Improper Input Validation
xmlquery lacks a check for whether a LoadURL response is in the XML format, which allows attackers to cause a denial of service (SIGSEGV) at xmlquery.(*Node).InnerText or possibly have unspecified other impact.
A content spoofing vulnerability was found in openshift/console. This flaw allows an attacker to craft a URL and inject arbitrary text onto the error page that appears to be from the OpenShift instance. This attack could potentially convince a user that the inserted text is legitimate.
This advisory has been marked as False Positive as it impacts blueocean-git-pipeline.
The package ua-parser-js is vulnerable to Regular Expression Denial of Service (ReDoS).
A flaw was found in Keycloak's data filter, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks.
Jenkins Locked Files Report Plugin does not escape locked files' names in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Jenkins Validating String Parameter Plugin does not escape various user-controlled fields, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Jenkins Custom Job Icon Plugin does not escape the job descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Jenkins Radiator View Plugin does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Jenkins computer-queue-plugin Plugin does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
Jenkins Coverage/Complexity Scatter Plot Plugin does not escape the method information in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.
Jenkins Description Column Plugin does not escape the job description in the column tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Apache Atlas contains an XSS vulnerability. Values are not sanitized correctly while saving a search or rendering elements, which triggers the XSS vulnerability.
Jenkins ClearCase Release Plugin does not escape the composite baseline in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Jenkins chosen-views-tabbar Plugin does not escape view names in the dropdown to select views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to configure views.
A cross-site request forgery (CSRF) vulnerability in Jenkins ElasTest allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller.
Jenkins ElasTest Plugin stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
A buffer overflow vulnerability in LibRaw LibRaw::GetNormalizedModel in src/metadata/normalize_model.cpp may lead to context-dependent arbitrary code execution.
A vulnerability was found in Keycloak where a DoS attack is possible by sending twenty requests simultaneously to the specified Keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.
In Apache Syncope, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution.
In PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker is able to inject JavaScript while using the contact form. The message field was incorrectly unescaped, possibly allowing attackers to execute arbitrary JavaScript in a victim's browser.
When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request. This means if there are access control restrictions on which CAS …
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls unserialize() on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.
Yii 2 is vulnerable to remote code execution if the application calls unserialize() on arbitrary user input.
A buffer overflow exists in the Brotli library where an attacker controlling the input length of a one-shot decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB.
ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrary files on a remote server via the encode parameter of a GET request.
Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.
An issue was discovered in LemonLDAP::NG when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI.
Impact: Applies to Azure DevOps users only. The bot's token may be exposed in server or pipeline logs due to the http.extraheader=AUTHORIZATION parameter being logged without redaction. It is recommended that Azure DevOps users revoke their existing bot credentials and generate new ones after upgrading if there's a potential that logs have been saved to a location that others can view. Patches: Fixed. Workarounds: Do not share Renovate logs with …
Versions of atompm are vulnerable to Unauthorized File Access. The package fails to sanitize relative paths in the URL for file downloads, allowing attackers to download arbitrary files from the system. Upgrade to or later.
All versions of untitled-model are vulnerable to SQL Injection. Query parameters are not properly sanitized, allowing attackers to inject SQL statements and execute arbitrary SQL queries. No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of resquel are vulnerable to SQL Injection. Query parameters are not properly sanitized, allowing attackers to inject SQL statements and execute arbitrary SQL queries. No fix is currently available. Consider using an alternative package until a fix is made available.
Relative Path Traversal in serve.
All versions of mergify are vulnerable to Prototype Pollution. The mergify() function allows attackers to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Recommendation: No fix is currently available. Consider using an alternative module as the package is deprecated.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-1057, CVE-2020-1180.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-1057, CVE-2020-1172.
A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory, aka 'Microsoft Browser Memory Corruption Vulnerability'.
All versions of commqnder contain malicious code. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. Upon require the package attempts to start a cryptocurrency miner using coin-hive. Remove the package from your environment and verify whether your system is running the cryptocurrency miner.
