We've disclosed 3449 vulnerabilities
by Snyk Security Researchers
Avoid using all malicious instances of the @zapier/zapier-sdk package.
bitcoin-lib-js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship.
pretix is a package described as "Reinventing presales, one ticket at a time".
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the email template rendering logic. An attacker can cause arbitrary HTML content to be injected into outgoing emails by supplying specially crafted input in the attendee name field. This can be abused to manipulate the appearance of emails, making malicious content appear credible and potentially facilitating phishing attacks.
Affected versions of this package are vulnerable to SQL Injection via the processing of delete column statistics requests through the HMS Thrift APIs. An attacker can execute arbitrary SQL commands by sending specially crafted requests to the affected API endpoints. This is only exploitable if the attacker is a trusted or authorized user/application with direct access to the Thrift APIs, and if the metastore.try.direct.sql property is set to true.
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.