616 matches found
MAL-2025-148098 Malicious code in spawn-io-cosmiconfig-jest (npm)
Source: amazon-inspector f9e6b201351a9a51dd4418072852271e69f95ab27e86b442ea8598d9ae40f2b8 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in vortex-norma-spawn-fusion (npm)
Source: amazon-inspector 6d9871526da17ffbeb1990534998c1ea3e9b0812ae4bbd2867c1b095eabba085 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in spawn-figures-async-loglevel (npm)
Source: amazon-inspector 56662d4f8f23678a960291b8d19f3aa545e75a2346fcb87bce99a7c591855648 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in upgrade-spawn-server-inquirer (npm)
Source: amazon-inspector 1a6ae84aa5b7fe85307aa839241cc7ad1bc03413134bad3133d229dd5cb63412 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-131184 Malicious code in wati-nasi31-riris (npm)
Source: amazon-inspector 22b62bdd8bb3ef3715ffb99157ce4556fff230a13a94a9e9386c3fbdf826b89f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-76173 Malicious code in wawan-kacang97-breki (npm)
Source: amazon-inspector 5c3481849aeccab32d0e4fc8feb25e14eaaf16132ea6d85fa2eb9251ae40c667 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in iwan-telur91-sukiwir (npm)
Source: amazon-inspector a0948d6b17113169f89a36c7f264cb43c47f816c5d57f124e302327a478c053b This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in tiara-miemee99-sukiwir (npm)
Source: amazon-inspector 37002bc3d9b417de9102e657e18767c1a66286588e129bc5609c25d689f932f1 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which are vulnerable to CVEs.
Summary IBM Maximo Application Suite uses "form-data 4.0.0, org.apache.cxfcxf-core 3.6.7 , net/http/internal v1.24.1, braces 3.0.2 , cross-spawn 7.0.3 , crypto/x509 1.24.1 1.24.3 , github.com/golang-jwt/jwt/v4 github.com/golang-jwt/jwt/v5 v4.5.0 v5.2.1 , httpd 2.4.37 , setuptools 78.0.2 75.8.0 ,...
Security Bulletin: IBM Maximo Application Suite - Manage Component uses cross-spawn-6.0.5.tgz which is vulnerable to CVE-2024-21538
Summary Security Bulletin: IBM Maximo Application Suite - Manage Component uses cross-spawn-6.0.5.tgz which is vulnerable to CVE-2024-21538. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID: CVE-2024-21538 DESCRIPTION: Versions of the...
NewStart CGSL MAIN 7.02 : nodejs Vulnerability (NS-SA-2025-0245)
The remote NewStart CGSL host, running version MAIN 7.02, has nodejs packages installed that are affected by a vulnerability: - Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input...
happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
Summary The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads. Details The untrusted script and the rest of the application still run in the same Isolate/process, s...
GHSA-QPM2-6CQ5-7PQ5 happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
Summary The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads. Details The untrusted script and the rest of the application still run in the same Isolate/process, s...
EUVD-2019-3855
Malware in sbrugna...
EUVD-2021-0530
Malware in sbrugna...
EUVD-2016-7716
Malware in sbrugna...
EUVD-2016-7715
Malware in sbrugna...
Unity Linux 20.1070a Security Update: kernel (UTSA-2025-986306)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-986306 advisory. In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix bad pointer dereference when ehandler kthread is invalid Commit 66a834d09293 scsi...
EUVD-2024-3189
Malicious code in bioql PyPI...
EUVD-2022-6402
Malicious code in bioql PyPI...