CWE-506
Embedded Malicious Code
Description
The product contains code that appears to be malicious in nature.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-442 · CAPEC-448 · CAPEC-636
CVEs mapped to this weakness (82)
page 2 of 5

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-59143 | — | High | 0.57 | — | 0.00 | — | Sep 15, 2025 | color is a JavaScript color conversion and manipulation library. On 8 September 2025, the npm publishing account for color was taken over after a phishing attack. Version 5.0.1 was published, functionally identical to the previous patch version, but with a malware payload added… |
| CVE-2025-59142 | — | High | 0.57 | — | 0.00 | — | Sep 15, 2025 | color-string is a parser and generator for CSS color strings. On 8 September 2025, the npm publishing account for color-string was taken over after a phishing attack. Version 2.1.1 was published, functionally identical to the previous patch version, but with a malware payload… |
| CVE-2025-59141 | — | High | 0.57 | — | 0.00 | — | Sep 15, 2025 | simple-swizzle swizzles function arguments. On 8 September 2025, the npm publishing account for simple-swizzle was taken over after a phishing attack. Version 0.2.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting… |
| CVE-2025-59140 | — | High | 0.57 | — | 0.00 | — | Sep 15, 2025 | backslash parses collected strings with escapes. On 8 September 2025, the npm publishing account for backslash was taken over after a phishing attack. Version 0.2.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to… |
| CVE-2025-10894 | — | Critical | 0.55 | 9.6 | 0.01 | — | Sep 24, 2025 | Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them… |
| CVE-2018-25117 | — | Critical | 0.53 | — | 0.00 | — | Oct 15, 2025 | VestaCP commit a3f0fa1 (2018-05-31) up to commit ee03eff (2018-06-13) contain embedded malicious code that resulted in a supply-chain compromise. New installations created from the compromised installer since at least May 2018 were subject to installation of Linux/ChachaDDoS, a… |
| CVE-2025-32965 | — | Critical | 0.53 | — | 0.01 | — | Apr 22, 2025 | xrpl.js is a JavaScript/TypeScript API for interacting with the XRP Ledger in Node.js and the browser. Versions 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of xrpl.js were compromised and contained malicious code designed to exfiltrate private keys. Version 2.14.2 is also malicious, though… |
| CVE-2026-46421 | — | Critical | 0.52 | — | 0.00 | — | May 20, 2026 | On April 29, 2026, compromised versions of `@cap-js/sqlite@2.2.2`, `@cap-js/postgres@2.2.2`, and `@cap-js/db-service@2.10.1` were published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all… |
| CVE-2025-59038 | — | High | 0.49 | — | 0.00 | — | Sep 9, 2025 | Prebid.js is a free and open source library for publishers to quickly implement header bidding. NPM users of prebid 10.9.2 may have been briefly compromised by a malware campaign. The malicious code attempts to redirect crypto transactions on the site to the attackers' wallet.… |
| CVE-2025-59037 | — | High | 0.49 | — | 0.00 | — | Sep 9, 2025 | DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of DuckDB's packages that included… |
| CVE-2017-16205 | — | High | 0.49 | 7.5 | 0.01 | — | Jun 7, 2018 | The coffescript module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation. |
| CVE-2017-16204 | — | High | 0.49 | 7.5 | 0.01 | — | Jun 7, 2018 | The jquey module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation. |
| CVE-2017-16203 | — | High | 0.49 | 7.5 | 0.01 | — | Jun 7, 2018 | The coffe-script module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation. |
| CVE-2017-16202 | — | High | 0.49 | 7.5 | 0.01 | — | Jun 7, 2018 | The cofeescript module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation. |
| CVE-2017-16081 | — | High | 0.49 | 7.5 | 0.01 | — | Jun 7, 2018 | cross-env.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16080 | — | High | 0.49 | 7.5 | 0.01 | — | Jun 7, 2018 | nodesass was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16079 | — | High | 0.49 | 7.5 | 0.01 | — | Jun 7, 2018 | smb was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16078 | — | High | 0.49 | 7.5 | 0.01 | — | Jun 7, 2018 | shadowsock was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16077 | — | High | 0.49 | 7.5 | 0.01 | — | Jun 7, 2018 | mongose was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16076 | — | High | 0.49 | 7.5 | 0.01 | — | Jun 7, 2018 | proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |