1635 matches found
Malicious Package
Overview Version 1.0.1 of jquerz contains malicious code as a preinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed, the package downloads a file from a remote server, executes it and opens a...
Malicious Package
Overview Version 3.3.1 of jqeury contains malicious code as a preinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed, the package downloads a file from a remote server, executes it and opened a...
Malicious Package
Overview All versions of hulp contain malicious code as a preinstall script. When installed, the package calls home to a Command and Control server to execute arbitrary commands. Recommendation Any computer that has this package installed or running should be considered fully compromised. All...
Malicious Package
Overview All versions of froever contain malicious code as a preinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed, the package downloads a file from a remote server, executes it and opened a...
Malicious Package
Overview Version 1.5.3 of colour-string contained malicious code as a preinstall script. The package downloaded a file from a remote server, executed it and opened a backdoor. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secret...
Malicious Package
Overview Version 9.0.0 of colro-name contained malicious code as a preinstall script. The package downloaded a file from a remote server, executed it and opened a backdoor. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets a...
Malicious Package
Overview Version 16.3.3 of browserift contained malicious code as a preinstall script. The package was a backdoor that opened a connection to a remote server and executed incoming commands on both Unix and Windows machines Recommendation Any computer that has this package installed or running...
Malicious Package
Overview Version 1.8.4 of bowee contained malicious code as a preinstall script. The package downloaded a file from a remote server, executed it and opened a backdoor. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and ke...
Malicious Package
Overview All versions of whiteproject contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation Remove the package from your environment...
Malicious Package
Overview Version 1.8.4 of bowee contained malicious code as a preinstall script. The package downloaded a file from a remote server, executed it and opened a backdoor. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and ke...
Malicious Package
Overview All versions of saync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of reqest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Cross-Site Scripting
Overview Versions of ag-grid-community prior to 14.0.0 are vulnerable to Cross-Site Scripting XSS. Grid contents are not properly sanitized and may allow attackers to execute arbitrary JavaScript if user input is rendered in the grid. Recommendation Upgrade to version 14.0.0 or later References -...
Prototype Pollution
Overview All versions of lutils-merge are vulnerable to Prototype Pollution. The merge function fails to prevent user input to alter an Object's prototype, allowing attackers to modify override properties of all objects in the application. This may lead to Denial of Service or may be chained with...
Cross-Site Scripting
Overview Versions of bootstrap prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting XSS. The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript. Recommendation For bootstrap 4.x...
Malicious Package
Overview The package destroyer-of-worlds contained malicious code. The package contained a bash script that was run as a postinstall script. The script deleted system files and attempted to exhaust resources by creating a large file, a fork bomb and an endless loop. The script targeted UNIX...
Path Traversal
Overview Versions of algo-httpserv prior to 1.1.2 are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. Recommendation Upgrade to version 1.1.2 or later. References GitHub Advisory...
Sandbox Breakout / Arbitrary Code Execution
Overview All versions of value-censorship are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to validate async function constructors allowing attackers to execute arbitrary code. Recommendation No fix is currently available. Consider using an alternative package...
Malicious Package
Overview The package donotinstallthis contained malicious code. The package contained a script that was run as part of the install script. The script contacted a remote service tracking how many installations were done. There is no further compromise. Recommendation Remove the package from your...
Arbitrary File Overwrite
Overview Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file. The...
Cross-Site Scripting
Overview Versions of fomantic-ui are vulnerable to Cross-Site Scripting. Lack of output encoding on the selection dropdowns can lead to user input being executed instead of printed as text. Recommendation Upgrade to version 2.7.0 or later. References - GitHub Release - GitHub Advisory...
Cross-Site Scripting
Overview Versions of simditor prior to 2.3.22 are vulnerable to Cross-Site Scripting. The package does not sanitize user input that is rendered with innerHTML, allowing attackers to execute arbitrary JavaScript. Recommendation Upgrade to version 2.3.22 or later. References - Snyk Report - GitHub...
Cross-Site Scripting
Overview All version of jquery-mobile are vulnerable to Cross-Site Scripting. The package checks for content in location.hash and if a URL is found it does an XmlHttpRequest XHR to the URL and renders the response with innerHTML. It fails to validate the Content-Type of the response, allowing...
Cross-Site Scripting
Overview All version of bootbox are vulnerable to Cross-Site Scripting. The package does not sanitize user input in the provided dialog boxes, allowing attackers to inject HTML code and execute arbitrary JavaScript. Recommendation Sanitize user input being passed to bootbox or consider using an...
Denial of Service
Overview Versions of axios prior to 0.18.1 are vulnerable to Denial of Service. If a request exceeds the maxContentLength property, the package prints an error but does not stop the request. This may cause high CPU usage and lead to Denial of Service. Recommendation Upgrade to 0.18.1 or later...
Cross-Site Scripting
Overview Versions of google-closure-library prior to 20190301.0.0 are vulnerable to Cross-Site Scripting. The safedomtreeprocessor.processToString function improperly processed empty elements, which could allow attackers to execute arbitrary JavaScript through Mutation Cross-Site Scripting...
Insecure Credential Storage
Overview All versions of web3 are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a...
Cross-Site Scripting
Overview All versions of wangeditor are vulnerable to Cross-Site Scripting. The package fails to properly encode output, allowing arbitrary JavaScript to be inserted in links and executed by browsers. Recommendation No fix is currently available. Consider using an alternative module until a fix i...
Malicious Package
Overview All versions of carloprojectdiscord contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation Remove the package from your...
Malicious Package
Overview All versions of discorddebuglog contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation Remove the package from your environment...
Malicious Package
Overview All versions of carloprojectlesang contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation Remove the package from your environmen...
Malicious Package
Overview All versions of erquest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of rqeuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of requset typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of requets typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of equest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of reuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of requst typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of requet typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of reques typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of rrequest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of reequest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of reqquest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of requuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of requeest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of requesst typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of requestt typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of calk typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of chak typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of eact typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...