
134 matches found

OSSF Malicious Packages
added 2026/05/26 12:59 a.m., 9 views

Malicious code in zkjson (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 758a19e42db66cf6ae7a08d462278b30e3a154b56613d2d95f8020de3add3816 package.json declares "preinstall": "./.github/scripts/precheck", pointing to a 976 KB Linux ELF executable sha256...

6.3 AI score
Exploits 0, References 1
GithubExploit
added 2026/05/19 1:30 a.m., 52 views

midnight-ownpublickey-attack

Bounty 295: Why ownPublicKey Can't Be Trusted for Access...

6.2 AI score
Exploits 0
GithubExploit
added 2026/05/14 9:41 p.m., 49 views

OrchidMantis

Orchid Mantis A Framework for ZKPoX — Zero-Knowledge Proof...

7.5 CVSS, 6.9 AI score, 0.0266 EPSS
Exploits 2
RedhatCVE
added 2026/04/20 7:22 p.m., 1 view

CVE-2026-40323

SP1 is a zero‑knowledge virtual machine that proves the correct execution of programs compiled for the RISC-V architecture. In versions 6.0.0 through 6.0.2, a soundness vulnerability in the SP1 V6 recursive shard verifier allows a malicious prover to construct a recursive proof from a shard proof...

8.9 CVSS, 5.9 AI score, 0.00011 EPSS
Exploits 0, References 1
CNNVD
added 2026/04/18 12:0 a.m., 4 views

SP1 Security Vulnerability

SP1 is an open-source zero-knowledge virtual machine developed by Succinct. Versions 6.0.0 to 6.0.2 of SP1 contain security vulnerabilities. These vulnerabilities stem from defects in the recursive sharding verifier, which could allow malicious provers to construct invalid proofs...

8.9 CVSS, 5.8 AI score, 0.00011 EPSS
Exploits 0, References 2
CVE
added 2026/04/17 10:58 p.m., 7 views

CVE-2026-40323

SP1 (zero‑knowledge VM) has a soundness vulnerability in the V6 recursive shard verifier affecting versions 6.0.0–6.0.2, allowing a malicious prover to construct a recursive proof from a shard proof that the native verifier would reject. The issue is fixed in version 6.1.0. Impact is described as...

8.9 CVSS, 5.9 AI score, 0.00011 EPSS
Exploits 0, References 2, Affected Software 1
Malwarebytes
added 2026/02/23 12:45 p.m., 4 views

Password managers keep your passwords safe, unless…

I’m a big advocate of password managers. Granted, there are better alternatives for passwords like passkeys, but if a provider offers nothing but password options, which many do, you can’t do much about that. So, for the time being we seem to be stuck with passwords. Every reputable password...

5.6 AI score
Exploits 0
NVD
added 2026/02/23 6:16 a.m., 1 view

CVE-2026-2974

A vulnerability was identified in AliasVault App up to 0.25.3 on Android/iOS. This vulnerability affects unknown code of the file sharedprefs/aliasvault.xml of the component Backup Handler. The manipulation of the argument accessToken/refreshToken/metadata/keyderivationparams/authmethods leads to...

2.5 CVSS, 0.00012 EPSS
Exploits 0, References 9
ATTACKERKB
added 2026/02/23 5:32 a.m., 4 views

CVE-2026-2974

A vulnerability was identified in AliasVault App up to 0.25.3 on Android/iOS. This vulnerability affects unknown code of the file sharedprefs/aliasvault.xml of the component Backup Handler. The manipulation of the argument accessToken/refreshToken/metadata/keyderivationparams/authmethods leads to...

2.5 CVSS, 4.1 AI score, 0.00012 EPSS
Exploits 0, References 9
Vulnrichment
added 2026/02/20 2:11 p.m., 3 views

CVE-2025-14547 ECJ-PAKE Integer Underflow Vulnerability in Silicon Labs PSA Crypto and SE Manager APIs

An integer underflow vulnerability is present in Silicon Lab’s implementation of PSA Crypto and SE Manager EC-JPAKE APIs during ZKP parsing. Triggering the underflow can lead to a hard fault, causing a temporary denial of service...

