Trending Vulnerabilities
Real-time threat radar – CVEs ranked by multi-signal trending score
Trending CVEs: 1 | Advisories: 16 | Critical: 0 | High: 1 | KEV: 0 | POC Available: 1
How trending scores work
Each CVE is scored by accumulating heat signals within 48h of publication. Score decays 20%/day after 3 days.
+5 CISA KEV
+4 EPSS > 0.5
+4 POC < 48h
+3 CISA/CERT-EU advisory
+3 SSVC active exploitation
+2 Multi-vendor patches
+2 User stacks affected
+2 ZDI advisory
+1–3 News mentions
Score 8 | MAL | MAL-2026-6328 | CRITICAL
The npm package @muaththir/api was found to contain malicious code, classifying it as a supply chain threat targeting any developer or system that installed or executed it. The attack vector is package installation itself - once the package runs on a machine, it is assessed to grant full system-level control to an outside party, meaning credentials, API keys, secrets, and all sensitive data stored on that host must be treated as exfiltrated.
Any computer that installed or ran @muaththir/api should be considered fully compromised regardless of whether the package has since been removed, as the malicious payload may have established persistence beyond the package itself. No specific download count is available from the advisory, but the severity is rated critical given the scope of access the malware can achieve.
Immediate action requires rotating all secrets, API keys, and credentials from a separate, unaffected machine before taking any other remediation steps. The package should be removed and the affected system treated as untrusted; forensic review of network logs and filesystem artifacts is advised to identify any secondary payloads or backdoors that may have been installed. Do not rely solely on package removal as confirmation of full remediation.
Tags: News Buzz, CVSS 9+, Supply Chain | 7 news
Score 8 | MAL | MAL-2026-6618 | CRITICAL
The npm package @experian-shared/services has been identified as containing malicious code, triggering a critical-severity advisory (MAL-2026-6618) from the GitHub Advisory Database. The package is designed to fully compromise any system on which it is installed or executed, likely through a supply chain attack targeting developers and CI/CD environments that depend on Experian-branded shared service libraries. The nature of the compromise means attackers may have obtained persistent access to affected machines, making simple package removal insufficient to guarantee remediation.
Any system that installed or ran this package should be treated as fully compromised, with the assumption that all secrets, API keys, tokens, cloud credentials, and private keys stored on or accessed from that machine have been exfiltrated. Credential rotation must be performed immediately and from a separate, unaffected machine, covering all services the compromised system had access to, including cloud providers, source control, CI/CD platforms, and secret managers. The package should be removed from all environments, but given the risk of persistent backdoors or secondary payloads, a full reimaging of affected systems is strongly recommended. There are no patched versions of this package; it should be treated as entirely malicious and blocklisted in your dependency management tooling and artifact registries.
Tags: News Buzz, CVSS 9+, Supply Chain | 6 news
Score 7 | GHSA | GHSA-vxx9-pq69-m5rh | CRITICAL
The npm package @muaththir/api has been identified as malicious, with all published versions (>= 0) classified as malware under GHSA-vxx9-pq69-m5rh with a critical severity rating. Any system on which this package was installed or executed should be treated as fully compromised, meaning an external threat actor may have gained complete control over the host environment and any credentials, API keys, tokens, or secrets stored on or accessed from that machine. The scope of impact extends to all consumers of this package regardless of version, as no safe release exists. Affected organizations should immediately rotate all secrets and credentials from a separate, uncompromised system before taking any other remediation steps. The package should be removed from all environments, but removal alone cannot be considered sufficient to restore trust in the machine, as persistent backdoors or secondary payloads may remain; a full reimaging of affected systems is the recommended path to confirmed remediation.
Tags: News Buzz, CVSS 9+ | 7 news
Score 7 | GHSA | GHSA-w4v6-g3wm-w36c | CRITICAL
A critical policy enforcement flaw in the openclaw npm package (versions prior to 2026.4.29) allows a QQBot sender to invoke exported admin commands while bypassing the QQBot-specific DM-only restriction and allowFrom access controls. When the affected feature is enabled and reachable by lower-trust input, an attacker can trigger admin-level behavior from a sender or context that the operator's policy was explicitly configured to block, effectively nullifying access boundary enforcement without requiring authenticated operator credentials.
