Supply Chain Attack Hits Rspack, Vant npm Packages with Monero Miner
Popular npm packages, Rspack and Vant, were recently compromised with malicious code. Learn about the attack, the impact, and how to protect your projects from similar threats...
in youzan/vant
✍️ Description: The @vant/cli package is vulnerable to Regular Expression Denial of Service (ReDoS). An attacker who is able to supply a crafted string as input to the decamelize function may cause the application to consume an excessive amount of CPU. Below pinned line using vulnerable regex...
0526caikuai-kb (=1.0.0), 51kkappframework (>=1.0.0 <=1.0.6) +1473 more potentially affected by unknown CVE via vant (>=0.10.9 <=2.1.7)
vant NPM version =0.10.9, =1.0.0, =1.0.0-1e3ea9, =1.0.2-5e5425, =0.1.55, =0.4.2-0.0.1, =0.4.2-0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1-alpha, =0.0.26 and more Source cves: unknown CVE Source advisory: OSV:GHSA-9XR8-8HMC-389F...
GHSA-9XR8-8HMC-389F: Cross-Site Scripting in vant
Versions of vant prior to 2.1.8 are vulnerable to Cross-Site Scripting. The text value of the Picker component column is not sanitized, which may allow attackers to execute arbitrary JavaScript in a victim's browser. Recommendation: Upgrade to version 2.1.8 or later...