-service DoS attack which could allow an attacker to crash the Minder server and deny other users access to it. The root cause of the vulnerability is that...

5.3CVSS6.8AI score0.0053EPSS
Exploits0References3
The Hacker News
The Hacker News
added 2024/04/27 5:12 a.m.41 views

Bogus npm Packages Used to Trick Software Developers into Installing Malware

An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor. Cybersecurity firm Securonix is tracking the activity under the name DEVPOPPER, linking it to North Korean threat...

7AI score
Exploits0
CVE
CVE
added 2024/03/06 8:21 p.m.75 views

CVE-2024-27916

Minder prior to version 0.0.33 is affected by an access-control flaw where authenticated users can leverage GetRepositoryByName, DeleteRepositoryByName, and GetArtifactByName to access any repository in the database. The underlying issue is that the DB query checks repo owner, repo name, and prov...

7.1CVSS6.8AI score0.00666EPSS
Exploits1References4Affected Software1
The Hacker News
The Hacker News
added 2023/08/23 6:33 a.m.48 views

Over a Dozen Malicious npm Packages Target Roblox Game Developers

More than a dozen malicious packages have been discovered on the npm package repository since the start of August 2023 with capabilities to deploy an open-source information stealer called Luna Token Grabber on systems belonging to Roblox developers. The ongoing campaign, first detected on August...

7.1AI score
Exploits0
The Hacker News
The Hacker News
added 2023/03/24 1:40 p.m.92 views

Malicious Python Package Uses Unicode Trickery to Evade Detection and Steal Data

A malicious Python package on the Python Package Index PyPI repository has been found to use Unicode as a trick to evade detection and deploy an info-stealing malware. The package in question, named onyxproxy, was uploaded to PyPI on March 15, 2023, and comes with capabilities to harvest and...

7.1AI score
Exploits0
The Hacker News
The Hacker News
added 2022/12/24 12:51 p.m.33 views

W4SP Stealer Discovered in Multiple PyPI Packages Under Various Names

Threat actors have published yet another round of malicious packages to Python Package Index PyPI with the goal of delivering information-stealing malware on compromised developer machines. Interestingly, while the malware goes by a variety of names like ANGEL Stealer, Celestial Stealer, Fade...

0.5AI score
Exploits0
The Hacker News
The Hacker News
added 2022/10/12 2:28 p.m.31 views

Scribe Platform: End-to-end Software Supply Chain Security

As software supply chain security becomes more and more crucial, security, DevSecOps, and DevOps teams are more challenged than ever to build transparent trust in the software they deliver or use. In fact, in Gartner recently published their 2022 cybersecurity predictions - not only do they...

7.6AI score
Exploits0
Rapid7 Blog
Rapid7 Blog
added 2021/06/01 12:30 p.m.40 views

How the Biden Administration's cybersecurity order will affect companies

“It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.” The Biden Administration recently issued Executive Order EO 14028, “Improving the Nation’s Cybersecurity,” to...

7.2AI score
Exploits0
Rows per page
Query Builder