1635 matches found
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.1.0 of log-symboles contains malicious code as a preinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed, the package downloads a file from a remote server, executes it and opens ...
Denial of Service
Overview Versions of apostrophe prior to 2.97.1 are vulnerable to Denial of Service. The apostrophe-jobs module sets a callback for incoming jobs and doesn't clear it regardless of its status. This causes the server to accumulate callbacks, allowing an attacker to start a large number of jobs and...
Path Traversal
Overview All versions of @wturyn/swagger-injector are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the configured dist folder using relative paths. Recommendation No fix is currently available. Consider using an alternative...
Path Traversal
Overview All versions of swagger-injector are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the configured dist folder using relative paths. Recommendation No fix is currently available. Consider using an alternative package...
Regular Expression Denial of Service
Overview All versions of sql-injection are vulnerable to Regular Expression Denial of Service. The package processes a request's body with regular expressions that may take exponentially longer to execute for large inputs. Recommendation No fix is currently available. Consider using an alternativ...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview Version 1.0.2 of uploader-plugin contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment. It's...
Path Traversal
Overview All versions of f-serv are vulnerable to Path Traversal. Due to insufficient input sanitization in URLs, attackers can access server files by using relative paths when fetching files. Recommendation No fix is currently available. Consider using an alternative package until a fix is made...
Malicious Package
Overview All versions of cage-js contains malicious code. The malware downloads and runs a script from a remote server as a postinstall script. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that comput...
Prototype Pollution
Overview Versions of lodash.mergewith before 4.6.2 are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via constructor: prototype: ... causing the addition or modification of an existing property that will exist on all objects...
Malicious Package
Overview All versions of secureidentityloginmodule contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and ke...
Malicious Package
Overview All versions of midway-dataproxy contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored...
Malicious Package
Overview All versions of appx-compiler contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on...
Malicious Package
Overview All versions of antd-cloud contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on th...
Malicious Package
Overview All versions of malicious-do-not-install contain malicious code. The package copies the contents of /etc/passwd and /etc/shadow to files in the local /tmp/ folder. Recommendation Remove the package from your environment and rotate affected credentials. References GitHub Advisory...
Path Traversal
Overview Versions of restify-swagger-jsdoc prior to 3.2.1 are vulnerable to Path Traversal. The package fails to properly sanitize URLs, which may allow attackers to access server files outside the swagger-ui folder by using relative paths. Recommendation Upgrade to version 3.2.1 or later...
Cross-Site Scripting
Overview Versions of jquery.json-viewer prior to 1.3.0 are vulnerable to Cross-Site Scripting XSS. The package insufficiently sanitizes user input when creating links, and concatenates the user input in an tag. This allows attackers to create malicious links with JSON payloads such as: "foo":...
Open Redirect
Overview Versions of apostrophe prior to 2.92.0 are vulnerable to Open Redirect. The package redirected requests to third-party websites if escaped URLs followed by a trailing / were appended at the end. Recommendation Update to version 2.92.0 or later. References - Snyk Report - GitHub Commit -...
Cross-Site Scripting
Overview All versions of graylog-web-interface are vulnerable to Cross-Site Scripting XSS. The package fails to escape output on the TypeAhead and QueryInput components, which may allow attackers to execute arbitrary JavaScript on the victim's browser. Recommendation No fix is currently available...
Path Traversal
Overview Versions of zero prior to 1.0.6 are vulnerable to Path Traversal. Due to insufficient input sanitization in URLs, attackers can access server files by using relative paths when fetching files. Recommendation Upgrade to version 1.0.6 or later. References GitHub Advisory...
Command Injection
Overview Versions of local-devices prior to 3.0.0 are vulnerable to Command Injection. The package does not validate input on ip addresses and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system. Recommendation Upgrade to version 3.0.0 or later. References ...
Cross-Site Scripting
Overview Versions of @berslucas/liljs prior to 1.0.2 are vulnerable to Cross-Site Scripting XSS. The package uses the unsafe innerHTML function without sanitizing input, which may allow attackers to execute arbitrary JavaScript on the victim's browser. Recommendation Upgrade to version 1.0.2 or...
Cross-Site Scripting
Overview Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Scripting XSS. The package fails to properly encode rendered HTML on admin-created blog posts. This allows attackers to execute arbitrary JavaScript in the victim's browser. Exploiting this vulnerability requires having...
Cross-Site Scripting
Overview Versions of swagger-ui prior to 3.20.9 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize URLs used in the OAuth auth flow, which may allow attackers to execute arbitrary JavaScript. Recommendation Upgrade to version 3.20.9 or later. References - GitHub PR - Snyk...
Command Injection
Overview Versions of addax prior to 1.1.0 are vulnerable to Command Injection. The package does not validate user input on the presignPath function which receives input directly from the API endpoint. Exploiting the vulnerability requires authentication. This may allow attackers to run arbitrary...
Malicious Package
Overview Version 1.0.987 of ng-ui-library contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment an...
Malicious Package
Overview Version 0.2.12 of jekyll-for-github-projects contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your...
Malicious Package
Overview All versions of test-module-a contain malicious code as a preinstall script. The package fetches all names of npm packages owned by the user and attempts to add another maintainer to every package as a means of package hijacking, Recommendation Remove the package from your system. If you...
Malicious Package
Overview Version 3.4.6 of uglyfi-js contains malicious code as a preinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed, the package downloads a file from a remote server, executes it and opens a...
Malicious Package
Overview Version 1.8.4 of bowee contained malicious code as a preinstall script. The package downloaded a file from a remote server, executed it and opened a backdoor. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and ke...
Path Traversal
Overview Versions of algo-httpserv prior to 1.1.2 are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. Recommendation Upgrade to version 1.1.2 or later. References GitHub Advisory...
Malicious Package
Overview All versions of erquest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of experss typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of momen typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of aasync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Regular Expression Denial of Service
Overview Versions of marked prior to 0.6.2 and later than 0.3.14 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion. Recommendation Upgrade to version 0.6.2...
Prototype Pollution
Overview All versions of upmerge are vulnerable to Prototype Pollution. The merge function fails to prevent user input to alter an Object's prototype, allowing attackers to modify override properties of all objects in the application. This may lead to Denial of Service or may be chained with othe...
Unauthorized File Access
Overview Affected versions of harp are vulnerable to Unauthorized File Access. The package states that it ignores files and directories with names that start with an underscore, such as secret-folder. If the underscore character is URL encoded the server delivers the file. Recommendation Upgrade ...
Path Traversal
Overview All versions of statics-server are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available. References...
Insecure Default Configuration
Overview Versions of tesseract.js prior to 1.0.19 default to using a third-party proxy. Requests may be proxied through crossorigin.me which clearly states is not suitable for production use. This may lead to instability and privacy violations. Recommendation Upgrade to version 1.0.19 or later...
Sandbox Breakout / Arbitrary Code Execution
Overview Versions of safer-eval before 1.3.2 are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. Recommendation Upgrade to version 1.3.2. References GitHub Advisory...
Remote Code Execution
Overview Versions of node-os-utils prior to 1.1.0 are vulnerable to Remote Code Execution. Due to insufficient input validation an attacker could run arbitrary commands on the server thus rendering the package vulnerable to Remote Code Execution. Recommendation Upgrade to version 1.1.0 or later...
Undefined Behavior
Overview All versions of sailsjs-cacheman have a vulnerability that may lead to Undefined Behavior. The config variable is exposing to the global scope which may overwrite other variables and cause the application to misbehave. Recommendation No fix is currently available. Consider using an...