7 matches found
CVE-2026-13323
In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can register a publisher account, upload a VSIX...
CVE-2026-13323
In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can register a publisher account, upload a VSIX...
MAL-2026-5918 Malicious code in nottuff7 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 15a5e98054661d6eea29d8120457ffc7e00d7b516223a5fa6ec91355e9434652 The tarball ships auto-publish.sh, a script that republishes the same payload under 100 distinct npm names ishowfeet1-ishowfeet20, nottuff1-nottuff30...
Malicious code in @link-assistant/hive-mind (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7dfeaad3a9eda8f440dabe165d4ff6ba593c9858b9752d9bded19b05b292072a The package fetches https://unpkg.com/use-m/use.js — an unpinned URL that resolves to the latest published version of the third-party use-m package —...
175 Malicious npm Packages with 26,000 Downloads Used in Credential Phishing Campaign
Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign. The packages have been collectively downloaded 26,000 times, acting as an infrastructure for a widespread...
MAL-2022-696 Malicious code in @unpkg-semver/pedops-logger (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e7b5459fd755d4527552fb55fb90015ab04eee1a1afd2678656b04c0ea32ec19 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-697 Malicious code in @unpkg-semver/wix-recorder (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 910f14b4935796b6ad35693ca2a4f0c5d3c04eefe4ebd6da1e7b75cfc03fb1fe Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...