Is this vulnerability real, exploited, or noise?
Paste a package, CVE or security concern. We will verify it, explain it and show the fix.
Accepted: package name, package@version, CVE ID, CWE ID, npm/PyPI URL
Live security alerts
Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed
Burst publisher with new account
A dist-tag (e.g. latest) was moved to this version while it was less than 1 hour old — publish-side compromise indicator
Burst publisher with new account
Payload delivery from suspicious source: IOC URL + execution capability
Notable vulnerabilities
Updated 5m ago
n8n Vulnerable to Remote Code Execution via Expression Injection
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
MindsDB: Path Traversal in /api/files Leading to Remote Code Execution
Langflow has Remote Code Execution in CSV Agent
Top weaknesses detected
Exposure of Sensitive Information to an Unauthorized Actor
Improper Input Validation
Use of Hard-coded Credentials
Improper Control of Generation of Code ('Code Injection')
Execution with Unnecessary Privileges
Permissive Cross-domain Policy with Untrusted Domains
Uncontrolled Resource Consumption
Authorization Bypass Through User-Controlled Key
Package security status
Scan from the terminal
Run Shoulder locally to analyze a package before installing it, or scan an entire project for vulnerabilities.
npx @shoulderdev/cli check <package>
npx @shoulderdev/cli trust .