CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2 days ago•3 views

MAL-2026-5237 Malicious code in awaitly-mongo (npm)

--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security a6c7977dbc054cdb7fe56da0d2fbd26e2a6fed695deb4263ccbf4adfedd86acb The Miasma malware is a self-propagating worm that spreads across the npm registry by abusing weaponized binding.gyp files to achieve...

OSV•added 2 days ago•4 views

MAL-2026-5238 Malicious code in awaitly-postgres (npm)

OSV•added 2 days ago•3 views

MAL-2026-5215 Malicious code in autotel-backends (npm)

OSSF Malicious Packages•added 2 days ago•6 views

Malicious code in github-archiver (npm)

Vulnrichment•added 3 days ago•5 views

CVE-2026-41859

A network man-in-the-middle between nats-sync and the BOSH director can steal the director credentials Basic auth header or UAA client secret and can tamper with the VM list that is written into the NATS authorization file. Stolen credentials grant administrative director access...

7.8CVSS5.8AI score0.0001EPSS

Exploits0References1

Qualys Blog•added 5 days ago•9 views

The HazyBeacon Protocol – How Malware Weaponizes Amazon Web Services (AWS) Lambda Function URLs

Key Takeaways HazyBeacon CL-STA-1020 targets Southeast Asian government networks by abusing AWS Lambda Function URLs configured with AuthType: NONE as stealth command-and-control relays. Attackers use stolen IAM credentials to deploy Lambda functions that proxy malware communications through...

The Hacker News•added 2026/05/26 10:30 a.m.•24 views

MFA Prompt Bombing: Why Your Second Factor Isn't Saving You

Multi-factor authentication MFA was supposed to close a critical gap in identity security. It meant that, even if an attacker possessed the account credentials, they couldn't log in without the second factor. While that logic was sound, attackers have now figured out that they don't need to steal...

5.9AI score

HackRead•added 2026/05/20 12:32 p.m.•11 views

Verizon DBIR: AI Helped Hackers Exploit Vulnerabilities in 31% of Recent Breaches

Verizon DBIR 2026 reveals software vulnerabilities overtook stolen passwords in cyberattacks, with AI helping hackers exploit flaws within hours...

OSSF Malicious Packages•added 2026/05/19 6:58 p.m.•6 views

Malicious code in btd-smart (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3ad22b27351879a89349a1232ee5abb46bc589399ea710b9769526a8080b3199 The package presents itself as a clone of juliangruber/balanced-match stolen author identity 'Julian Gruber ', verbatim README, identical API renamed...

The Hacker News•added 2026/05/19 11:30 a.m.•10 views

The New Phishing Click: How OAuth Consent Bypasses MFA

In February 2026, a phishing-as-a-service PhaaS platform called EvilTokens went live. Within five weeks, it had compromised more than 340 Microsoft 365 organizations across five countries. The targets of the platform received a message asking them to enter a short code at microsoft.com/devicelogi...

5.9AI score

OSSF Malicious Packages•added 2026/05/19 12:0 a.m.•8 views

Malicious code in @antv/gl-matrix (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

OSSF Malicious Packages•added 2026/05/19 12:0 a.m.•10 views

Exploits0References5

Malicious code in @antv/g6-ssr (npm)

OSSF Malicious Packages•added 2026/05/19 12:0 a.m.•8 views

Exploits0References5

Malicious code in @antv/g-plugin-svg-picker (npm)