84 matches found
Embedded Malicious Code
Overview: Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
Embedded Malicious Code
Overview: node-ipc is a Node.js module for local and remote Inter Process Communication (IPC), Neural Networking, and able to facilitate machine learning. Affected versions of this package are vulnerable to Embedded Malicious Code that conceals an advanced credential-stealing infostealer. A...
Embedded Malicious Code
Overview: Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...
Unity Linux 20.1060e / 20.1070e Security Update: rpm (UTSA-2026-017547)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017547 advisory. A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly...
CVE-2026-33467
Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing close...
CVE-2026-33467 Improper Verification of Cryptographic Signature in Elastic Package Registry Leading to Package Integrity Bypass
Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing close...
PT-2025-47339
Name of the Vulnerable Software and Affected Versions: GoSign Desktop versions 2.4.0 and earlier. Description: GoSign Desktop versions 2.4.0 and earlier utilize an unsigned update manifest for application updates. This manifest includes package URLs and SHA-256 hashes, but lacks digital signing,...
Malicious code in exoplanetology-superflare-webdriver-manager-ablation (npm)
Source: amazon-inspector 800b42a3bfdd28d0c3ac9ded87a82fc2ba32435358b33137c1041c7234b418bf This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in pi-compress-grid-class-fast (npm)
Source: amazon-inspector 13a6d671c689d2c3dfcd0d0dbaee3226495d7038edcc575e8554523c622d82ab This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-187649 Malicious code in jwt-rest-jest-pm2 (npm)
Source: amazon-inspector 02d14fa447358c02a9d824fc3d31f4bf2eb4969999e71f2031f7f9dbacb0e360 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-188538 Malicious code in paleontology-sublimation-europa-backend (npm)
Source: amazon-inspector 728852e6894f3773a238ae2b14622827618e7e93dec54e4f2b126446b439cd68 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-186048 Malicious code in centauri-leda-playwright-cygnus (npm)
Source: amazon-inspector 7671ad2b6e8453e44752aa7977970a925b638a23e89cc48acf0f5ed0d5abd921 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-187161 Malicious code in geodynamo-callback-less-eclipse (npm)
Source: amazon-inspector 45c4458ad3238e5de7a67c222d870ebe2709d938149bc1b8763330abcf4a23e5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...