All versions of commmander contain malicious code. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. Upon require the package attempts to start a cryptocurrency miner using coin-hive. Remove the package from your environment and verify whether your system is running the cryptocurrency miner.
All versions of equest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of requst typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
of angluar-cli contains malicious code as a postinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed the package attempts to remove files and stop processes related to McAfee antivirus on macOS. Remove the package from your environment and verify whether files were deleted and if processes were stopped.
of blubird contains malicious code. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. Upon require the package attempts to start a cryptocurrency miner using coin-hive. Remove the package from your environment and verify whether your system is running the cryptocurrency miner.
All versions of reuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
of epress contains malicious code. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. Upon require the package attempts to start a cryptocurrency miner using coin-hive. Remove the package from your environment and verify whether your system is running the cryptocurrency miner.
All versions of test-module-a contain malicious code as a preinstall script. The package fetches all names of npm packages owned by the user and attempts to add another maintainer to every package as a means of package hijacking. Recommendation: Remove the package from your system. If you own any packages that were compromised please contact npm security immediately at security@npmjs.com. Also enable 2FA for publishing to further secure packages …
All versions of electron-native-notify contain malicious code. The package was part of a targeted attack to steal cryptocurrency wallet seeds and upload them to a remote server, effectively giving attackers access to users' wallets. Recommendation: Remove the package from your environment and follow the recommendations by Komodo.
All versions of shrugging-logging contain malicious code as a postinstall script. The package fetches all names of npm packages owned by the user and attempts to add another maintainer to every package as a means of package hijacking. Recommendation: Remove the package from your system. If you own any packages that were compromised please contact npm security immediately at security@npmjs.com. Also enable 2FA for publishing to further secure packages …
A spoofing vulnerability manifests in Microsoft Xamarin.Forms due to the default settings on Android WebView, aka 'Xamarin.Forms Spoofing Vulnerability'.
Versions of bigint-money are vulnerable to an Incorrect Calculation. The package incorrectly rounded certain numbers, which could have drastic consequences due to its usage in financial systems.
A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.
When using the StreamGenerator, the code parses user-provided XML. A specially crafted XML document, including external system entities, could be used to access any file on the server system.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-1172, CVE-2020-1180.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in grunt-radical.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in wxchangba.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in angular-location-update.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in soletta-dev-app.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ng-ui-library.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in grunt-radic.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in react-datepicker-plus.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in wizard-syncronizer.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in precode.js.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in motiv.scss.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in entitlements.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in github-jquery-widgets.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in scroool.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in geoheat.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ember-power-timepicker.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in radic-util.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in node-red.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in serve.
Cross-site scripting (XSS) vulnerability in Dojo Toolkit before 1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings, which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names, aka 'Microsoft ASP.NET Core Security Feature Bypass Vulnerability'.
An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.
Affected versions of node-sass are vulnerable to Denial of Service (DoS). Crafted objects passed to the renderSync function may trigger C++ assertions in CustomImporterBridge::get_importer_entry and CustomImporterBridge::post_process_return_value that crash the Node process. This may allow attackers to crash the system's running Node process and lead to Denial of Service. Recommendation: Upgrade to version 4.13.1 or later.
Versions of diagram-js-direct-editing are vulnerable to Cross-Site Scripting. The package fails to sanitize input from the clipboard, allowing attackers to execute arbitrary JavaScript in the victim's browser. Upgrade to or later.
Versions of diagram-js are vulnerable to Cross-Site Scripting. The package fails to escape output of user-controlled input in search-pad, allowing attackers to execute arbitrary JavaScript. If you are using diagram-js, upgrade to
In Action View there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the t and translate helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not …
Bitcoin Core and Bitcoin Knots allow remote denial of service via a flood of multiple transaction inv messages with random hashes, aka INVDoS. NOTE: this can also affect other cryptocurrencies, e.g., if they were forked from Bitcoin Core.
