1635 matches found
Malicious ó …®ó …°ó …Package
Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious ó …®ó …°ó …Package
Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious ó …®ó …°ó …Package
Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Prototype Pollution
Overview Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions...
Malicious Package
Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Malicious Package
Overview Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Recommendation Remove the package from your environment. Ensure no Ethereum funds were compromised. References GitHub Advisory...
Denial of Service
Overview All versions of subtext are vulnerable to Denial of Service DoS. The package fails to enforce the maxBytes configuration for payloads with chunked encoding that are written to the file system. This allows attackers to send requests with arbitrary payload sizes, which may exhaust system...
Path Traversal
Overview All versions of public are vulnerable to Path Traversal. This vulnerability allows an attacker to access files outside the webroot since it allows symlink navigation in the URL. Recommendation No fix is currently available. Do not use public in production or consider using an alternative...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Authentication Bypass
Overview Versions of otpauth prior to 3.2.8 are vulnerable to Authentication Bypass. The package's totp.validate function may return positive values for single digit tokens even if they are invalid. This may allow attackers to bypass the OTP authentication by providing single digit tokens...
Malicious Package
Overview All versions of fast-requests contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation Remove the package from your environment...
Cross-Site Scripting
Overview Versions of bpmn-js-properties-panel prior to 0.31.0 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize input in specially configured diagrams, which may allow attackers to inject arbitrary JavaScript in the embedding website. Recommendation Upgrade to version 0.31...
Prototype Pollution
Overview Versions of lodash.defaultsdeep before 4.6.1 are vulnerable to Prototype Pollution. The function 'defaultsDeep' may allow a malicious user to modify the prototype of Object via proto causing the addition or modification of an existing property that will exist on all objects. Recommendati...
Malicious Package
Overview All versions of node-buc contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that...
Malicious Package
Overview All versions of only-test-not-install contain malicious code. The package deletes the folder /test from the system as a postinstall script. Recommendation Remove the package from your environment. There are no further signs of compromise. References GitHub Advisory...
Malicious Package
Overview Versions 0.1.2 and 0.1.3 of leetlog contain malicious code. The package adds an arbitrary hardcoded SSH key identified as hacker@evilmachine to the system's authorizedkeys Recommendation Any computer that has this package installed or running should be considered fully compromised. All...
Sandbox Breakout / Arbitrary Code Execution
Overview Versions of safer-eval prior to 1.3.4 are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. For example, evaluating he string console.constructor.constructor'return process'.env prints...
Command Injection
Overview All versions of expressfs are vulnerable to Command Injection. The package does not validate user input on several API endpoints, allowing attackers to run arbitrary commands in the system. The affected endpoints are: expressfs.appendFile, expressfs.cp, expressfs.create and...
Malicious Package
Overview Version 1.0.1 of leaflet-gpx contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment and...
Malicious Package
Overview All versions of carloprojectdiscord contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation Remove the package from your...
Malicious Package
Overview All versions of requst typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of requuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of requesst typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of chak typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of asnyc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of asycn typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of asynnc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of jajajejejiji typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether...
Unauthorized File Access
Overview Versions of glance prior to 3.0.7 are vulnerable to Unauthorized File Access. The package provides a --nodot option meant to hide files and directories with names that begin with a ., such as .git but fails to hide files inside a folder that begins with .. Recommendation Upgrade to versi...
Path Traversal
Overview All versions of statics-server are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available. References...
Improper Authorization
Overview Versions of googleapis prior to 39.1.0 are vulnerable to Improper Authorization. Setting credentials to one client may apply to all clients which may cause requests to be sent with the incorrect credentials. Recommendation Upgrade to version 39.1.0. References - GitHub...
Remote Code Execution
Overview All versions of pivideorecording are vulnerable to Remote Code Execution. Due to insufficient input validation the server executes arbitrary code through the /api/record/start endpoint. After running the server, curl -POST -H "Content-Type: application/json" -d '"filename": " || touch...
Malicious Package
Overview All versions of commander-js are considered malicious. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed, the package downloads an arbitrary file and executes its contents as a post-install script...
Cross-Site Scripting
Overview Versions of buefy prior to 0.7.2 are vulnerable to Cross-Site Scripting, allowing attackers to manipulate the DOM and execute remote code. The autocomplete list renders user input as HTML without encoding. Recommendation Upgrade to version 0.7.2 or later. References - GitHub Issue - GitH...
Prototype Pollution
Overview All versions of merge-options are vulnerable to Prototype Pollution Recommendation Update to version 1.0.1 or greater. References - HackerOne Report - GitHub Commit - GitHub Advisory...
Cross-Site Scripting
Overview Versions of @hapi/boom prior t 0.3.8 are vulnerable to Cross-Site Scripting XSS. The package fails to properly escape error messages, which may allow attackers to execute arbitrary JavaScript in a victim's browser. Recommendation Upgrade to version 0.3.8 or later. References - Snyk repor...