The vulnerability is scoped to the QQBot integration surface; OpenClaw's broader trusted-operator model for authenticated Gateway operators and installed plugins is not directly affected by this specific flaw, though the package has faced concurrent supply chain scrutiny, including a February 2026 incident in which cline@2.3.0 silently installed openclaw on approximately 4,000 machines before the malicious version was deprecated.
Operators should upgrade to openclaw 2026.4.29 immediately, which is the first stable release containing the fix; those unable to patch should disable exported QQBot admin commands or restrict QQBot access entirely until the update can be applied. As additional hardening, operators should audit channel and tool allowlists to ensure they are narrowly scoped, avoid sharing a single Gateway instance between mutually untrusted users, and disable any QQBot admin features not actively required by their deployment.
Tags: News Buzz, CVSS 9+ | 6 news
Score 7 | GHSA | GHSA-vhf7-5xf6-3fwr | CRITICAL
The npm package @experian-shared/services has been identified as malicious across all published versions (>= 0), meaning any installation carries active malware rather than legitimate functionality. Any system where this package has been installed or executed should be treated as fully compromised, with an outside party potentially in possession of complete control over the affected machine. All credentials, API keys, tokens, and secrets that were accessible on the compromised system must be rotated immediately from a separate, unaffected machine, as the malware may have already exfiltrated them. The package should be removed from all environments, but removal alone cannot be assumed to fully remediate the infection, since the malware may have established persistence mechanisms or dropped additional payloads during installation. There is no safe or patched version of this package; organizations should remove it entirely, audit their dependency trees for any transitive inclusion, and conduct a full incident response review of any pipeline or developer machine that ran it.
Tags: News Buzz, CVSS 9+ | 6 news
Score 7 | GHSA | GHSA-4rmm-f927-v58w | CRITICAL
The npm package @webda-infra/search has been identified as a malicious package containing malware across all published versions (>= 0), representing a supply chain attack targeting JavaScript developers who install it directly or as a transitive dependency. Any system that has executed this package must be treated as fully compromised, meaning an attacker may have gained complete control of the host environment, including access to environment variables, credential stores, SSH keys, API tokens, and any secrets accessible to the Node.js process. The news articles provided do not contain reporting specific to this package, so precise publication dates, download counts, or payload details are not available from the supplied sources.
Organizations should immediately remove @webda-infra/search from all environments, but removal alone cannot be considered sufficient remediation given that arbitrary code may have already executed and persisted additional malicious software. All secrets, API keys, cloud credentials, and tokens present on affected machines should be rotated immediately from a clean, unaffected system, and affected hosts should be reimaged rather than patched in place. There is no safe version of this package - the entire package should be blocklisted in your dependency allow-lists and artifact registries, and any CI/CD pipeline or developer machine that ran a build pulling this dependency should be treated as a compromised node in your environment.
Tags: News Buzz, CVSS 9+ | 5 news
Score 7 | MAL | MAL-2026-6599 | CRITICAL
Malicious code in @alerts/components (npm)
Tags: News Buzz, CVSS 9+, Supply Chain | 4 news
Score 7 | MAL | MAL-2026-6612 | CRITICAL
Malicious code in @ddh-libs/analytics (npm)
Tags: News Buzz, CVSS 9+, Supply Chain | 4 news
Score 7 | MAL | MAL-2026-6633 | CRITICAL
Malicious code in @ms-ows/logging (npm)
Tags: News Buzz, CVSS 9+, Supply Chain | 3 news
Score 7 | MAL | MAL-2026-6741 | CRITICAL
Malicious code in @node-cloud/create (npm)
Tags: News Buzz, CVSS 9+, Supply Chain | 3 news
Score 7 | MAL | MAL-2026-6607 | CRITICAL
Malicious code in @content-editor/common (npm)
Tags: News Buzz, CVSS 9+, Supply Chain | 3 news