In XWiki before versions 11.10.5 or 12.2.1, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context, which contains tools that allow instantiating arbitrary Java objects and invoking methods that may lead to arbitrary code execution. The only workaround is to give SCRIPT right only to trusted users.
apollo-adminservice does not implement access controls. If users expose apollo-adminservice to the internet (which is not recommended), there are potential security issues, since apollo-adminservice is designed to work in an intranet and does not have access control built in. Malicious hackers may access apollo-adminservice APIs directly to access or edit the application's configurations. To fix the potential issue without upgrading, simply follow the advice not to expose apollo-adminservice to the internet.
Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the jmxrmi entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original and binds that, they effectively become a man in the middle and are able to intercept the credentials when a user …
This advisory has been marked as a false positive.
A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
node-fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't …
Back in mid June a security vulnerability was reported to the team; the reason for the slow response was that ownership of some packages was locked and we wanted to be sure to update all packages before any disclosure was released. The issue is deemed to be a Low severity vulnerability. Impact: This vulnerability impacts users who rely on the four last digits of personnummer to be a real personnummer. …
The Python TUF reference implementation tuf<0.12 will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a man-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates. While investigating the reported vulnerability, we discovered that the detailed client …
The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite.
Versions of bin-links are vulnerable to a symlink reference outside of node_modules. It is possible to create symlinks to files outside of the node_modules folder through the bin field. This may allow attackers to access unauthorized files.
All versions of html-pdf-chrome are vulnerable to Server-Side Request Forgery (SSRF). The package executes HTTP requests if the parsed HTML contains external references to resources, such as <iframe src="http://localhost" height="800px" width="800px"></iframe>. This allows attackers to access resources through HTTP that are accessible to the server, including private resources in the hosting environment. Recommendation: No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of ftp-srv are vulnerable to Server-Side Request Forgery (SSRF). The package fails to prevent remote clients from accessing other resources in the network, for example when connecting to the server through telnet. This allows attackers to access any network resources available to the server, including private resources in the hosting environment. Recommendation: No fix is currently available. Consider using an alternative package until a fix is made available.
Versions of notevil are vulnerable to Sandbox Escape leading to Prototype Pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. Evaluating the payload try{a[b];}catch(e){e.constructor.constructor('return proto.arguments.callee.proto.polluted=true')()} adds the polluted property to Function.
Versions of papaparse are vulnerable to Regular Expression Denial of Service (ReDoS). The parse function contains a malformed regular expression that takes exponentially longer to process non-numerical inputs. This allows attackers to stall systems and lead to Denial of Service. Upgrade to or later.
All versions of markdown are vulnerable to Regular Expression Denial of Service (ReDoS). The markdown.toHTML() function has significantly degraded performance when parsing long strings containing underscores. This may lead to Denial of Service if the parser accepts user input. No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of unflatten are vulnerable to prototype pollution. The function unflatten does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of sahmat are vulnerable to prototype pollution. The package does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation: No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of safe-object2 are vulnerable to prototype pollution. The settter() function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation: No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of reggae are vulnerable to prototype pollution. The function set does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. No fix is currently available. Consider using an alternative package until a fix is made available.
Versions of klona prior to 1.1.1 are vulnerable to prototype pollution. The package does not restrict the modification of an Object's prototype when cloning objects, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation: Upgrade to version 1.1.1 or later.
All versions of getsetdeep are vulnerable to prototype pollution. The setDeep() function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of get-setter are vulnerable to prototype pollution. The function set does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of flat-wrap are vulnerable to prototype pollution. The function unflatten does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. No fix is currently available. Consider using an alternative package until a fix is made available.
All versions of deep-setter are vulnerable to prototype pollution. The package does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation: No fix is currently available. Consider using an alternative package until a fix is made available.
Versions of vue-moment contain an Outdated Static Dependency. The package depends on moment and has it loaded statically instead of as a dependency that can be updated. It has moment@2.19.1 that contains a Regular Expression Denial of Service vulnerability.
GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit f06b3e.
GNOME project libxml2 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of 1337qq-js contain malicious code. The package exfiltrates sensitive information through install scripts. It targets UNIX systems. The information exfiltrated includes: environment variables, running processes, /etc/hosts, the output of uname -a, and the npmrc file. Remove the package from your system and rotate any compromised credentials.
