Malicious 󠅮󠅰󠅭Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious 󠅮󠅰󠅭Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious 󠅮󠅰󠅭Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious 󠅮󠅰󠅭Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Arbitrary File Write

Overview Versions of iobroker.admin prior to 3.6.12 are vulnerable to Path Traversal. The package fails to restrict access to folders outside of the intended folder in the /log/ route, which may allow attackers to include arbitrary files in the system. An attacker would need to be authenticated t...

Machine-In-The-Middle

Overview All versions of lix are vulnerable to Machine-In-The-Middle. The package accepts downloads with http and follows location header redirects for package downloads. This allows for an attacker in a privileged network position to intercept a lix package installation and redirect the download...

Machine-In-The-Middle

Overview Versions of https-proxy-agent prior to 2.2.3 are vulnerable to Machine-In-The-Middle. The package fails to enforce TLS on the socket if the proxy server responds the to the request with a HTTP status different than 200. This allows an attacker with access to the proxy server to intercept...

Improper Key Verification

Overview Versions of openpgp prior to 4.2.0 are vulnerable to Improper Key Verification. The OpenPGP standard allows signature packets to have subpackets which may be hashed or unhashed. Unhashed subpackets are not cryptographically protected and cannot be trusted. The openpgp package does not...

Sensitive Data Exposure

Overview Versions of seneca prior to 3.9.0 are vulnerable to Sensitive Data Exposure. When a process using the package crashes all environment variables are printed. This may leak sensitive data such as access keys, especially given scenarios when log-monitoring systems store the error output...

Cross-Site Scripting

Overview All versions of status-board are vulnerable to Cross-Site Scripting. The renderJsDashboard function concatenates the safeDashboard variable to the HTTP response message with insufficient sanitization. If this variable is controlled by user input it may allow attackers to execute arbitrar...

Path Traversal

Overview All versions of statichttpserver are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths. Recommendation No fix is currently available. Consider using an alternative package until a...

Denial of Service

Overview Versions of parse-server prior to 3.4.1 are vulnerable to Denial of Service DoS. POST requests to /parse/classes/Audience or other volatile classes cause the server to respond with a 500 Internal Server Error for any subsequent POST requests. Recommendation Upgrade to version 3.4.1 or...

Sensitive Data Exposure

Overview Versions of msrcrypto prior to 1.4.1 are vulnerable to Sensitive Data Exposure. The package's Elliptic Curve Cryptography ECC implementation may leak information about a server's private ECC key. It can also allow attackers to craft invalid ECDSA signatures that pass as valid. There is n...

Cross-Site Scripting

Overview All versions of http-file-server are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation No fix is currently availabl...

Path Traversal

Overview Versions of serve-here.js prior to 1.2.0 are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths. Recommendation Upgrade to version 1.2.0 or later. References - HackerOne Report...

SQL Injection

Overview Versions of sequelize prior to 3.35.1 are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the Postgres dialect, which may allow attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation Upgrade to version 3.35.1 or later. References...

Cross-Site Scripting

Overview Versions of diagram-js-direct-editing prior to 1.4.3 are vulnerable to Cross-Site Scripting. The package fails to sanitize input from the clipboard, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation Upgrade to version 1.4.3 or later. References -...

Authentication Bypass

Overview Versions of samlify prior to 2.4.0 are vulnerable to Authentication Bypass. The package fails to prevent XML Signature Wrapping, allowing tokens to be reused with different usernames. A remote attacker can modify SAML content for a SAML service provider without invalidating the...

Denial of Service

Overview Affected versions of node-sass are vulnerable to Denial of Service DoS. Crafted objects passed to the renderSync function may trigger C++ assertions in CustomImporterBridge::getimporterentry and CustomImporterBridge::postprocessreturnvalue that crash the Node process. This may allow...

Malicious Package

Overview Version 0.2.1 of radicjs contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment and evalua...

Prototype Pollution

Overview Versions of @apollo/gateway prior to 0.6.2 are vulnerable to Prototype Pollution. The package uses deepMerge to merge objects, which may allow attackers to alter the Object prototype through queries with GraphQL aliases. Carefully constructed payloads can override properties of all objec...

Malicious Package

Overview Version 0.1.8 of kraken-api contains malicious code as a postinstall script. When installed, the package calls home to a Command and Control server to execute arbitrary commands. Recommendation Any computer that has this package installed or running should be considered fully compromised...

Cross-Site Scripting

Overview All versions of harp are vulnerable to Cross-Site Scripting. In the admin page it is possible to inject arbitrary JavaScript as a new product option, allowing attackers to execute arbitrary code. This is limited to the admin page and does not affect other pages. Recommendation No fix is...

Malicious Package

Overview Version 2.0.2 of stream-combine has malicious code design to steal credentials and credit card information. The code searches all form elements for passwords, credit card numbers and CVC codes. It then uploads the information to a remote server using HTML links embedded in the page or fo...

