Monthly
Supply chain compromise in Smart Slider 3 Pro 3.5.1.35 for WordPress and Joomla delivers multi-stage remote access toolkit via compromised update mechanism. Unauthenticated attackers achieve pre-authentication remote code execution through malicious HTTP headers, deploy authenticated backdoors accepting arbitrary PHP/OS commands, create hidden administrator accounts, exfiltrate credentials and API keys, and establish persistence via must-use plugins and core file modifications. Vendor confirmed malicious build distributed through official update channel. No public exploit identified at time of analysis.
Trivy security scanner v0.69.4 was compromised in a supply chain attack where a threat actor used stolen credentials to publish malicious releases and force-push credential-stealing malware to GitHub Actions repositories.
xygeni-action is the GitHub Action for Xygeni Scanner. On March 3, 2026, an attacker with access to compromised credentials created a series of pull requests (#46, #47, #48) injecting obfuscated shell code into action.yml. The PRs were blocked by branch protection rules and never merged into the main branch. However, the attacker used the compromised GitHub App credentials to move the mutable v5 tag to point at the malicious commit (4bf1d4e19ad81a3e8d4063755ae0f482dd3baf12) from one of the un...
Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities.
The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. [CVSS 6.5 MEDIUM]
TensorFlow v2.18.0 was discovered to output random results when compiling Embedding, leading to unexpected behavior in the application. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Malicious code was inserted into the Nx (build system) package and several related plugins. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
color-name is a JSON with CSS color names. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
is-arrayish checks if an object can be used like an Array. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
error-ex allows error subclassing and stack customization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Supply chain compromise in Smart Slider 3 Pro 3.5.1.35 for WordPress and Joomla delivers multi-stage remote access toolkit via compromised update mechanism. Unauthenticated attackers achieve pre-authentication remote code execution through malicious HTTP headers, deploy authenticated backdoors accepting arbitrary PHP/OS commands, create hidden administrator accounts, exfiltrate credentials and API keys, and establish persistence via must-use plugins and core file modifications. Vendor confirmed malicious build distributed through official update channel. No public exploit identified at time of analysis.
Trivy security scanner v0.69.4 was compromised in a supply chain attack where a threat actor used stolen credentials to publish malicious releases and force-push credential-stealing malware to GitHub Actions repositories.
xygeni-action is the GitHub Action for Xygeni Scanner. On March 3, 2026, an attacker with access to compromised credentials created a series of pull requests (#46, #47, #48) injecting obfuscated shell code into action.yml. The PRs were blocked by branch protection rules and never merged into the main branch. However, the attacker used the compromised GitHub App credentials to move the mutable v5 tag to point at the malicious commit (4bf1d4e19ad81a3e8d4063755ae0f482dd3baf12) from one of the un...
Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities.
The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. [CVSS 6.5 MEDIUM]
TensorFlow v2.18.0 was discovered to output random results when compiling Embedding, leading to unexpected behavior in the application. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Malicious code was inserted into the Nx (build system) package and several related plugins. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
color-name is a JSON with CSS color names. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
is-arrayish checks if an object can be used like an Array. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
error-ex allows error subclassing and stack customization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.