All versions of sj-labc contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …
All versions of cxct contain malicious code. The package finds and exfiltrates cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing …
All versions of parsel use an insecure key derivation function. The package runs keys of arbitrary lengths through one round of SHA256 hashing for key stretching. This allows for the use of keys of insufficient entropy with inappropriate key stretching. The package is deprecated and will not be updated. Consider using an alternative package.
All versions of parsel use an insecure cryptography algorithm. The package uses aes-256-cbc without integrity checks, which renders the ciphertext vulnerable to bit-flipping attacks. The package is deprecated and will not be updated. Consider using an alternative package.
Versions of type-graphql are vulnerable to Information Exposure. The package leaks the resolver source code in an error message. It is possible to force this error when no subscription topics are provided in the request. Upgrade to or later.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pitboss-ng.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in lighter-vm.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in @hapi/hoek.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in sandbox.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in veval.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in kerberos.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in traceroute.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in gnuplot.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in malicious-npm-package.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in plotter.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in giting.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in @zhaoyao91/eval-in-vm.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in localeval.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in meta-git.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in mongodb-query-parser.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in npm-git-publish.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in next.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in react.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nextcloud-vue-collections.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @hapi/boom.
A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in markdown-it-katex.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in atlasboard-atlassian-package.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in react.
All versions of passport-cognito are vulnerable to Improper Authorization. The package fails to properly scope the variables containing authorization information, such as access token, refresh token and ID token. This causes a race condition where simultaneous authenticated users may receive authorization tokens for a different user. This would allow a user to take actions on another user's behalf. Recommendation: No fix is currently available. Consider using an alternative package …
All versions of parsel have a default hardcoded initialization vector. In cases where the IV is not provided, the package defaults to a hardcoded IV which renders the cipher vulnerable to chosen plaintext attacks. The package is deprecated and will not be updated. Consider using an alternative package.
Versions of bin-links are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent globally-installed binaries from being overwritten by other package installs. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This behavior is still allowed in local installations.
Bundler uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function. For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception: curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')" Recommendation: …
Versions of @commercial/ammo are vulnerable to Denial of Service. The Range HTTP header parser has a vulnerability which will cause the function to throw a system error if the header is set to an invalid value. Because hapi is not expecting the function to ever throw, the error is thrown all the way up the stack. If no unhandled exception handler is available, the application will exit, allowing an attacker …
All versions of treekill are vulnerable to Command Injection. The package fails to sanitize values passed to the kill function. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. The issue only affects Windows systems. Recommendation: No fix is currently available. Consider using an alternative package until a fix is made available.
Versions of tree-kill prior to 1.2.2 are vulnerable to Command Injection. The package fails to sanitize values passed to the kill function. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. The issue only affects Windows systems. Recommendation: Upgrade to version 1.2.2 or later.
Versions of strapi before 3.0.0-beta.17.8 are vulnerable to Command Injection. The package fails to sanitize plugin names in the /admin/plugins/install/ route. This may allow an authenticated attacker with admin privileges to run arbitrary commands in the server. Recommendation: Upgrade to version 3.0.0-beta.17.8 or later.
The package bestzip is vulnerable to Command Injection via the options param.
GNOME project libxml2 has a global Buffer Overflow vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c.
libxml2 has a global Buffer Overflow vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c.
All versions of express-laravel-passport are vulnerable to an Authentication Bypass. The package fails to properly validate JWTs, allowing attackers to send HTTP requests impersonating other users. Upgrade to or later.
Versions of bin-links are vulnerable to an Arbitrary File Write. The package fails to restrict access to folders outside of the intended node_modules folder through the bin field. This allows attackers to create arbitrary files in the system. Note it is not possible to overwrite files that already exist. ## Recommendation
All versions of larvitbase-www are vulnerable to an Unintended Require. The package exposes an API endpoint and passes a GET parameter unsanitized to an require() call. This allows attackers to execute any .js file in the same folder as the server is running. No fix is currently available. Consider using an alternative package until a fix is made available.
