1635 matches found
Malicious Package
Overview All versions of momen typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of aasync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Code Injection
Overview Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load function may execute arbitrary code injected through a malicious YAML file. Objects that have toString as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the...
Regular Expression Denial of Service
Overview Versions of marked prior to 0.6.2 and later than 0.3.14 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion. Recommendation Upgrade to version 0.6.2...
Prototype Pollution
Overview All versions of upmerge are vulnerable to Prototype Pollution. The merge function fails to prevent user input to alter an Object's prototype, allowing attackers to modify override properties of all objects in the application. This may lead to Denial of Service or may be chained with othe...
Path Traversal
Overview Versions of servey prior to 3.x are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. Recommendation Upgrade to the latest version References - HackerOne Report - GitHub Advisory...
SQL Injection
Overview Versions of typeorm before 0.1.15 are vulnerable to SQL Injection. Field names are not properly validated allowing attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation Upgrade to version 0.1.15 References - HackerOne Report - GitHub Advisory...
Insecure Default Configuration
Overview Versions of tesseract.js prior to 1.0.19 default to using a third-party proxy. Requests may be proxied through crossorigin.me which clearly states is not suitable for production use. This may lead to instability and privacy violations. Recommendation Upgrade to version 1.0.19 or later...
Malicious Package
Overview All versions of portionfatty12 are considered malicious. The package is malware designed to steal user's data. When installed it uploads the user's public SSH keys to a remote server. Recommendation This package is not available on the npm Registry anymore. If you happen to find this...
Cross-Site Scripting
Overview Versions of mermaid prior to 8.2.3 are vulnerable to Cross-Site Scripting. If malicious input such as A"" is provided to the application, it will execute the code instead of rendering it as text due to improper output encoding. Recommendation Upgrade to version 8.2.3 or later References ...
Code Injection
Overview Verisons of morgan before 1.9.1 are vulnerable to code injection when user input is allowed into the filter or combined with a prototype pollution attack. Recommendation Update to version 1.9.1 or later. References - HackerOne Report - Node.js security-wg - GitHub Advisory...
Malicious Package
Overview Version 0.4.8 of s3asy contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.4.8 of this module is found installed you...
Malicious Package
Overview Version 8.4.3 of rc-calendar-jhorst contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 8.4.3 of this module is found...
Malicious Package
Overview Version 0.0.4 of blingjs contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 0.0.4 of this module is found installed you...
Malicious Package
Overview Version 1.0.2 of awesomereactutility contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 1.0.2 of this module is found...
Cross-Site Scripting
Overview Affected versions of emojione are vulnerable to cross-site scripting when user input is passed into the toShort, shortnameToImage, unicodeToImage, and toImage functions. Recommendation Update to version 1.3.1 or later. References - Issue 61 - GitHub Advisory...
Prototype Pollution
Overview Versions of json-logic-js prior to 2.0.0 are vulnerable to Prototype Pollution. The method operation allows a malicious user to modify the prototype of Object through the method property name. This causes modification of any existing property that will exist on all objects and leads to...
Denial of Service
Overview All Versions of hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exist, allowing an...
Cross-Site Scripting
Overview All versions of markdown-it-katex are vulnerable to Cross-Site Scripting XSS. The package fails to properly escape error messages, which may allow attackers to execute arbitrary JavaScript in a victim's browser by triggering an error. Recommendation No fix is currently available. Conside...
Command Injection
Overview All versions of npm-git-publish are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to an execSync call, which may allow attackers to execute arbitrary code in the system. The publish function is vulnerable through the gitRemoteUrl variable...
Command Injection
Overview All versions of gitting are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to an exec call, which may allow attackers to execute arbitrary code in the system. The pull function is vulnerable through the branch variable. Recommendation No fix i...
Command Injection
Overview All versions of node-df are vulnerable to Command Injection. The package fails to sanitize filenames passed to the file option. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. Recommendation No fix is currently available. Consider using an...
Malicious 󠅮󠅰󠅭Package
Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious 󠅮󠅰󠅭Package
Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious 󠅮󠅰󠅭Package
Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious 󠅮󠅰󠅭Package
Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious 󠅮󠅰󠅭Package
Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Sandbox Breakout / Prototype Pollution
Overview Versions of notevil prior to 1.3.3 are vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing attacker to add or modify an object's prototype. Evaluating the payload tryab;catchee.constructor.constructor'return...
Prototype Pollution
Overview All versions of safe-object2 are vulnerable to prototype pollution. The settter function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation No fix is currently...
Prototype Pollution
Overview All versions of getsetdeep are vulnerable to prototype pollution. The setDeep function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation No fix is currently...
Arbitrary Code Execution
Overview Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a previo...
Malicious Package
Overview All versions of sj-tw-abc contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer...
Malicious Package
Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Cross-Site Scripting
Overview All versions of hexo-admin are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize rendered markdown, allowing attackers to execute arbitrary JavaScript in a victim's browser if they are able to create new posts. Recommendation No fix is currently available. Consider...
Malicious Package
Overview Version 2.0.2 of yoeman-generator contains malicious code as a preinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed, the package downloads a file from a remote server, executes it and...
Malicious Package
Overview Version 1.0.0 of require-port contains malicious code as a preinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed, the package downloads a file from a remote server, executes it and opens ...
Configuration Override
Overview Versions of helmet-csp before to 2.9.1 are vulnerable to a Configuration Override affecting the application's Content Security Policy CSP. The package's browser sniffing for Firefox deletes the default-src CSP policy, which is the fallback policy. This allows an attacker to remove an...