{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/javascript/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["xmldom"],"_cs_severities":["medium"],"_cs_tags":["dos","xmldom","recursion","javascript"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003exmldom\u003c/code\u003e library is susceptible to a denial-of-service (DoS) vulnerability due to uncontrolled recursion in XML serialization. Seven recursive traversals within \u003ccode\u003elib/dom.js\u003c/code\u003e lack depth limits, causing a \u003ccode\u003eRangeError: Maximum call stack size exceeded\u003c/code\u003e and crashing the application when processing deeply nested XML documents. Publicly disclosed on 2026-04-06, the vulnerability impacts multiple functions, including \u003ccode\u003enormalize()\u003c/code\u003e, \u003ccode\u003eXMLSerializer.serializeToString()\u003c/code\u003e, and others related to DOM manipulation. This issue arises from the library\u0026rsquo;s pure-JavaScript recursive implementation of DOM operations, which exhausts the call stack. Exploitation requires no authentication or special options, affecting applications that process attacker-controlled XML using vulnerable \u003ccode\u003exmldom\u003c/code\u003e versions ( \u0026lt; 0.8.13, \u0026gt;= 0.9.0 and \u0026lt; 0.9.10, and \u0026lt;= 0.6.0).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious XML document with deeply nested elements.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application receives and parses the crafted XML document using \u003ccode\u003eDOMParser.parseFromString()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application subsequently calls one of the affected DOM operations, such as \u003ccode\u003enormalize()\u003c/code\u003e, \u003ccode\u003eserializeToString()\u003c/code\u003e, \u003ccode\u003egetElementsByTagName()\u003c/code\u003e, or \u003ccode\u003ecloneNode(true)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe affected function initiates a recursive traversal of the deeply nested XML structure within \u003ccode\u003elib/dom.js\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEach level of nesting consumes a JavaScript call stack frame.\u003c/li\u003e\n\u003cli\u003eThe recursive calls continue until the JavaScript engine\u0026rsquo;s call stack is exhausted.\u003c/li\u003e\n\u003cli\u003eA \u003ccode\u003eRangeError: Maximum call stack size exceeded\u003c/code\u003e exception is thrown.\u003c/li\u003e\n\u003cli\u003eThe application crashes due to the uncaught exception, leading to a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in a denial-of-service condition. Any service parsing attacker-controlled XML with a vulnerable version of \u003ccode\u003exmldom\u003c/code\u003e can be crashed by a single crafted payload. This can lead to failed request processing. In deployments where uncaught exceptions terminate the worker or process, the impact can extend beyond a single request and disrupt service availability more broadly. Tests show that stack exhaustion occurs with nesting depths between 5,000 and 10,000 levels depending on the operation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e to version \u0026gt;= 0.8.13 or \u0026gt;= 0.9.10 to remediate CVE-2026-41673.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, consider implementing input validation to limit the nesting depth of XML documents processed by applications using \u003ccode\u003exmldom\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for \u003ccode\u003eRangeError: Maximum call stack size exceeded\u003c/code\u003e exceptions originating from \u003ccode\u003elib/dom.js\u003c/code\u003e, which could indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-xmldom-dos/","summary":"The xmldom library is vulnerable to a denial-of-service (DoS) attack due to uncontrolled recursion in XML serialization leading to application crashes.","title":"xmldom Uncontrolled Recursion DoS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-xmldom-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6594"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["prototype-pollution","javascript","code-injection","cve-2026-6594"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA prototype pollution vulnerability, identified as CVE-2026-6594, affects brikcss merge versions up to 1.3.0. This vulnerability allows a remote attacker to manipulate the \u003cstrong\u003eproto\u003c/strong\u003e/constructor.prototype/prototype argument, leading to the modification of object prototype attributes. The vendor was notified, but did not respond. Successful exploitation can lead to denial of service, code injection, or other unintended behaviors in applications using the affected library. Prototype pollution vulnerabilities are particularly concerning as they can have widespread effects, potentially impacting multiple parts of an application or even other applications sharing the same JavaScript runtime.