Common Weakness Enumeration

CWE-506

Allowed-with-Review

Embedded Malicious Code

Abstraction: Class · Status: Incomplete

The product contains code that appears to be malicious in nature.

525 vulnerabilities reference this CWE, most recent first.

GHSA-9298-M7JF-55H2

Vulnerability from github – Published: 2020-09-04 16:42 – Updated: 2021-10-01 20:43
VLAI
Summary
Malicious Package in bitconid-rpc
Details

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.

Recommendation

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.

The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "bitconid-rpc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:56:44Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
  "id": "GHSA-9298-m7jf-55h2",
  "modified": "2021-10-01T20:43:38Z",
  "published": "2020-09-04T16:42:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1369"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in bitconid-rpc"
}

GHSA-92PX-Q4W8-HRR5

Vulnerability from github – Published: 2020-09-01 19:56 – Updated: 2021-09-24 18:30
VLAI
Summary
Malicious Package in impala
Details

Version 1.1.7 of impala contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl=

Recommendation

If version 1.1.7 of this module is found installed you will want to replace it with a version before or after 1.1.7. In addition to replacing the installed module, you will also want to evaluate your application to determine whether or not user data was compromised.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "impala"
      },
      "versions": [
        "1.1.7"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:30:28Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Version 1.1.7 of `impala` contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to `https://js-metrics.com/minjs.php?pl=`\n\n\n\n## Recommendation\n\nIf version 1.1.7 of this module is found installed you will want to replace it with a version before or after 1.1.7. In addition to replacing the installed module, you will also want to evaluate your application to determine whether or not user data was compromised.",
  "id": "GHSA-92px-q4w8-hrr5",
  "modified": "2021-09-24T18:30:53Z",
  "published": "2020-09-01T19:56:52Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://github.com/shenfw1987/impala"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-IMPALA-450989"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/628"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in impala"
}

GHSA-955R-262C-33JC

Vulnerability from github – Published: 2026-03-30 19:15 – Updated: 2026-03-30 19:15
VLAI
Summary
Telnyx has malicious code in PyPI versions 4.87.1 and 4.87.2
Details

Summary

On March 27, 2026, a threat actor used compromised PyPI credentials to publish malicious versions 4.87.1 and 4.87.2 of the telnyx Python package directly to PyPI. These versions contain credential-stealing malware and were not published through the legitimate GitHub release pipeline.

Exposure Window

Version Published (UTC) Quarantined (UTC) Exposure
4.87.1 (broken) 2026-03-27 03:51 2026-03-27 10:13 6h 22m
4.87.2 (functional) 2026-03-27 04:07 2026-03-27 10:13 6h 6m

Both versions were quarantined by PyPI at 2026-03-27 10:13 UTC.

Note: Version 4.87.1 contained a typo that prevented the malware from executing. Only 4.87.2 was fully functional.

Who Is Affected

You may be affected if: - You installed or upgraded the telnyx Python package between 03:51 UTC and 10:13 UTC on March 27, 2026 - You ran pip install telnyx without pinning a version and received 4.87.1 or 4.87.2 - A dependency in your project pulled in telnyx as a transitive, unpinned dependency

You are NOT affected if: - You pinned to version 4.87.0 or earlier - You installed before March 27, 2026 and did not upgrade - You built from GitHub source (malicious code was never committed to the repository)

Attack Details

Root Cause

The attacker obtained the PyPI API token and uploaded malicious packages directly to PyPI, bypassing the GitHub release pipeline entirely. No malicious commits exist in the GitHub repository.

Malicious Behavior

The malware is injected into telnyx/_client.py (74 additional lines) and executes on import telnyx:

Linux/macOS: 1. Spawns detached subprocess to survive parent exit 2. Downloads payload hidden inside WAV audio file (steganography) from C2 3. Harvests credentials: SSH keys, AWS/GCP/Azure creds, Kubernetes tokens, Docker configs, .env files, database credentials, crypto wallets 4. If Kubernetes access found, deploys privileged pods to all nodes for lateral movement 5. Encrypts with AES-256-CBC + RSA-4096, exfiltrates to C2

Windows: 1. Downloads binary hidden inside WAV file from C2 2. Drops as msbuild.exe in Startup folder for persistence 3. Executes with hidden window