Versions of zencashjs may cause loss of funds when used with cryptocurrency wallets. The package relies on a string comparison of the first two characters of a Horizen address to determine the destination address type of a transaction (P2PKH or P2SH). Due to the base58 address prefixes chosen in Horizen there exists the possibility of a clash of address prefixes for testnet P2PKH and mainnet P2SH addresses, testnet P2PKH addresses …
Versions of node-git-server are vulnerable to Unauthorized File Access. It is possible to access any git repository by using absolute paths, which may allow attackers to access private repositories. Upgrade to or later.
Versions of sails-mysql are vulnerable to SQL Injection. The sort keyword is not properly sanitized and may allow attackers to inject SQL statements and execute arbitrary SQL queries.
The uppy npm package is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan the local or external network or otherwise interact with internal systems.
All versions of put are vulnerable to Uninitialized Memory Exposure. The package incorrectly calculates the allocated Buffer size and does not trim the bytes written, which may allow attackers to access uninitialized memory containing sensitive data. This vulnerability only affects versions of Node.js. Upgrade your Node.js version or consider using an alternative package.
Versions of ibm_db prior to 2.6.0 are vulnerable to Sensitive Data Exposure. The package printed database credentials in plaintext in logs while in debug mode. Recommendation: Upgrade to version 2.6.0 or later and ensure sensitive information was not logged.
Versions of showdown are vulnerable to Reverse Tabnabbing. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page when opening links. This is commonly used for phishing attacks.
Versions of quill prior to 1.3.7 are vulnerable to Reverse Tabnabbing. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page when opening links. This is commonly used for phishing attacks. Recommendation: No fix is currently available. Consider using an alternative package until a fix is made available.
Relative Path Traversal in swagger-injector.
Relative Path Traversal in file-static-server.
Relative Path Traversal in sapper.
Relative Path Traversal in restify-swagger-jsdoc.
Relative Path Traversal in ponse.
Relative Path Traversal in public.
Relative Path Traversal in f-serv.
Relative Path Traversal in zero.
Relative Path Traversal in bruteser.
Relative Path Traversal in @wturyn/swagger-injector.
All versions of sql-injection are vulnerable to Regular Expression Denial of Service. The package processes a request's body with regular expressions that may take exponentially longer to execute for large inputs. No fix is currently available. Consider using an alternative package until a fix is made available.
Versions of simple-markdown prior to 0.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS). The SimpleMarkdown.defaultInlineParse() function has significantly degraded performance when parsing inline code blocks. Recommendation: Upgrade to version 0.5.2 or later.
Affected versions of marked are vulnerable to Regular Expression Denial of Service (ReDoS). The _label subrule may significantly degrade parsing performance of malformed input. Recommendation: Upgrade to version 0.7.0 or later.
All versions of subtext are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts’ content can be set as the entire payload object’s prototype. If this prototype contains data, it may bypass other validation rules which enforce access and privacy. If this prototype evaluates to null, it can cause unhandled exceptions when the request payload is accessed. Recommendation: This package …
Affected versions of mithril are vulnerable to prototype pollution. The function parseQueryString may allow a malicious user to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. A payload such as proto%5BtoString%5D=123 in the query string would change the toString() function to 123. If you are using mithril, upgrade to or later. If you are using mithril, upgrade to or …
Versions of lodash.mergewith are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {…}}} causing the addition or modification of an existing property that will exist on all objects. Update to or later.
Versions of lodash.mergewith are vulnerable to Prototype Pollution. The function 'mergeWith' may allow a malicious user to modify the prototype of Object via proto causing the addition or modification of an existing property that will exist on all objects. Update to or later.
Versions of lodash.merge are vulnerable to Prototype Pollution. The function 'merge' may allow a malicious user to modify the prototype of Object via proto causing the addition or modification of an existing property that will exist on all objects. Update to or later.
Versions of lodash.merge are vulnerable to prototype pollution. The function merge may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {…}}} causing the addition or modification of an existing property that will exist on all objects. Update to or later.
