CVE-2026-35589

nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking CSWSH vulnerability exists in the bridge's WebSocket server in bridge/src/server.ts, resulting from an incomplete remediation of CVE-2026-2577. The original fix changed the binding from 0.0.0.0 to...

MAL-2026-4443 Malicious code in @shinzepelly/libsignal-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 957954ced5e6fb2e8ab6a666adf496ca2edc7575a4e202b593d6698b5d89809f Package impersonates the legitimate libsignal-node library description copied verbatim: "Open Whisper Systems' libsignal for Node.js" under an...

Malicious code in alya-baileys (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 473103f2220a0215abf49be7e46ec1748052935ce188e0eee6ded08af7b47cf1 alya-baileys is a fork of the Baileys WhatsApp library that adds a hidden, remotely-controlled action channel against the installer's authenticated...

MAL-2026-4478 Malicious code in alya-baileys (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 473103f2220a0215abf49be7e46ec1748052935ce188e0eee6ded08af7b47cf1 alya-baileys is a fork of the Baileys WhatsApp library that adds a hidden, remotely-controlled action channel against the installer's authenticated...

CVE-2026-35589

nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking CSWSH vulnerability exists in the bridge's WebSocket server in bridge/src/server.ts, resulting from an incomplete remediation of CVE-2026-2577. The original fix changed the binding from 0.0.0.0 to...

CVE-2026-2577

The CVE concerns Nanobot’s WhatsApp bridge component, where the WebSocket server binds to all interfaces (0.0.0.0) on port 3001 by default and requires no authentication. An unauthenticated remote attacker with network access to the bridge can connect to the WebSocket server to hijack the WhatsAp...