Version Differences

Version Status Notes
4.87.1 Broken Typo: Setup() instead of setup() caused NameError
4.87.2 Functional Attacker uploaded 16 minutes later to fix their own casing error; full attack chain operational

Verified Safe Version

Version File SHA-256
4.87.0 telnyx-4.87.0-py3-none-any.whl 5aeb8172c29ade224e6c2d166713f304596aa21e3dbfa5b6b2b028e6997f6bd2
4.87.0 telnyx-4.87.0.tar.gz 3f093a85c313c2b779594f99fc07f453f1a7fd8785878d963688c531ff94d03a

Recommended Actions

1. Check If You Are Affected

# Check installed version
pip show telnyx | grep Version

# Check pip cache for telnyx versions
pip cache list telnyx 2>/dev/null

# Check when telnyx was installed (modification time)
ls -la $(python -c "import site; print(site.getsitepackages()[0])")/telnyx* 2>/dev/null

2. Remove Compromised Versions

pip uninstall telnyx

3. Rotate All Potentially Exposed Secrets

If there is any possibility that version 4.87.1 or 4.87.2 was installed in your environment, treat all accessible secrets as compromised:

  • SSH keys
  • AWS/GCP/Azure credentials
  • Kubernetes tokens and service accounts
  • Docker registry credentials
  • Database passwords
  • API keys in .env files
  • Telnyx API keys

4. Check for Persistence (Linux/macOS)

# Check for malicious systemd service
systemctl --user status audiomon 2>/dev/null
ls -la ~/.config/audiomon/ 2>/dev/null

# Check state file
ls -la /tmp/.initd_state 2>/dev/null

5. Check for Persistence (Windows)

# Check Startup folder
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe"

6. Pin to Safe Version

pip install telnyx==4.87.0

Or in requirements.txt:

telnyx==4.87.0

Indicators of Compromise

Malicious Package Hashes

File SHA-256
telnyx-4.87.1-py3-none-any.whl 7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9
telnyx-4.87.2-py3-none-any.whl cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3

Network

IoC Type
83.142.209.203 C2 IP address
http://83.142.209.203:8080/ringtone.wav Payload endpoint (Linux/macOS)
http://83.142.209.203:8080/hangup.wav Payload endpoint (Windows)
http://83.142.209.203:8080/raw Persistence polling endpoint

Filesystem

Path Platform Purpose
~/.config/audiomon/audiomon.py Linux/macOS Persistence implant
~/.config/systemd/user/audiomon.service Linux Persistence service
/tmp/.initd_state Linux/macOS State tracking
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe Windows Persistence binary
msbuild.exe.lock Windows 12-hour cooldown lock

Exfiltration

  • Archive name: tpcp.tar.gz
  • HTTP header: X-Filename: tpcp.tar.gz
  • Encryption: AES-256-CBC + RSA-4096 OAEP

Attribution

This attack is attributed to TeamPCP with high confidence based on:

  • Identical RSA-4096 public key as the LiteLLM compromise (March 24, 2026)
  • tpcp.tar.gz archive naming convention (TeamPCP signature)
  • Identical AES-256-CBC + RSA OAEP encryption scheme
  • Same credential harvesting targets and techniques

RSA Key Hash: - PEM SHA-256: 4eceb569b4330565b93058465beab0e6d5ea09cfba8e7f29d7be1b5a2abd958a

Resources

  • https://github.com/team-telnyx/telnyx-python/issues/235
  • https://www.endorlabs.com/learn/teampcp-strikes-again-telnyx-compromised-three-days-after-litellm
  • https://ramimac.me/teampcp
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "telnyx"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.87.1"
            },
            {
              "last_affected": "4.87.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-30T19:15:30Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nOn March 27, 2026, a threat actor used compromised PyPI credentials to publish malicious versions 4.87.1 and 4.87.2 of the `telnyx` Python package directly to PyPI. These versions contain credential-stealing malware and were not published through the legitimate GitHub release pipeline.\n\n## Exposure Window\n\n| Version | Published (UTC) | Quarantined (UTC) | Exposure |\n|---------|-----------------|-------------------|----------|\n| 4.87.1 (broken) | 2026-03-27 03:51 | 2026-03-27 10:13 | 6h 22m |\n| 4.87.2 (functional) | 2026-03-27 04:07 | 2026-03-27 10:13 | 6h 6m |\n\n\n**Both versions were quarantined by PyPI at 2026-03-27 10:13 UTC.**\n\n**Note:** Version 4.87.1 contained a typo that prevented the malware from executing. Only 4.87.2 was fully functional.\n\n## Who Is Affected\n\nYou may be affected if:\n- You installed or upgraded the `telnyx` Python package between 03:51 UTC and 10:13 UTC on March 27, 2026\n- You ran `pip install telnyx` without pinning a version and received 4.87.1 or 4.87.2\n- A dependency in your project pulled in `telnyx` as a transitive, unpinned dependency\n\nYou are NOT affected if:\n- You pinned to version 4.87.0 or earlier\n- You installed before March 27, 2026 and did not upgrade\n- You built from GitHub source (malicious code was never committed to the repository)\n\n## Attack Details\n\n### Root Cause\n\nThe attacker obtained the PyPI API token and uploaded malicious packages directly to PyPI, bypassing the GitHub release pipeline entirely. No malicious commits exist in the GitHub repository.\n\n### Malicious Behavior\n\nThe malware is injected into `telnyx/_client.py` (74 additional lines) and executes on `import telnyx`:\n\n**Linux/macOS:**\n1. Spawns detached subprocess to survive parent exit\n2. Downloads payload hidden inside WAV audio file (steganography) from C2\n3. Harvests credentials: SSH keys, AWS/GCP/Azure creds, Kubernetes tokens, Docker configs, .env files, database credentials, crypto wallets\n4. If Kubernetes access found, deploys privileged pods to all nodes for lateral movement\n5. Encrypts with AES-256-CBC + RSA-4096, exfiltrates to C2\n\n**Windows:**\n1. Downloads binary hidden inside WAV file from C2\n2. Drops as `msbuild.exe` in Startup folder for persistence\n3. Executes with hidden window\n\n### Version Differences\n\n| Version | Status | Notes |\n|---------|--------|-------|\n| 4.87.1 | Broken | Typo: `Setup()` instead of `setup()` caused NameError |\n| 4.87.2 | Functional | Attacker uploaded 16 minutes later to fix their own casing error; full attack chain operational |\n\n## Verified Safe Version\n\n| Version | File | SHA-256 |\n|---------|------|--------|\n| **4.87.0** | `telnyx-4.87.0-py3-none-any.whl` | `5aeb8172c29ade224e6c2d166713f304596aa21e3dbfa5b6b2b028e6997f6bd2` |\n| **4.87.0** | `telnyx-4.87.0.tar.gz` | `3f093a85c313c2b779594f99fc07f453f1a7fd8785878d963688c531ff94d03a` |\n\n## Recommended Actions\n\n### 1. Check If You Are Affected\n\n```bash\n# Check installed version\npip show telnyx | grep Version\n\n# Check pip cache for telnyx versions\npip cache list telnyx 2\u003e/dev/null\n\n# Check when telnyx was installed (modification time)\nls -la $(python -c \"import site; print(site.getsitepackages()[0])\")/telnyx* 2\u003e/dev/null\n```\n\n### 2. Remove Compromised Versions\n\n```bash\npip uninstall telnyx\n```\n\n### 3. Rotate All Potentially Exposed Secrets\n\nIf there is any possibility that version 4.87.1 or 4.87.2 was installed in your environment, treat all accessible secrets as compromised:\n\n- SSH keys\n- AWS/GCP/Azure credentials\n- Kubernetes tokens and service accounts\n- Docker registry credentials\n- Database passwords\n- API keys in .env files\n- Telnyx API keys\n\n### 4. Check for Persistence (Linux/macOS)\n\n```bash\n# Check for malicious systemd service\nsystemctl --user status audiomon 2\u003e/dev/null\nls -la ~/.config/audiomon/ 2\u003e/dev/null\n\n# Check state file\nls -la /tmp/.initd_state 2\u003e/dev/null\n```\n\n### 5. Check for Persistence (Windows)\n\n```powershell\n# Check Startup folder\nGet-ChildItem \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msbuild.exe\"\n```\n\n### 6. Pin to Safe Version\n\n\n```bash\npip install telnyx==4.87.0\n```\n\nOr in requirements.txt:\n```\ntelnyx==4.87.0\n```\n\n## Indicators of Compromise\n\n### Malicious Package Hashes\n\n| File | SHA-256 |\n|------|--------|\n| `telnyx-4.87.1-py3-none-any.whl` | `7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9` |\n| `telnyx-4.87.2-py3-none-any.whl` | `cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3` |\n\n### Network\n\n| IoC | Type |\n|-----|------|\n| `83.142.209.203` | C2 IP address |\n| `http://83.142.209.203:8080/ringtone.wav` | Payload endpoint (Linux/macOS) |\n| `http://83.142.209.203:8080/hangup.wav` | Payload endpoint (Windows) |\n| `http://83.142.209.203:8080/raw` | Persistence polling endpoint |\n\n### Filesystem\n\n| Path | Platform | Purpose |\n|------|----------|--------|\n| `~/.config/audiomon/audiomon.py` | Linux/macOS | Persistence implant |\n| `~/.config/systemd/user/audiomon.service` | Linux | Persistence service |\n| `/tmp/.initd_state` | Linux/macOS | State tracking |\n| `%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msbuild.exe` | Windows | Persistence binary |\n| `msbuild.exe.lock` | Windows | 12-hour cooldown lock |\n\n### Exfiltration\n\n- Archive name: `tpcp.tar.gz`\n- HTTP header: `X-Filename: tpcp.tar.gz`\n- Encryption: AES-256-CBC + RSA-4096 OAEP\n\n## Attribution\n\nThis attack is attributed to **TeamPCP** with high confidence based on:\n\n- Identical RSA-4096 public key as the LiteLLM compromise (March 24, 2026)\n- `tpcp.tar.gz` archive naming convention (TeamPCP signature)\n- Identical AES-256-CBC + RSA OAEP encryption scheme\n- Same credential harvesting targets and techniques\n\nRSA Key Hash:\n- PEM SHA-256: `4eceb569b4330565b93058465beab0e6d5ea09cfba8e7f29d7be1b5a2abd958a`\n\n## Resources\n\n- https://github.com/team-telnyx/telnyx-python/issues/235\n- https://www.endorlabs.com/learn/teampcp-strikes-again-telnyx-compromised-three-days-after-litellm\n- https://ramimac.me/teampcp",
  "id": "GHSA-955r-262c-33jc",
  "modified": "2026-03-30T19:15:30Z",
  "published": "2026-03-30T19:15:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/team-telnyx/telnyx-python/security/advisories/GHSA-955r-262c-33jc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/team-telnyx/telnyx-python/issues/235"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/team-telnyx/telnyx-python"
    },
    {
      "type": "WEB",
      "url": "https://ramimac.me/teampcp"
    },
    {
      "type": "WEB",
      "url": "https://www.endorlabs.com/learn/teampcp-strikes-again-telnyx-compromised-three-days-after-litellm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Telnyx has malicious code in PyPI versions 4.87.1 and 4.87.2"
}