Versions of lodash.defaultsdeep are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {…}}} causing the addition or modification of an existing property that will exist on all objects. Update to or later.
Versions of lodash.defaultsdeep are vulnerable to Prototype Pollution. The function 'defaultsDeep' may allow a malicious user to modify the prototype of Object via proto causing the addition or modification of an existing property that will exist on all objects. Update to or later.
Versions of @hapi/subtext are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts’ content can be set as the entire payload object’s prototype. If this prototype contains data, it may bypass other validation rules which enforce access and privacy. If this prototype evaluates to null, it can cause unhandled exceptions when the request payload is accessed.
Versions of @commercial/subtext are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts’ content can be set as the entire payload object’s prototype. If this prototype contains data, it may bypass other validation rules which enforce access and privacy. If this prototype evaluates to null, it can cause unhandled exceptions when the request payload is accessed.
Versions of apostrophe prior to 2.92.0 are vulnerable to Open Redirect. The package redirected requests to third-party websites if escaped URLs followed by a trailing / were appended at the end. Recommendation: Update to version 2.92.0 or later.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of anarchy contain malicious code. The package ran rm -rf / as an install script. Remove the package from your environment.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of superhappyfuntime contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …
All versions of maybemaliciouspackage contain malicious code. The package prints the system's SSH keys to the console as a postinstall script. Recommendation: Remove the package from your environment. There are no further signs of compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
of load-from-cwd-or-npm contains malicious code. The malware breaks functionality of the purescript-installer package by injecting targeted code. Recommendation: There is no indication of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of cage-js contain malicious code. The malware downloads and runs a script from a remote server as a postinstall script. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of comander contain malicious code. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. Upon require, the package attempts to start a cryptocurrency miner using coin-hive. Remove the package from your environment and verify whether your system is running the cryptocurrency miner.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of sj-tw-test-security contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …
All versions of sdfjghlkfjdshlkjdhsfg contain malicious code. The package is essentially a worm that fetches all packages owned by the user, adds a script to self-replicate as a preinstall script and publishes a new version. Recommendation: Remove the package from your environment and ensure all packages owned were not impacted.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of discord.js-user contain malicious code. The package uploads the user's Discord token to a remote server. Remove the package from your environment. Ensure any compromised tokens are invalidated.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of nodes.js contain malicious code. The package searches for and globally installs thousands of packages matching the keywords node, react, react-native, vue, angular and babel in order to fill the system's memory. Remove the package from your environment and validate which packages are installed.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of malicious-do-not-install contain malicious code. The package copies the contents of /etc/passwd and /etc/shadow to files in the local /tmp/ folder. Remove the package from your environment and rotate affected credentials.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
All versions of owl-orchard-apple-sunshine contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
All versions of only-test-not-install contain malicious code. The package deletes the folder ~/test from the system as a postinstall script. Recommendation: Remove the package from your environment. There are no further signs of compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
of 8.9.4 contain malicious code as a preinstall script. The package reads the system's SSH keys but does not upload them to a remote server. Remove the package from your environment. There is no evidence of further compromise at the moment.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of maleficent contain malicious code. The package is a demonstration of the possible risks of installing npm packages. It gathers system information such as environment variables, OS information, network interfaces, AWS credentials, npm credentials and SSH keys. The package writes the information to a local file but does not upload it to a remote server. Remove the package from your environment. There is no further compromise.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of sj-tw-sec contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of my-very-own-package contain malicious code. The package sends the output of process.versions, process.arch and process.platform to a remote server in a postinstall script. Remove the package from your environment. There are no further signs of compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of sj-tw-abc contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of arsenic-tabasco-cyborg-peanut-butter contain malicious code. The package downloads and runs a script that opens a reverse shell in the system. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of deasyncp contain malicious code. The package shuts down the machine upon installation as a preinstall script. Remove the package from your environment. There is no further compromise.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
of rate-map contains malicious code. The malware breaks functionality of the purescript-installer package by rewriting code of the dl-tar dependency. Recommendation: There is no indication of further compromise.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
of pizza-pasta contains malicious code in its install scripts. The package created folders on the system's Desktop and downloaded an image from imgur.com. The package also printed the user's SSH keys to the console. Remove the package from your environment. There is no evidence of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of fast-requests contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation: Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account, contact your credit card company.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
of harmlesspackage contains malicious code as a postinstall script. The package printed a message to the console and performed a GET request to a remote server. Remove the package from your environment. There is no evidence of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
All versions of evil-package contain malicious code. The package uploads the contents of process.env to example.com/log. Remove the package from your environment. Given the host the information was uploaded to, there is no further indication of compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Remove the package from your environment. There are no indications of further compromise.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user. Remove the package from your environment. Ensure no Ethereum funds were compromised.
