20882 matches found
Malicious code in ai-pro-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b035f137addcf0118c3d042ece322d0fdde054e4ed283317d3b2adb309e38689 [email protected] is advertised as a Vercel AI SDK provider for Claude via the Claude Agent SDK, but the published tarball ships no code: package.json...
Malicious code in eth-lib-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 13895e2e8ee4aa9683c2fd6f0f873a38b19bbc5af207233e22c51668bc7dba41 Package [email protected] impersonates @ethereumjs/util / ethereumjs-util README, author list, repository URL, and source tree copied from the...
Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages
Unknown threat actors compromised the Injective Labs SDK project's GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases. The compromised version, @injectivelabs/[email protected] , came embedded wi...
Malicious code in cookie-parser-js (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c6c2bd7c1b5b363e72753401f6edebf816965a625227e6523210e4620ce9bb8a cookie-parser-js impersonates the widely used cookie-parser package: it copies TJ Holowaychuk / Doug Wilson author metadata, the description, the...
Malicious code in nodemon-gulp (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 18cfb051ae84a8ed00bba3ae1eaf7720ec6479a402ae0540c6d66a7fa304f52a Package is published as nodemon-gulp but its contents are a verbatim copy of the upstream nodemon project: package.json declares author: Remy Sharp,...
UBUNTU-CVE-2026-58501
Zeep is a Python SOAP client. From 4.0.0 before 4.3.3, Settings.forbidexternal is defined but not enforced when parsing WSDL or XSD documents, allowing transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker-chosen HTTP or HTTPS URLs. This issue is fix...
CVE-2026-59948 Composer: Arbitrary file write outside vendor via malicious transitive package name
Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a maliciously crafted package from an untrusted repository other than Packagist.org or Private Packagist can cause Composer to write attacker-controlled files outside the vendor directory and outside the project...
CVE-2026-59948
CVE-2026-59948 affects Composer (PHP dependency manager). A malicious package from an untrusted repo (not Packagist.org/Private Packagist) with an invalid name could cause install/update to write attacker-controlled files outside the vendor directory and project. Root cause: failure to validate t...
CVE-2026-59948 Composer: Arbitrary file write outside vendor via malicious transitive package name
Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a maliciously crafted package from an untrusted repository other than Packagist.org or Private Packagist can cause Composer to write attacker-controlled files outside the vendor directory and outside the project...
CVE-2026-58501
Zeep (Python SOAP client) is affected in versions 4.0.0 through before 4.3.3, where Settings.forbid_external is defined but not enforced during WSDL/XSD parsing. This allows transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker‑controlled HTTP/HTTPS ...
pnpm < 10.34.0 / 11.x < 11.4.0 Multiple Vulnerabilities
The version of pnpm installed on the remote host is prior to 10.34.0, or 11.x prior to 11.4.0. It is, therefore, affected by multiple vulnerabilities: - pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses tha...
CVE-2026-13149
A flaw was found in brace-expansion. An attacker can exploit a vulnerability in the expand function by providing a specially crafted string. This string, containing consecutive non-expanding brace groups, can trigger exponential-time complexity, leading to significant CPU consumption and event-lo...
Malicious code in thirdwb (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. thirdwb is a typosquat of the legitimate thirdweb package. It uses a side-loader technique, pulling in log-taker as a transitive dependency; the infostealer runs automatically via that dependency's...
coati-payroll (>=1.0.1 <=1.10.0), now-lms (>=1.0.3 <=1.2.3) +1 more potentially affected by CVE-2026-27641 via flask-reuploaded (>=1.2.0 <=1.4.0)
flask-reuploaded PYPI version =1.2.0, =1.0.1, =1.0.3, =4.6.1, =5.0.0 Source cves: CVE-2026-27641 Source advisory: OSV:PYSEC-2026-341...
EUVD-2026-39494
pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement...
CVE-2026-50016
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can...
CVE-2026-50016
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can...
CVE-2026-50016 pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can...
CVE-2026-50016
pnpm (the package manager) is affected by CVE-2026-50016. Before versions 10.34.0 and 11.4.0, a transitive dependency alias from registry metadata could include path traversal segments. During install, pnpm may treat that alias as a filesystem path when linking dependency nodes, allowing a regist...
CVE-2026-50016 pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can...