GHSA-95CG-3R4G-7W6J

Vulnerability from github – Published: 2020-09-03 23:01 – Updated: 2021-09-30 17:10
VLAI
Summary
Malicious Package in js-rha3
Details

Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.

Recommendation

Remove the package from your environment. Ensure no Ethereum funds were compromised.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "js-rha3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:53:42Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.\n\n\n## Recommendation\n\nRemove the package from your environment. Ensure no Ethereum funds were compromised.",
  "id": "GHSA-95cg-3r4g-7w6j",
  "modified": "2021-09-30T17:10:32Z",
  "published": "2020-09-03T23:01:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1283"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in js-rha3"
}

GHSA-97M3-W2CP-4XX6

Vulnerability from github – Published: 2022-03-16 23:54 – Updated: 2022-03-25 19:58
VLAI
Summary
Embedded Malicious Code in node-ipc
Details

The package node-ipc versions 10.1.1 and 10.1.2 are vulnerable to embedded malicious code that was introduced by the maintainer. The malicious code was intended to overwrite arbitrary files dependent upon the geo-location of the user IP address. The maintainer removed the malicious code in version 10.1.3.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-ipc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.1.1"
            },
            {
              "fixed": "10.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23812"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-506",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-16T23:54:32Z",
    "nvd_published_at": "2022-03-16T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The package node-ipc versions 10.1.1 and 10.1.2 are vulnerable to embedded malicious code that was introduced by the maintainer. The malicious code was intended to overwrite arbitrary files dependent upon the geo-location of the user IP address. The maintainer removed the malicious code in version 10.1.3.",
  "id": "GHSA-97m3-w2cp-4xx6",
  "modified": "2022-03-25T19:58:47Z",
  "published": "2022-03-16T23:54:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23812"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RIAEvangelist/node-ipc/issues/233"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RIAEvangelist/node-ipc/issues/236"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RIAEvangelist/node-ipc/commit/847047cf7f81ab08352038b2204f0e7633449580"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/RIAEvangelist/node-ipc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220407-0005"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-NODEIPC-2426370"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Embedded Malicious Code in node-ipc"
}

GHSA-97MP-9G5C-6C93

Vulnerability from github – Published: 2020-09-04 16:50 – Updated: 2021-10-01 20:49
VLAI
Summary
Malicious Package in bs58chcek
Details

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.

