Summary
In late July/August 2017, a user named 'hacktask' published around 37 typosquatting packages on npm with names mimicking popular libraries, the most notable being 'crossenv' (impersonating cross-env). The package replicated the legitimate functionality but added an install-time script that harvested all environment variables, which often contain tokens, keys and credentials, and exfiltrated them to npm.hacktask.net. crossenv was tracked as CVE-2017-16074; actual installs were limited (estimated under ~50) and npm removed roughly 40 packages.
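The defensive check that would have caught this incident's naming trick: scanning a manifest for dependency names that are near-misses of well-known packages, so that 'crossenv' is flagged against 'cross-env'. This is an added example, not code from the advisory or from npm; the POPULAR list is a constructed stand-in for a curated allow-list, and the sample manifest is constructed.

```javascript
// Added example: flag dependency names that closely resemble popular packages.
// Names are normalised (separators stripped) so punctuation-only variants such
// as 'crossenv' vs 'cross-env' match, then compared by edit distance.

// Constructed allow-list (assumption: a real deployment loads a curated list).
const POPULAR = ['cross-env', 'lodash', 'express', 'babel-cli', 'mongoose'];

function normalise(name) {
  return name.toLowerCase().replace(/[-_.]/g, '');
}

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // D[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Returns the popular name a dependency resembles, or null when the name is
// exactly a known package or is not within one edit of any known package.
function typosquatCandidate(dep, popular = POPULAR) {
  if (popular.includes(dep)) return null;
  const n = normalise(dep);
  for (const p of popular) {
    const np = normalise(p);
    if (n === np || editDistance(n, np) <= 1) return p;
  }
  return null;
}

// Scans dependencies and devDependencies of a parsed package.json object.
function scanDependencies(pkg, popular = POPULAR) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const dep of Object.keys(deps)) {
    const resembles = typosquatCandidate(dep, popular);
    if (resembles) findings.push({ dep, resembles });
  }
  return findings;
}

// Constructed sample manifest containing the name used in this incident.
const sample = { dependencies: { crossenv: '^5.0.0', lodash: '^4.17.4' },
                 devDependencies: { expresss: '1.0.0' } };
console.log(scanDependencies(sample));
```

The distance threshold of one edit is deliberately tight; raising it catches more variants but also produces false positives between genuinely distinct short names.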
Related vulnerabilities
- HIGH GHSA-JXCW-QP4H-6JFQ: PraisonAI A2U incomplete authentication fix leaves current serve command unauthenticated by default
- HIGH GHSA-GCQ3-MFVH-3X25: PraisonAI Code agent tools fail open without a workspace boundary
- CRITICAL GHSA-892R-P3JQ-JP24: PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation
- CRITICAL GHSA-X223-P2GF-V735: Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak
- MEDIUM GHSA-FG94-H982-F3MM: Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch
- HIGH GHSA-RJXQ-QQHF-8HWH: OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin