CWE-506
Embedded Malicious Code
Description
The product contains code that appears to be malicious in nature.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-442 · CAPEC-448 · CAPEC-636
CVEs mapped to this weakness (82)
page 4 of 5

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-16053 | — | High | 0.49 | 7.5 | 0.01 | | Jun 4, 2018 | `fabric-js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16052 | — | High | 0.49 | 7.5 | 0.01 | | Jun 4, 2018 | `node-fabric` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16051 | — | High | 0.49 | 7.5 | 0.01 | | Jun 4, 2018 | `sqliter` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16050 | — | High | 0.49 | 7.5 | 0.01 | | Jun 4, 2018 | `sqlite.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16049 | — | High | 0.49 | 7.5 | 0.01 | | Jun 4, 2018 | `nodesqlite` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16048 | — | High | 0.49 | 7.5 | 0.01 | | Jun 4, 2018 | `node-sqlite` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16046 | — | High | 0.49 | 7.5 | 0.01 | | Jun 4, 2018 | `mariadb` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16045 | — | High | 0.49 | 7.5 | 0.01 | | Jun 4, 2018 | `jquery.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16044 | — | High | 0.49 | 7.5 | 0.01 | | Jun 4, 2018 | `d3.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16062 | — | High | 0.49 | 7.5 | 0.01 | | May 29, 2018 | node-tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16061 | — | High | 0.49 | 7.5 | 0.01 | | May 29, 2018 | tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16047 | — | High | 0.49 | 7.5 | 0.01 | | May 29, 2018 | mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. |
| CVE-2017-16207 | — | High | 0.48 | 7.3 | 0.01 | | Jun 7, 2018 | discordi.js is a malicious module based on the discord.js library that exfiltrates login tokens to pastebin. |
| CVE-2024-10938 | — | Medium | 0.42 | 6.5 | 0.00 | | Feb 27, 2026 | The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. If moved outside of the plugin's directory, they may… |
| CVE-2025-8217 | — | Medium | 0.26 | 4.0 | 0.00 | | Jul 30, 2025 | The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however the injected code contains a syntax error which… |
| CVE-2025-30066 | — | | 0.12 | — | 0.41 | KEV | Mar 15, 2025 | tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious… |
| CVE-2026-33634 | — | | 0.07 | — | 0.60 | KEV | Mar 23, 2026 | Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in… |
| CVE-2025-54313 | — | | 0.05 | — | 0.04 | KEV | Jul 19, 2025 | eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows. |
| CVE-2025-30154 | — | | 0.05 | — | 0.02 | KEV | Mar 19, 2025 | reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use… |
| CVE-2026-31976 | — | | 0.00 | — | 0.01 | | Mar 11, 2026 | xygeni-action is the GitHub Action for Xygeni Scanner. On March 3, 2026, an attacker with access to compromised credentials created a series of pull requests (#46, #47, #48) injecting obfuscated shell code into action.yml. The PRs were blocked by branch protection rules and… |