Recommendation

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.

The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "bs58chcek"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:56:58Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
  "id": "GHSA-97mp-9g5c-6c93",
  "modified": "2021-10-01T20:49:31Z",
  "published": "2020-09-04T16:50:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1375"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in bs58chcek"
}

GHSA-98X5-VQ43-VC5P

Vulnerability from github – Published: 2026-06-26 20:51 – Updated: 2026-06-26 20:51
VLAI
Summary
semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin
Details

Impact

semantic-router versions 0.1.8 through 0.1.14 declare litellm>=1.61.3 with no upper bound. During the window in which litellm==1.82.8 was the latest release on PyPI, a fresh install of any affected semantic-router version could resolve to that compromised wheel.

The malicious litellm==1.82.8 wheel ships a litellm_init.pth file that executes on Python interpreter startup — no import required. It collects and exfiltrates: - Process environment variables - AWS / GCP / Azure credentials - SSH keys, Kubernetes configs, shell history - Database credentials and CI/CD secrets - Cryptocurrency wallets

Stage-two payload encrypts the collected data (AES-256 + embedded RSA pubkey) and POSTs it to https://models.litellm.cloud/.

See upstream: BerriAI/litellm#24512 and CVE-2026-42208.

Patches

Fixed in semantic-router 0.1.15, which raises the floor to litellm>=1.83.7.

Workarounds

If developers cannot upgrade immediately: - Pin litellm>=1.83.7,!=1.82.8 explicitly in their own project. - Audit site-packages/ for litellm_init.pth and delete if present. - Rotate any credentials reachable from environments where an affected install ran.

Credit

Upstream report and triage by the litellm maintainers — see issue #24512.

One caveat before publishing

CVE-2026-42208 specifically names 1.82.8. Pip's resolver picks "latest matching", so the real affected blast radius for semantic-router is users who ran pip install during the window that 1.82.8 was on PyPI — not everyone who ever installed 0.1.8–0.1.14. The advisory is still correct (an affected install could have pulled the bad wheel), but consider whether a Severity: Critical / Exploitability: time-bounded note would help downstream readers understand the exposure model.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "semantic-router"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.8"
            },
            {
              "fixed": "0.1.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T20:51:20Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Impact\nsemantic-router versions 0.1.8 through 0.1.14 declare `litellm\u003e=1.61.3` with no upper bound. During the window in which `litellm==1.82.8` was the latest release on PyPI, a fresh install of any affected semantic-router version could resolve to that compromised wheel.\n\nThe malicious `litellm==1.82.8` wheel ships a `litellm_init.pth` file that executes on Python interpreter startup \u2014 no import required. It collects and exfiltrates:\n- Process environment variables\n- AWS / GCP / Azure credentials\n- SSH keys, Kubernetes configs, shell history\n- Database credentials and CI/CD secrets\n- Cryptocurrency wallets\n\nStage-two payload encrypts the collected data (AES-256 + embedded RSA pubkey) and POSTs it to `https://models.litellm.cloud/`.\n\nSee upstream: [BerriAI/litellm#24512](https://github.com/BerriAI/litellm/issues/24512) and [CVE-2026-42208](https://www.cve.org/CVERecord?id=CVE-2026-42208).\n\n## Patches\nFixed in **semantic-router 0.1.15**, which raises the floor to `litellm\u003e=1.83.7`.\n\n## Workarounds\nIf developers cannot upgrade immediately:\n- Pin `litellm\u003e=1.83.7,!=1.82.8` explicitly in their own project.\n- Audit `site-packages/` for `litellm_init.pth` and delete if present.\n- Rotate any credentials reachable from environments where an affected install ran.\n\n## Credit\nUpstream report and triage by the litellm maintainers \u2014 see issue [#24512](https://github.com/BerriAI/litellm/issues/24512).\n\nOne caveat before publishing\n\nCVE-2026-42208 specifically names 1.82.8. Pip\u0027s resolver picks \"latest matching\", so the real affected blast radius for semantic-router is users who ran pip install during the window that 1.82.8 was on PyPI \u2014 not everyone who ever installed 0.1.8\u20130.1.14. The advisory is still correct (an affected install could have pulled the bad wheel), but consider whether a Severity: Critical / Exploitability: time-bounded note would help downstream readers understand the exposure model.",
  "id": "GHSA-98x5-vq43-vc5p",
  "modified": "2026-06-26T20:51:20Z",
  "published": "2026-06-26T20:51:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aurelio-labs/semantic-router/security/advisories/GHSA-98x5-vq43-vc5p"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aurelio-labs/semantic-router"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin"
}

GHSA-99J7-FHR2-XFJ4

Vulnerability from github – Published: 2026-07-10 19:32 – Updated: 2026-07-10 19:32
VLAI
Summary
`exploration` was removed from crates.io for malicious code
Details

A method within the exploration crate attempted to download and execute a payload from a remote site.

The malicious crate had 1 version published on 2026-06-02, approximately 1 hour before removal, and had no evidence of actual usage. This crate had no dependencies on crates.io.

Rustsec to Kirill Boychenko from the Socket Threat Research Team for reporting this crate.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "exploration"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-10T19:32:24Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "A method within the `exploration` crate attempted to download and execute a payload from a remote site.\n\nThe malicious crate had 1 version published on 2026-06-02, approximately 1 hour before removal, and had no evidence of actual usage. This crate had no dependencies on crates.io.\n\nRustsec to Kirill Boychenko from the [Socket Threat Research Team](https://socket.dev/) for reporting this crate.",
  "id": "GHSA-99j7-fhr2-xfj4",
  "modified": "2026-07-10T19:32:24Z",
  "published": "2026-07-10T19:32:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0155.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "`exploration` was removed from crates.io for malicious code"
}

GHSA-9CPH-CQQH-36PW

Vulnerability from github – Published: 2020-09-04 15:29 – Updated: 2021-10-01 20:17
VLAI
Summary
Malicious Package in babel-loqder
Details

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.

Recommendation

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.

The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "babel-loqder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:55:59Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
  "id": "GHSA-9cph-cqqh-36pw",
  "modified": "2021-10-01T20:17:59Z",
  "published": "2020-09-04T15:29:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1350"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in babel-loqder"
}

GHSA-9FG5-F5PJ-RWCC

Vulnerability from github – Published: 2018-11-09 17:43 – Updated: 2023-09-11 21:49
VLAI
Summary
gruntcli is malware
Details

The gruntcli package is a piece of malware that steals environment variables and sends them to attacker controlled locations.

All versions have been unpublished from the npm registry.

Recommendation

As this package is malware, if you find it installed in your environment, the real security concern is determining how it got there.

If you have found this installed in your environment, you should: 1. Delete the package 2. Clear your npm cache 3. Ensure it is not present in any other package.json files on your system 4. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables.

Additionally, any service which may have been exposed via credentials in your environment variables, such as a database, should be reviewed for indicators of compromise as well.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "gruntcli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-16058"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:28:20Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The `gruntcli` package is a piece of malware that steals environment variables and sends them to attacker controlled locations. \n\nAll versions have been unpublished from the npm registry.\n\n\n## Recommendation\n\n\n\nAs this package is malware, if you find it installed in your environment, the real security concern is determining how it got there. \n\nIf you have found this installed in your environment, you should:\n1. Delete the package\n2. Clear your npm cache\n3. Ensure it is not present in any other package.json files on your system\n4. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables. \n\nAdditionally, any service which may have been exposed via credentials in your environment variables, such as a database, should be reviewed for indicators of compromise as well.",
  "id": "GHSA-9fg5-f5pj-rwcc",
  "modified": "2023-09-11T21:49:09Z",
  "published": "2018-11-09T17:43:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16058"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-9fg5-f5pj-rwcc"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/498"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "gruntcli is malware"
}

Mitigation
Implementation Operation

Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.

CAPEC-442: Infected Software

An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.

CAPEC-448: Embed Virus into DLL

An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.

CAPEC-636: Hiding Malicious Data or Code within Files

Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.