Node.js • Most viewed

1635 matches found

Node.js • added 2019/08/22 7:49 p.m.

Unintended Require

Overview Versions of larvitbase-api prior to 0.5.4 are vulnerable to an Unintended Require. The package exposes an API endpoint and passes a GET parameter unsanitized to a require call. This allows attackers to execute any .js file in the folder the server is running from. Recommendation...

AI score 7.1 • Exploits 0 • Affected software 1
Node.js • added 2019/08/06 6:54 p.m.

Malicious Package

Overview Version 1.0.4 of iie-viz contained malicious code. The code, when executed in the browser, would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment. It's also...

AI score 7 • Exploits 0 • Affected software 1

Node.js • added 2019/07/29 6:52 p.m.

Prototype Pollution

Overview Affected versions of mithril are vulnerable to prototype pollution. The function parseQueryString may allow a malicious user to modify the prototype of Object, causing the addition or modification of a property that will exist on all objects. A payload such as...

AI score 6.7 • Exploits 0 • Affected software 1

Node.js • added 2019/07/17 9:38 p.m.

Cross-Site Scripting

Overview Versions of cmmn-js-properties-panel prior to 0.8.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize input in specially configured diagrams, which may allow attackers to inject arbitrary JavaScript into the embedding website. Recommendation Upgrade to version 0.8.0...

AI score 6.2 • Exploits 0 • Affected software 1

Node.js • added 2019/07/16 3:17 p.m.

Malicious Package

Overview All versions of deasyncp contain malicious code. A preinstall script shuts down the machine upon installation. Recommendation Remove the package from your environment. There is no further compromise. References GitHub Advisory...

AI score 6.8 • Exploits 0 • Affected software 1

Node.js • added 2019/07/12 10:12 p.m.

Malicious Package

Overview All versions of midway-xtpl contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on...

AI score 6.8 • Exploits 0 • Affected software 1

Node.js • added 2019/07/12 10:04 p.m.

Malicious Package

Overview All versions of ali-contributors contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored...

AI score 6.8 • Exploits 0 • Affected software 1

Node.js • added 2019/07/10 8:18 p.m.

Malicious Package

Overview All versions of maybemaliciouspackage contain malicious code. The package prints the system's SSH keys to the console as a postinstall script. Recommendation Remove the package from your environment. There are no further signs of compromise. References GitHub Advisory...

AI score 6.8 • Exploits 0 • Affected software 1

Node.js • added 2019/06/19 7:54 p.m.

Sensitive Data Exposure

Overview All versions of put are vulnerable to Uninitialized Memory Exposure. The package incorrectly calculates the allocated Buffer size and does not trim the bytes written, which may allow attackers to access uninitialized memory containing sensitive data. This vulnerability only affects...

AI score 6.8 • Exploits 0 • Affected software 1
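
The failure mode in the put entry, as an added example that is not the package's code: a length-prefixed encoder that sizes its Buffer from the JS string length, allocates with Buffer.allocUnsafe() and returns the whole buffer, beside one that measures with Buffer.byteLength(), zero-fills and trims to the bytes actually written. The wire format (a 4-byte big-endian length then UTF-8 payload) is an assumption for illustration.

```javascript
// Added example (not code from the put package): a tiny length-prefixed
// string encoder written two ways. The unsafe version over-allocates with
// Buffer.allocUnsafe() and returns the untrimmed buffer, so bytes it never
// wrote (whatever was last in the allocator's pool) travel with the output.
// The safe version zero-fills and trims to the bytes actually written.
// Format (assumed): 4-byte big-endian payload length, then UTF-8 payload.

const HEADER_BYTES = 4;

function encodeUnsafe(str) {
  // Capacity is guessed from the JS string length (UTF-16 code units), which
  // says nothing about UTF-8 byte length, and the result is never trimmed.
  const buf = Buffer.allocUnsafe(HEADER_BYTES + str.length * 4);
  const written = buf.write(str, HEADER_BYTES, 'utf8');
  buf.writeUInt32BE(written, 0);
  return buf;                                        // carries uninitialized slack
}

function encodeSafe(str) {
  const needed = Buffer.byteLength(str, 'utf8');     // exact UTF-8 size
  const buf = Buffer.alloc(HEADER_BYTES + needed);   // zero-filled
  const written = buf.write(str, HEADER_BYTES, 'utf8');
  buf.writeUInt32BE(written, 0);
  return buf.subarray(0, HEADER_BYTES + written);    // exactly the bytes written
}

// Bytes the buffer carries beyond the declared payload. Anything above zero
// is memory the encoder never wrote and the caller never meant to send.
function slackBytes(encoded) {
  const declared = encoded.readUInt32BE(0);
  return encoded.length - (HEADER_BYTES + declared);
}

// A receiver that honours the declared length decodes both correctly, which
// is why the leak goes unnoticed: the extra bytes are simply shipped along.
function decode(encoded) {
  const declared = encoded.readUInt32BE(0);
  return encoded.toString('utf8', HEADER_BYTES, HEADER_BYTES + declared);
}
```

Check any code that returns a Buffer built with allocUnsafe() for two things: that it was sized from Buffer.byteLength() rather than string.length, and that it is sliced to the bytes actually written before it leaves the function.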
Node.js • added 2019/06/19 12:11 a.m.

Prototype Pollution

Overview All versions of mergify are vulnerable to Prototype Pollution. The mergify function allows attackers to modify the prototype of Object, causing the addition or modification of a property that will exist on all objects. Recommendation No fix is currently available. Consider using...

AI score 6.9 • Exploits 0 • Affected software 1

Node.js • added 2019/06/17 6:09 p.m.

Command Injection

Overview All versions of wizard-syncronizer are vulnerable to Command Injection. The package does not validate input on the cloneAndSync function and concatenates it into an exec call. This can be abused through a malicious widget carrying the payload in the gitURL value, or through a MITM attack...

AI score 7.1 • Exploits 0 • Affected software 1

Node.js • added 2019/06/12 7:29 p.m.

SQL Injection

Overview All versions of resquel are vulnerable to SQL Injection. Query parameters are not properly sanitized, allowing attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation No fix is currently available. Consider using an alternative package until a fix is made...

AI score 7.9 • Exploits 0 • Affected software 1

Node.js • added 2019/06/11 9:47 p.m.

Unauthorized File Access

Overview Versions of atompm prior to 0.8.2 are vulnerable to Unauthorized File Access. The package fails to sanitize relative paths in the URL for file downloads, allowing attackers to download arbitrary files from the system. Recommendation Upgrade to version 0.8.2 or later. References GitHub...

AI score 6.9 • Exploits 0 • Affected software 1
Node.js • added 2019/06/10 8:52 p.m.

Cross-Site Scripting

Overview Versions of ids-enterprise prior to 4.18.2 are vulnerable to Cross-Site Scripting (XSS). The modal component fails to sanitize input to the title attribute, which may allow attackers to execute arbitrary JavaScript. Recommendation Upgrade to version 4.18.2 or later. References - GitHub Issu...

AI score 6.8 • Exploits 0 • Affected software 1
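
The title-attribute issue in the ids-enterprise entry (and the unsanitized diagram input in cmmn-js-properties-panel above), as an added example that is neither project's code: a modal renderer that interpolates the title raw into an attribute and into element text, beside one that escapes for both contexts, with a small check that the output contains only the markup the template emitted. The markup shape and the payload are constructed.

```javascript
// Added example (not ids-enterprise or cmmn-js-properties-panel code): a
// modal-title renderer in the vulnerable shape beside an escaping one.

// Escapes the five characters that matter in element text and in
// double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the attacker-controlled title lands unescaped in markup, so a
// leading `">` closes the attribute and the tag and starts a new element.
function renderModalUnsafe(title) {
  return `<div class="modal" title="${title}"><h2>${title}</h2></div>`;
}

// Hardened: escape once per context. The attribute is always quoted, so the
// same escaper serves both the attribute value and the text node.
function renderModalSafe(title) {
  const t = escapeHtml(title);
  return `<div class="modal" title="${t}"><h2>${t}</h2></div>`;
}

// Output check: true only if the markup is exactly the template's own tags
// with no extra tag or attribute delimiters inside the interpolated slots.
const TRUSTED_MARKUP = /^<div class="modal" title="[^"<>]*"><h2>[^<>]*<\/h2><\/div>$/;
function onlyTrustedMarkup(html) {
  return TRUSTED_MARKUP.test(html);
}
```

For HTML that is meant to contain markup (the markdown case in the buttle entry below) escaping is the wrong tool; that output needs an allowlist-based HTML sanitizer after rendering, not ad hoc string replacement.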
Node.js • added 2019/06/07 8:22 p.m.

Malicious Package

Overview Version 1.1.5 of ngx-pica contained malicious code. The code, when executed in the browser, would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment and...

AI score 7 • Exploits 0 • Affected software 1

Node.js • added 2019/06/07 8:21 p.m.

Malicious Package

Overview Version 0.1.30 of mx-nested-menu contained malicious code. The code, when executed in the browser, would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment an...

AI score 7 • Exploits 0 • Affected software 1

Node.js • added 2019/06/07 7:26 p.m.

Malicious Package

Overview Version 1.0.2 of radic-util contained malicious code. The code, when executed in the browser, would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment and...

AI score 7 • Exploits 0 • Affected software 1

Node.js • added 2019/06/07 7:17 p.m.

Malicious Package

Overview Version 0.4.20 of motiv.scss contained malicious code. The code, when executed in the browser, would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment and...

AI score 7 • Exploits 0 • Affected software 1

Node.js • added 2019/06/07 7:06 p.m.

Malicious Package

Overview Version 0.0.14 of grunt-radical contained malicious code. The code, when executed in the browser, would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment and...

AI score 7 • Exploits 0 • Affected software 1

Node.js • added 2019/06/07 7:02 p.m.

Malicious Package

Overview Version 1.3.2 of geoheat contained malicious code. The code, when executed in the browser, would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment and evalua...

AI score 7 • Exploits 0 • Affected software 1

Node.js • added 2019/06/07 7:01 p.m.

Malicious Package

Overview Version 1.0.8 of ember-power-timepicker contained malicious code. The code, when executed in the browser, would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your...

AI score 7 • Exploits 0 • Affected software 1

Node.js • added 2019/06/05 3:40 p.m.

Malicious Package

Overview All versions of electron-native-notify contain malicious code. The package was part of a targeted attack to steal cryptocurrency wallet seeds and upload them to a remote server, effectively giving attackers access to users' wallets. Recommendation Remove the package from your environment...

AI score 6.9 • Exploits 0 • Affected software 1

Node.js • added 2019/06/05 2:14 p.m.

Command Injection

Overview Versions of wiki-plugin-datalog prior to 0.1.6 are vulnerable to Command Injection. The package failed to sanitize URLs on the curl endpoint, allowing attackers to inject commands and possibly achieve Remote Code Execution on the system. Recommendation Upgrade to version 0.1.6 or later...

AI score 7.7 • Exploits 0 • Affected software 1

Node.js • added 2019/06/04 10:55 p.m.

Malicious Package

Overview Version 4.13.2 of epress contains malicious code. The package is malware designed to take advantage of users mistyping the name of a module to install. Upon require the package attempts to start a cryptocurrency miner using coin-hive. Recommendation Remove the package...

AI score 7 • Exploits 0 • Affected software 1

Node.js • added 2019/06/04 10:50 p.m.

Malicious Package

Overview All versions of commqnder contain malicious code. The package is malware designed to take advantage of users mistyping the name of a module to install. Upon require the package attempts to start a cryptocurrency miner using coin-hive. Recommendation Remove the package...

AI score 7 • Exploits 0 • Affected software 1

Node.js • added 2019/06/04 10:49 p.m.

Malicious Package

Overview All versions of commmander contain malicious code. The package is malware designed to take advantage of users mistyping the name of a module to install. Upon require the package attempts to start a cryptocurrency miner using coin-hive. Recommendation Remove the packag...

AI score 7 • Exploits 0 • Affected software 1

Node.js • added 2019/06/04 10:44 p.m.

Malicious Package

Overview Version 3.5.0 of blubird contains malicious code. The package is malware designed to take advantage of users mistyping the name of a module to install. Upon require the package attempts to start a cryptocurrency miner using coin-hive. Recommendation Remove the package...

AI score 7 • Exploits 0 • Affected software 1

Node.js • added 2019/06/03 9:34 p.m.

Sensitive Data Exposure

Overview Versions of loopback prior to 3.26.0 (3.x) and 2.42.0 (2.x) are vulnerable to Sensitive Data Exposure. Invalid API requests to the login endpoint may return information about the first user in the database. This can be used alongside other attacks for credential theft. Recommendation If you'...

AI score 6.6 • Exploits 0 • Affected software 1

Node.js • added 2019/06/03 6:09 p.m.

Malicious Package

Overview Version 1.0.0 of rimrafall contains malicious code as a preinstall script. The package attempts to remove all files under the system's root folder. Recommendation If you installed this package, it is likely your machine was erased. If not, remove the package from your system and verify if an...

AI score 7 • Exploits 0 • Affected software 1

Node.js • added 2019/06/03 3:27 p.m.

Malicious Package

Overview All versions of tensorplow contain malicious code as a preinstall script. When installed, the package calls home to a Command and Control server to execute arbitrary commands. Recommendation Any computer that has this package installed or running should be considered fully compromised. A...

AI score 7.6 • Exploits 0 • Affected software 1

Node.js • added 2019/06/03 3:12 p.m.

Malicious Package

Overview Version 1.0.1 of jquerz contains malicious code as a preinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed, the package downloads a file from a remote server, executes it and opens a...

AI score 7.1 • Exploits 0 • Affected software 1

Node.js • added 2019/05/30 7:50 p.m.

Malicious Package

Overview Version 1.8.4 of bowee contained malicious code as a preinstall script. The package downloaded a file from a remote server, executed it and opened a backdoor. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and ke...

AI score 7.1 • Exploits 0 • Affected software 1
Node.js • added 2019/05/30 7:08 p.m.

Malicious Package

Overview All versions of reqest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

AI score 6.6 • Exploits 0 • Affected software 1

Node.js • added 2019/05/28 5:33 p.m.

Prototype Pollution

Overview All versions of lutils-merge are vulnerable to Prototype Pollution. The merge function fails to prevent user input from altering an Object's prototype, allowing attackers to modify or override properties of all objects in the application. This may lead to Denial of Service or may be chained with...

AI score 7.3 • Exploits 0 • Affected software 1
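
The two shapes of prototype pollution in this list, a nested query-string parser (the mithril parseQueryString entry above) and a deep merge (the mergify and lutils-merge entries), as one added example that is not code from any of those packages: each routine is written in the vulnerable form and with a guard, and a demonstrate() function shows the pollution landing on Object.prototype and then cleans it up. Payloads and names are constructed.

```javascript
// Added example, not code from mithril, mergify or lutils-merge: a nested
// query-string parser and a deep merge in the shape those packages had,
// each beside a hardened version. Payloads and names are constructed.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// "a[b][c]" -> ["a", "b", "c"]
function keyPath(rawKey) {
  return rawKey.replace(/\]/g, '').split('[');
}

// Walks/creates containers along `path` and assigns `value`. With guard=false
// the key "__proto__" steps onto Object.prototype, so the final assignment
// becomes visible on every object in the process.
function setPath(target, path, value, guard) {
  let node = target;
  for (let i = 0; i < path.length; i++) {
    const key = path[i];
    if (guard && FORBIDDEN_KEYS.has(key)) return false;
    if (i === path.length - 1) { node[key] = value; return true; }
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  return true;
}

function parseQueryString(qs, { safe = false } = {}) {
  const result = {};
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    setPath(result, keyPath(rawKey), value, safe);
  }
  return result;
}

// Deep merge. JSON.parse creates "__proto__" as an own property, so for..in
// hands it to the unsafe variant, which then recurses into Object.prototype.
// The safe variant copies only own keys and skips the forbidden names.
function merge(target, source, { safe = false } = {}) {
  for (const key in source) {
    if (safe && (!Object.prototype.hasOwnProperty.call(source, key) || FORBIDDEN_KEYS.has(key))) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      merge(target[key], value, { safe });
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Probes a fresh {} after each call; any value there came from the prototype.
function demonstrate() {
  const probe = () => ({}).polluted;
  const out = {};
  parseQueryString('__proto__[polluted]=via-query');
  out.queryUnsafe = probe();
  delete Object.prototype.polluted;
  parseQueryString('__proto__[polluted]=via-query', { safe: true });
  out.querySafe = probe();

  const payload = JSON.parse('{"__proto__": {"polluted": "via-merge"}, "name": "alice"}');
  merge({}, payload);
  out.mergeUnsafe = probe();
  delete Object.prototype.polluted;
  const merged = merge({}, payload, { safe: true });
  out.mergeSafe = probe();
  out.mergedName = merged.name;
  return out;
}
```

Besides the key guard, building result containers with Object.create(null) and freezing Object.prototype at startup (Object.freeze(Object.prototype)) are defence-in-depth measures that stop the write even when a guard is missed somewhere else in the dependency tree.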
Node.js • added 2019/05/06 2:19 p.m.

Malicious Package

Overview All versions of equest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

AI score 6.6 • Exploits 0 • Affected software 1

Node.js • added 2019/05/06 2:11 p.m.

Malicious Package

Overview All versions of requestt typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...

AI score 6.6 • Exploits 0 • Affected software 1

Node.js • added 2019/04/23 2:26 p.m.

Command Injection

Overview All versions of cocos-utils are vulnerable to Remote Code Execution. The unzip function concatenates user input into an exec call, which may allow attackers to execute arbitrary commands on the server. Recommendation No fix is currently available. Consider using an alternative module until a fix is...

AI score 8 • Exploits 0 • Affected software 1

Node.js • added 2019/04/18 6:23 p.m.

SQL Injection

Overview Versions of sequelize prior to 5.3.0 (excluding v3 and v4) are vulnerable to SQL Injection. The PostgreSQL option standard_conforming_strings is not set to on by default, which may allow attackers to inject SQL statements due to poor handling of backslashes in string literals. Recommendation...

AI score 7.4 • Exploits 0 • Affected software 1

Node.js • added 2019/04/10 1:51 p.m.

Cross-Site Scripting

Overview All versions of buttle are vulnerable to Cross-Site Scripting. Due to misconfiguration of its rendering engine, buttle does not sanitize the HTML output allowing attackers to run arbitrary JavaScript when processing malicious markdown files. Recommendation No fix is currently available...

AI score 6.7 • Exploits 0 • Affected software 1

Node.js • added 2019/03/18 9:29 p.m.

Denial of Service

Overview Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the Node process stalls and may exhaust system resources, leading to a Denial of Service. Recommendation Upgrade to version 3.13.0. References GitHub Advisory...

AI score 6.8 • Exploits 0 • Affected software 1

Node.js • added 2019/02/15 9:44 p.m.

Regular Expression Denial of Service

Overview Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive, leading to Denial of Service. Recommendation Upgrade t...

AI score 6.8 • Exploits 0 • Affected software 1

Node.js • added 2019/02/14 1:42 a.m.

Denial of Service

Overview All versions of url-relative are vulnerable to Denial of Service. If the values to and from are equal, the function hangs and never returns. This may cause a Denial of Service. Recommendation No fix is currently available. Consider using an alternative module until a fix is made availabl...

AI score 6.8 • Exploits 0 • Affected software 1

Node.js • added 2019/01/04 9:21 p.m.

Remote Code Execution

Overview All versions of office-converter are vulnerable to Remote Code Execution. Due to insufficient input validation, an attacker could run arbitrary commands on the server. Recommendation No fix is currently available. Consider usi...

AI score 7.4 • Exploits 0 • Affected software 1

Node.js • added 2018/12/28 8:34 p.m.

Prototype Pollution

Overview Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, allowing an attacker to execute arbitrary code on the server. Recommendation For handlebars 4.1.x upgrade to 4.1.2 or later. For handlebars 4.0.x upgrade to 4.0.1...

AI score 7.8 • Exploits 0 • Affected software 1

Node.js • added 2018/08/24 12:07 p.m.

Command Injection

Overview Versions of egg-scripts before 2.8.1 are vulnerable to command injection. This is only exploitable if a malicious argument is provided on the command line. Example: eggctl start --daemon --stderr='/tmp/eggctlstderr.log; touch /tmp/malicious' Recommendation Update to version 2.8.1 or late...

AI score 7.5 • Exploits 0 • Affected software 1
Node.js • added 2018/08/09 6:54 p.m.

Malicious Package

Overview All versions of soket.js are considered malicious. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When executed, the package calls home to a Command and Control server to execute arbitrary commands. Recommendation...

AI score 7.5 • Exploits 0 • Affected software 1

Node.js • added 2018/08/09 5:30 a.m.

Malicious Package

Overview All versions of regenrator are considered malicious. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When executed, the package calls home to a Command and Control server to execute arbitrary commands. Recommendatio...

AI score 7.5 • Exploits 0 • Affected software 1
Node.js • added 2018/05/15 11:45 p.m.

Malicious Package

Overview Version 0.3.0 of react-dates-sc contained malicious code. The code, when executed in the browser, would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.3.0 of this module is found...

AI score 6.9 • Exploits 0 • Affected software 1

Node.js • added 2018/05/15 11:38 p.m.

Malicious Package

Overview Version 2.0.10 of json-serializer contained malicious code. The code, when executed in the browser, would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 2.0.10 of this module is found...

AI score 6.9 • Exploits 0 • Affected software 1

Node.js • added 2018/05/15 11:19 p.m.

Malicious Package

Overview Version 1.7.5 of coffee-project contained malicious code. The code, when executed in the browser, would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 1.7.5 of this module is found...

AI score 6.9 • Exploits 0 • Affected software 1
Total number of security vulnerabilities: 1635