2.3 CVSS, 5.6 AI score, 0.00071 EPSS
Exploits 0, References 1
CVE
added 2026/02/20 2:11 p.m., 8 views

CVE-2025-14547

CVE-2025-14547 : An integer underflow in Silicon Labs’ PSA Crypto and SE Manager EC‑JPAKE APIs during ZKP parsing can trigger a hard fault, causing a temporary denial of service. Affected: Silicon Labs PSA Crypto and SE Manager EC‑JPAKE APIs. Root cause: integer underflow during ZKP parsing. Impa...

2.3 CVSS, 5.6 AI score, 0.00071 EPSS
Exploits 0, References 1
Positive Technologies
added 2026/02/20 12:0 a.m., 2 views

PT-2026-21016

Name of the Vulnerable Software and Affected Versions: Silicon Labs PSA Crypto and SE Manager versions, affected versions not specified. Description: An integer underflow issue exists in the EC-JPAKE APIs during ZKP parsing within Silicon Labs’ PSA Crypto and SE Manager implementation. Exploitation o...

2.3 CVSS, 5.2 AI score, 0.00071 EPSS
Exploits 0, References 3
CNNVD
added 2026/02/20 12:0 a.m., 6 views

Silicon Labs Gecko SDK and Silicon Labs Simplicity SDK Security Vulnerability

The Silicon Labs Gecko SDK GSDK and Silicon Labs Simplicity SDK are both open-source products from Silicon Labs. The Silicon Labs Gecko SDK is a library that combines the Silicon Labs wireless software development kit SDK with the Gecko platform into an integrated software package. The Silicon La...

2.3 CVSS, 5.8 AI score, 0.00071 EPSS
Exploits 0, References 1
Packet Storm News
added 2026/02/17 12:0 a.m., 3 views

Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers

Zero Knowledge Encryption is a term widely used by vendors of cloud-based password managers. Although it has no strict technical meaning, the term conveys the idea that the server, who stores encrypted password vaults on behalf of users, is unable to learn anything about the contents of those...

5.5 AI score
Exploits 0
The Hacker News
added 2026/02/16 6:6 p.m., 6 views

Study Uncovers 25 Password Recovery Attacks in Major Cloud Password Managers

A new study has found that multiple cloud-based password managers, including Bitwarden, Dashlane, and LastPass, are susceptible to password recovery attacks under certain conditions. "The attacks range in severity from integrity violations to the complete compromise of all vaults in an...

6.2 AI score
Exploits 0
Packet Storm News
added 2026/02/12 12:0 a.m., 3 views

Verifiable Provenance of Software Artifacts with Zero-Knowledge Compilation

Verifying that a compiled binary originates from its claimed source code is a fundamental security requirement, called source code provenance. Achieving verifiable source code provenance in practice remains challenging. The most popular technique, called reproducible builds, requires difficult...

5.7 AI score
Exploits 0
Packet Storm News
added 2026/01/11 12:0 a.m., 3 views

LINEture: Novel Signature Cryptosystem

We propose a novel digital signature cryptosystem that exploits the concept of the brute-force problem. To ensure the security of the cryptosystem, we employed several mechanisms: sharing a common secret for factorable permutations, associating permutations with the message being signed, and...

7 AI score
Exploits 0
Packet Storm News
added 2026/01/10 12:0 a.m., 2 views

ZkRansomware: Proof-Of-Data Recoverability and Multi-Round Game Theoretic Modeling of Ransomware Decisions

Ransomware is still one of the most serious cybersecurity threats. Victims often pay but fail to regain access to their data, while also facing the danger of losing data privacy. These uncertainties heavily shape the attacker-victim dynamics in decision-making. In this paper, we introduce and...

6.7 AI score
Exploits 0
The Hacker News
added 2025/12/23 11:30 a.m., 9 views

Passwd: A walkthrough of the Google Workspace Password Manager

Passwd is designed specifically for organizations operating within Google Workspace. Rather than competing as a general consumer password manager, its purpose is narrow, and business-focused: secure credential storage, controlled sharing, and seamless Workspace integration. The platform emphasize...

6.4 AI score
Exploits 0
RedhatCVE
added 2025/11/26 8:1 p.m., 4 views

CVE-2025-66016

CGGMP24 is a state-of-art ECDSA TSS protocol that supports 1-round signing requires 3 preprocessing rounds, identifiable abort, and a key refresh protocol. Prior to version 0.6.3, there is a missing check in the ZK proof that enables an attack in which single malicious signer can reconstruct full...

9.3 CVSS, 6.6 AI score, 0.00031 EPSS
Exploits 0, References 1