Path Traversal

Overview All versions of takeapeek are vulnerable to path traversal exposing files and directories. Recommendation As no fix is currently available for this vulnerability is it is our recommendation to use another static file server. References - HackerOne Report - Node.js Security-wg - GitHub...

Command Injection

Overview Versions of apex-publish-static-files before 2.0.1 are vulnerable to command injection. This is exploitable if user input is passed into the connectString option in the publish method. Recommendation Update to version 2.0.1 or later. References - HackerOne Report - security-wg - GitHub...

Directory Traversal

Overview Affected versions of zwserver resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...

Downloads Resources over HTTP

Overview Affected versions of broccoli-closure insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code...

Denial of Service

Overview Affected versions of mqtt will cause the node process to crash when receiving specially crafted MQTT packets, making the application vulnerable to a denial of service condition. Recommendation Update to v1.0.0 or later References - Parse.js Line 230 - GitHub Advisory...

DOM-based XSS

Overview Affected versions of gmail-js are vulnerable to cross-site scripting in the tools.parseresponse, helper.get.visibleemailspost, and helper.get.emaildatapost functions, which pass user input directly into the Function constructor. Recommendation Update to version 0.6.5 or later. References...

Authentication Bypass

Overview Affected versions of the console-io package do not configure the underlying websocket library to require authentication, resulting in an authentication bypass vulnerability. As console-io allows terminal access on the server via a web page, an authentication bypass is essentially remote...

Regular Expression Denial of Service

Overview Versions of hawk prior to 3.1.3, or 4.x prior to 4.1.1 are affected by a regular expression denial of service vulnerability related to excessively long headers and URI's. Recommendation Update to hawk version 4.1.1 or later. References - Issue 168 - GitHub Advisory...

Improper Authorization

Overview All versions of react-oauth-flow fail to properly implement the OAuth protocol. The package stores secrets in the front-end code. Instead of using a public OAuth client, it uses a confidential client on the browser. This may allow attackers to compromise server credentials. Recommendatio...

Remote Code Execution

Overview Versions of mongodb-query-parser prior to 2.0.0 are vulnerable to Remote Code Execution. The package fails to sanitize queries, allowing attackers to execute arbitrary code in the system. Parsing the following payload executes touch test-file: 'function return...

Symlink reference outside of node_modules

Overview Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of nodemodules. It is possible for packages to create symlinks to files outside of thenodemodules folder through the bin field upon installation. A properly constructed entry in the package.json bin fie...

Malicious 󠅮󠅰󠅭Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious 󠅮󠅰󠅭Package

Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Cross-Site Scripting

Overview Versions of iobroker.web prior to 2.4.10 are vulnerable to Cross-Site Scripting. The package fails to escape URL parameters that may be reflected in the server response. This can be used by attackers to execute arbitrary JavaScript in the victim's browser. Recommendation Upgrade to versi...

Prototype Pollution

Overview All versions of unflatten are vulnerable to prototype pollution. The function unflatten does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation No fix is currently...

Sandbox Breakout / Arbitrary Code Execution

Overview All versions of @zhaoyao91/eval-in-vm are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through this.constructor.constructor . This may allow attackers to execute arbitrary code in the system. Evaluating the payloa...

Arbitrary Code Execution

Overview Versions of handlebars prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a...

Malicious Package

Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...

Malicious Package

Overview All versions of evil-package contain malicious code. The package uploads the contents of process.env to example.com/log. Recommendation Remove the package from your environment. Given the host where the information was uploaded to there is no further indication of compromise. References...

SQL Injection

Overview Versions of connect-pg-simple are vulnerable to SQL Injection. The PGStore.prototype.quotedTable function allows for the query to be manipulated if the input has double quotes through the schemaName or tableName variables. These variables are passed to the constructor and are unlikely to...

Sensitive Data Exposure

Overview Versions of parse-server prior to 3.6.0 are vulnerable to Sensitive Data Exposure. The package throws the error ParseError.ACCOUNTALREADYLINKED208 before the authentication controller throws ParseError.SESSIONMISSING206. This allows unauthenticated attackers to enumerate user account by...

Cross-Site Scripting

Overview Versions of console-feed prior to 2.8.10 are vulnerable to Cross-Site Scripting XSS. The package fails to properly escape the rendered output. If an application uses console-feed and a malicious JavaScript payload was passed to a console.log'%', payload call, the package would render HTM...

Malicious Package

Overview All versions of luna-mock contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on tha...

Arbitrary Code Execution

Overview Versions of require-node prior to 1.3.4 for 1.x and 2.0.4 for 2.x are vulnerable to Arbitrary Code Execution. The package fails to sanitize requests to the require-node endpoint, allowing attackers to execute arbitrary code in the server through the injection of OS commands in the reques...

Path Traversal

Overview All versions of buttle are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths when fetching files. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available...

Reverse Tabnapping

Overview Versions of swagger-ui prior to 3.18.0 are vulnerable to Reverse Tabnapping. The package uses target='blank' in anchor tags, allowing attackers to access window.opener for the original page. This is commonly used for phishing attacks. Recommendation Upgrade to version 3.18.0 or later...