Security
Headlines
HeadlinesLatestCVEs

Tag

#js

Node.js Malware Campaign Targets Crypto Users with Fake Binance and TradingView Installers

Microsoft is calling attention to an ongoing malvertising campaign that makes use of Node.js to deliver malicious payloads capable of information theft and data exfiltration. The activity, first detected in October 2024, uses lures related to cryptocurrency trading to trick users into installing a rogue installer from fraudulent websites that masquerade as legitimate software like Binance or

The Hacker News
Open in Source
#web#microsoft#nodejs#js#git#The Hacker News
“Follow me” to this fake crypto exchange to claim $500

Follow me for lucky prizes scams are old fake crypto exchange scams in a new jacket and on a different platform

GHSA-fhg8-qxh5-7q3w: NATS Server may fail to authorize certain Jetstream admin APIs

## Advisory The management of JetStream assets happens with messages in the `$JS.` subject namespace in the system account; this is partially exposed into regular accounts to allow account holders to manage their assets. Some of the JS API requests were missing access controls, allowing any user with JS management permissions in any account to perform certain administrative actions on any JS asset in any other account. At least one of the unprotected APIs allows for data destruction. None of the affected APIs allow disclosing stream contents. ### Affected versions NATS Server: * Version 2 from v2.2.0 onwards, prior to v2.11.1 or v2.10.27 ----- ## Original Report (Lightly edited to confirm some supposition and in the summary to use past tense) ### Summary nats-server did not include authorization checks on 4 separate admin-level JetStream APIs: account purge, server remove, account stream move, and account stream cancel-move. In all cases, APIs are not properly restricted t...

GHSA-qc59-cxj2-c2w4: aws-cdk-lib's aspect order change causes different Permissions Boundary assigned to Role

### Summary The [AWS Cloud Development Kit (AWS CDK)](https://aws.amazon.com/cdk/) is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. In the CDK, developers organize their applications into reusable components called "[constructs](https://docs.aws.amazon.com/cdk/v2/guide/constructs.html)," which are organized into a hierarchical tree structure. One of the features of this framework is the ability to call "[Aspects](https://docs.aws.amazon.com/cdk/v2/guide/aspects.html)," which are mechanisms to set configuration options for all AWS Resources in a particular part of the hierarchy at once. Aspect execution happens in a specific order, and the last Aspect to execute controls the final values in the template. AWS CDK version [2.172.0](https://github.com/aws/aws-cdk/releases/tag/v2.172.0) introduced a new priority system for Aspects. Prior to this version, CDK would run Aspects based on hierarchical lo...

GHSA-66rc-vg9f-48m7: jsonschema2pojo has Improper Restriction of Operations within the Bounds of a Memory Buffer

A vulnerability, which was classified as problematic, has been found in joelittlejohn jsonschema2pojo 1.2.2. This issue affects the function apply of the file org/jsonschema2pojo/rules/SchemaRule.java of the component JSON File Handler. The manipulation leads to stack-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

GHSA-6q87-84jw-cjhp: @sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params

### Summary Unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of `event.url.searchParams` inside a server `load` function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL. ### Details SvelteKit tracks which parameters in `event.url.searchParams` are read inside server `load` functions. If the application iterates over the these parameters, the `uses.search_params` array included in the boot script (embedded in the server-rendered HTML) will have any search param name included in unsanitized form. `packages/kit/src/runtime/server/utils.js:150` has the `stringify_uses(node)` function which prints these out. ### Reproduction In a `+page.server.js` or `+layout.server.js`: ```js /** @type {import('@sveltejs/kit').Load} */ export function load(event) { const values = {}; for (const key of event.url.searchParams.keys()) { values[key] = event.url.searchParams.get(key); ...

GHSA-p9hh-mh5x-wvx3: Formie has XSS vulnerability for importing forms

### Impact When importing a form from JSON, if the field label or handle contained malicious content, the output wasn't correctly escaped when viewing a preview of what was to be imported. As imports are undertaking primarily by users who have themselves exported the form from one environment to another, and would require direct manipulation of the JSON export, this is marked as moderate. This vulnerability will not occur unless someone deliberately tampers with the export. ### Patches This has been fixed in Formie 2.1.44. Users should ensure they are running at least this version.

GHSA-356w-63v5-8wf4: Vite has an `server.fs.deny` bypass with an invalid `request-target`

### Summary The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. ### Impact Only apps with the following conditions are affected. - explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) - running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun) ### Details [HTTP 1.1 spec (RFC 9112) does not allow `#` in `request-target`](https://datatracker.ietf.org/doc/html/rfc9112#section-3.2). Although an attacker can send such a request. For those requests with an invalid `request-line` (it includes `request-target`), the spec [recommends to reject them with 400 or 301](https://datatracker.ietf.org/doc/html/rfc9112#section-3.2-4). The same can be said for HTTP 2 ([ref1](https://datatracker.ietf.org/doc/html/rfc9113#section-8.3.1-2.4.1), [ref2](https://datatracker.ietf.org/doc/html/rfc9113#section-8.3.1-3), [ref3](https...

GHSA-rq86-9m6r-cm3g: SurrealDB has uncaught exception in Net module that leads to database crash

A vulnerability was found where an attacker can crash the database via crafting a HTTP query that returns a null byte. The problem relies on an uncaught exception in the `net` module, where the result of the query will be converted to JSON before showing as the HTTP response to the user in the **/sql** endpoint. ### Impact This vulnerability allows any authenticated user to crash a SurrealDB instance by sending a crafted query with a null byte to the /sql endpoint. Where SurrealDB is used as an application backend, it is possible that an application user can crash the SurrealDB instance and thus the supported application through crafted inputs that exploit this attack vector. ### Patches A patch has been introduced that ensures the error is caught and converted as an error. - Versions 2.2.2, 2.1.5 and 2.0.5 and later are not affected by this isssue ### Workarounds Affected users who are unable to update may want to limit the ability of untrusted clients to run arbitrary queries ...

npm Malware Targets Atomic and Exodus Wallets to Hijack Crypto Transfers

ReversingLabs reveals a malicious npm package targeting Atomic and Exodus wallets, silently hijacking crypto transfers via software patching.