Is this vulnerability real, exploited, or just noise?
Paste a package, CVE, or security concern. We prove it, explain it, and show the fix.
Accepts: package names, package@version, CVE IDs, CWE IDs, npm/PyPI URLs
Live Security Alerts
Suspicious install-time execution: 2+ suspicious signals during install
Payload delivery from suspicious source: IOC URL + execution capability
2 versions flagged · Latest 0.2.146
Install hook + shell exec + network ALL APPEARED in this version — hijack shape (these caps were not present in prior versions). New typosquats also fire because every cap on a first publish is 'new' by definition.
Notable Vulnerabilities
n8n Vulnerable to Remote Code Execution via Expression Injection
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
MindsDB: Path Traversal in /api/files Leading to Remote Code Execution
Langflow has Remote Code Execution in CSV Agent
Top Weaknesses Detected
Exposure of Sensitive Information to an Unauthorized Actor
Improper Input Validation
Use of Hard-coded Credentials
Improper Control of Generation of Code ('Code Injection')
Execution with Unnecessary Privileges
Permissive Cross-domain Policy with Untrusted Domains
Uncontrolled Resource Consumption
Authorization Bypass Through User-Controlled Key
Package Security Status
Scan from your terminal
Run Shoulder locally to analyze packages before installing them, or scan your whole project to detect vulnerabilities.
npx @shoulderdev/cli check <package>
npx @shoulderdev/cli trust .