All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …
of leetlog contain malicious code. The package adds an arbitrary hardcoded SSH key identified as hacker@evilmachine to the system's authorized_keys file. Recommendation: Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an …
Affected versions of airtable are vulnerable to Machine-In-The-Middle. The package unintentionally has SSL certificate validation disabled by default. This may allow attackers in a privileged network position to decrypt intercepted traffic.
All versions of domokeeper are vulnerable to Local File Inclusion. The /plugin/ route passes a GET parameter unsanitized to a require() call. It then returns the output of require() in the server response. This may allow attackers to load unintended code in the application. It also allows attackers to exfiltrate information in .json files. No fix is currently available. Consider using an alternative package until a fix is made available.
The package grunt is vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.
Versions of simple-crypto-js use AES-CBC with PKCS#7 padding, which is vulnerable to padding oracle attacks. This may allow attackers to break the encryption and access sensitive data.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in local-devices.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in secure_identity_login_module.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in bmap.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in cal_rd.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in sailclothjs.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in qingting.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in require-node.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in priest-runner.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in mx-nested-menu.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in notevil.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in uploader-plugin.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pullit.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in cicada-render.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in @fangrong/xoc.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in zemen.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in tiar.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in node-wifi.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in safer-eval.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in iie-viz.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in libubx.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in json-serializer.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in diamond-clien.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ember_cli_babe.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rpc-websocket.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in hsf-clients.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in alipayjsapi.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ngx-pica.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in alico.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in node-buc.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in smartsearchwp.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ali-contributors.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in marsdb.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in safe-eval.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in device-mqtt.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ngx-context-menu.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pyramid-proportion.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in require-port.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in leaflet-gpx.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in river-mock.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ngx-md.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in uglyfi.js.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in luna-mock.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in log-symboles.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in jquery-airload.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in node-rules.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in appx-compiler.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pm-controls.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in jekyll-for-github-projects.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in slush-fullstack-framework.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in antd-cloud.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in midway-xtpl.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in m-backdoor.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in yeoman-genrator.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ali-contributor.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in retcodelog.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in midway-dataproxy.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in radicjs.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in hpmm.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pensi-scheduler.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in bb-builder.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in vue-backbone.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in hexo-admin.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @toast-ui/editor.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in htmr.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dmn-js-properties-panel.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in snekserve.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in graylog-web-interface.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in takeapeek.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @ionic/core.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cmmn-js-properties-panel.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bleach.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bpmn-js-properties-panel.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dompurify.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bootstrap-select.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @berslucas/liljs.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in console-feed.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in jquery.json-viewer.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in eco.
Improper Neutralization in @hapi/accept.
Improper Neutralization in subtext.
Improper Neutralization in @commercial/subtext.
Improper Neutralization in subtext.
Improper Neutralization in @hapi/subtext.
Improper Neutralization in @hapi/subtext.
Improper Neutralization in @commercial/subtext.
All versions of react-oauth-flow fail to properly implement the OAuth protocol. The package stores secrets in the front-end code. Instead of using a public OAuth client, it uses a confidential client in the browser. This may allow attackers to compromise server credentials. No fix is currently available. Consider using an alternative module until a fix is made available.
Affected versions of @sap-cloud-sdk/core do not properly validate JWTs. The verifyJwt() function does not properly validate the URL from which the public verification key for the JWT can be downloaded. Any URL was trusted, which makes it possible to provide a URL belonging to a manipulated JWT. Upgrade to or later.
