Tag: NPM Package
Malicious MCP Server on npm postmark-mcp Exploited in Attack
Security researchers discovered a significant vulnerability in the Model Context Protocol (MCP) server that was exploited in the wild. The reports described this as the first-ever instance of an MCP server being exploited in the wild, which can lead to software supply chain risks. The flaw exists in the npm package postmark-mcp, an MCP server …
Multiple npm Packages affected by the Ongoing Supply Chain Attack (Shai-Hulud Malware)
This is a supply chain attack that has impacted 198 unique npm packages spanning multiple maintainers. The malware campaign (part of the “Shai-Hulud” attack) has compromised npm packages in a worm-like manner. The malware affects various packages from different maintainers. Some are public; others belong to popular vendors like CrowdStrike. Altogether, these packages have more …
vm2 NPM Package Remote Code Execution Vulnerability (CVE-2022-36067) (Sandbreak)
Security researchers from Oxeye have discovered a critical remote code execution flaw in vm2, a JavaScript sandbox library. Tracked as CVE-2022-36067, the flaw has been given a CVSS score of 10. On successful exploitation, this flaw could allow attackers to escape the vm2 sandbox environment and run shell commands on the machine hosting the sandbox. …
Node-IPC NPM Package Embedded Malicious Code Vulnerability (CVE-2022-23812)
Users of the popular Vue.js frontend JavaScript framework experienced a supply chain attack on the npm ecosystem recently. The nested dependencies Node-IPC and peacenotwar were sabotaged as a protest by the maintainer of the Node-IPC package. Regardless of the peace-not-war slogan, node-ipc is now being identified as a malicious package, including malicious code that …