
Vulnerabilities from the last week
Malicious Package
moustick is a malicious package.
This package contains malicious code that fetches and eval()s a remote payload from an attacker-controlled URL (https://www.jsonkeeper.com/b/MYUKZ) on require() in moustick/index.js. The payload is designed to extract RELAYER_PRIVATE_KEY and JWT_SECRET from the victim's .env file. Although the package attempts to impersonate the legitimate package cookie-signature by using the real author's name (TJ Holowaychuk) and pointing to the legitimate visionmedia/node-cookie-signature GitHub repo, there is no connection between that organization and this package's authorship. Its content has not yet been removed from the official package manager.
Arbitrary Code Execution
modelscope is ModelScope, a library that brings the notion of Model-as-a-Service to life.
Affected versions of this package are vulnerable to Arbitrary Code Execution from the pipeline interface. There, a user can supply a malicious model that loads arbitrary modules via an acoustic-echo-cancellation task.
Insufficient Granularity of Access Control
org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services.
Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the getMembers() methods that serve the group members endpoint. An admin user with delegated access to read group memberships and users can use that delegated administrative access to read user profile attributes that are explicitly configured to be denied, exposing those values over the group membership API.
Recent vulnerabilities disclosed by Snyk
- H: Command Injection in degit (npm)
- C: Malicious Package in moustick (npm)
- C: Malicious Package in cookie-parser-legacy (npm)
- M: Arbitrary File Write via Archive Extraction (Zip Slip) in decompress (npm)
- H: CSV Injection in json-2-csv (npm)
Snyk security researchers have disclosed 3497 vulnerabilities.
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.