All versions of marky-markdown are vulnerable to HTML Injection. The package fails to sanitize style attributes in img tags of the markdown input. This may allow attackers to affect the size of images in the rendered HTML. Recommendation: This package is no longer maintained. Please upgrade to @npmcorp/marky-markdown.
All versions of marky-markdown are vulnerable to HTML Injection due to a validation bypass. The package only allows iframes where the source is youtube.com, but it is possible to bypass the validation with sources where youtube.com is a subdomain, such as youtube.com.evil.co. Recommendation: This package is no longer maintained. Please upgrade to @npmcorp/marky-markdown.
Versions of sequelize prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect fails to catch a TypeError exception for the results variable. The results value may be undefined and trigger the error on a .map call. This may allow attackers to submit malicious input that forces the exception and crashes the Node process. The following proof-of-concept crashes the Node process: const Sequelize = require('sequelize'); const sequelize …
Versions of mongodb are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application. Upgrade to or later.
Versions of http-live-simulator prior to 1.0.8 are vulnerable to Denial of Service. The package fails to catch an exception that causes the Node process to crash, effectively shutting down the server. This allows an attacker to send an HTTP request that crashes the server. Recommendation: Upgrade to version 1.0.8 or later.
All versions of hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exit, allowing an attacker to shut down services. Recommendation: This package is deprecated and is now maintained as @hapi/hapi. Please update your dependencies to use @hapi/hapi.
Affected versions of handlebars are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources, leading to Denial of Service. Recommendation: Upgrade to version 4.4.5 or later.
Versions of grpc-ts-health-check are vulnerable to Denial of Service. The package exposes an API endpoint that may allow attackers to set the service's health status to failing. This can lead to Denial of Service as Kubernetes blocks traffic to services with a failing status. Upgrade to or later.
Versions of express-fileupload prior to 1.1.6-alpha.6 are vulnerable to Denial of Service. The package causes server responses to be delayed (up to 30s in internal testing) if the request contains a large filename consisting of "." characters.
Versions of apostrophe prior to 2.97.1 are vulnerable to Denial of Service. The apostrophe-jobs module sets a callback for incoming jobs and does not clear it regardless of the job's status. This causes the server to accumulate callbacks, allowing an attacker to start a large number of jobs and exhaust system memory. Recommendation: Upgrade to version 2.97.1 or later.
All versions of ammo are vulnerable to Denial of Service. The Range HTTP header parser has a vulnerability which will cause the function to throw a system error if the header is set to an invalid value. Because hapi is not expecting the function to ever throw, the error is thrown all the way up the stack. If no unhandled exception handler is available, the application will exit, allowing an …
Versions of @hapi/hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exit, allowing an attacker to shut down services.
Versions of @hapi/ammo are vulnerable to Denial of Service. The Range HTTP header parser has a vulnerability which will cause the function to throw a system error if the header is set to an invalid value. Because hapi is not expecting the function to ever throw, the error is thrown all the way up the stack. If no unhandled exception handler is available, the application will exit, allowing an attacker …
Affected versions of @commercial/hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exit, allowing an attacker to shut down services.
All versions of mavon-editor are vulnerable to Cross-Site Scripting. The package fails to sanitize entered input, allowing attackers to execute arbitrary JavaScript in a victim's browser. No fix is currently available. Consider using an alternative package until a fix is made available.
Versions of markdown-to-jsx are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization, the package may render output containing malicious JavaScript. This vulnerability can be exploited through input of links containing data or VBScript URIs and a base64-encoded payload. Upgrade to or later.
Versions of lazysizes prior to 5.2.1-rc1 are vulnerable to Cross-Site Scripting. The video-embed plugin fails to sanitize the following attributes: data-vimeo, data-vimeoparams, data-youtube and data-ytparams. This allows attackers to execute arbitrary JavaScript in a victim's browser if the attacker has control over the vulnerable attributes. Recommendation: Upgrade to version 5.2.1-rc1 or later.