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable endpoint in an application using brikcss merge \u0026lt;= 1.3.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing a \u003ccode\u003e__proto__\u003c/code\u003e, \u003ccode\u003econstructor.prototype\u003c/code\u003e, or \u003ccode\u003eprototype\u003c/code\u003e property.\u003c/li\u003e\n\u003cli\u003eThe malicious payload is sent to the vulnerable endpoint, often as part of a JSON object within a POST request.\u003c/li\u003e\n\u003cli\u003eThe brikcss merge function processes the payload without proper sanitization or input validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e__proto__\u003c/code\u003e property is used to modify the prototype of JavaScript objects.\u003c/li\u003e\n\u003cli\u003eThe prototype modification injects malicious properties or methods into all objects inheriting from the modified prototype.\u003c/li\u003e\n\u003cli\u003eThe application executes code that relies on the now-polluted prototype.\u003c/li\u003e\n\u003cli\u003eThis leads to unexpected behavior, such as arbitrary code execution, denial-of-service, or information disclosure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6594 can lead to a variety of impacts, including denial of service, arbitrary code execution, and information disclosure. Since the vulnerability allows for modification of object prototypes, the impact can be widespread, affecting multiple parts of an application and potentially other applications. The number of affected applications is currently unknown, but any application using a vulnerable version of brikcss merge is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade brikcss merge to a patched version or remove the library entirely from your project to remediate CVE-2026-6594.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Prototype Pollution via HTTP Request\u0026rdquo; to detect exploitation attempts targeting web applications that use brikcss merge.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all user-supplied data processed by brikcss merge to prevent malicious payloads from being processed.\u003c/li\u003e\n\u003cli\u003eReview and audit code that uses brikcss merge to identify potential vulnerable code paths.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing \u003ccode\u003e__proto__\u003c/code\u003e, \u003ccode\u003econstructor.prototype\u003c/code\u003e, or \u003ccode\u003eprototype\u003c/code\u003e parameters in the request body as described in the attack chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T02:16:15Z","date_published":"2026-04-20T02:16:15Z","id":"/briefs/2026-04-brikcss-prototype-pollution/","summary":"A prototype pollution vulnerability (CVE-2026-6594) in brikcss merge up to version 1.3.0 allows remote attackers to modify object prototype attributes by manipulating the __proto__/constructor.prototype/prototype argument.","title":"brikcss merge Prototype Pollution Vulnerability (CVE-2026-6594)","url":"https://feed.craftedsignal.io/briefs/2026-04-brikcss-prototype-pollution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","npm","javascript","rat"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 31, 2026, the official Axios node package manager (npm) package was compromised in a supply chain attack. The attack resulted in the deployment of two malicious versions, v1.14.1 and v0.30.4. Axios is a widely-used JavaScript library for making HTTP requests, with approximately 100 million downloads per week. The malicious packages were available for around three hours. The compromised packages introduced a fake runtime dependency, \u0026lsquo;plain-crypto-js\u0026rsquo;, that executes automatically after installation. This dependency then communicates with attacker-controlled infrastructure at 142.11.206.73, pulling down platform-specific payloads for Linux, MacOS, and Windows. The payloads are remote access trojans (RATs), enabling the attackers to gather information and execute additional malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromised the Axios NPM package and injected malicious code.\u003c/li\u003e\n\u003cli\u003eMalicious versions v1.14.1 and v0.30.4 were published to the NPM registry.\u003c/li\u003e\n\u003cli\u003eThe malicious packages introduce a fake runtime dependency named \u0026lsquo;plain-crypto-js\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eUpon installation of the compromised package, the \u0026lsquo;plain-crypto-js\u0026rsquo; dependency executes automatically via a post-install script.\u003c/li\u003e\n\u003cli\u003eThe dependency connects to the attacker-controlled IP address 142.11.206.73 to retrieve a platform-specific payload.\u003c/li\u003e\n\u003cli\u003eOn MacOS, a binary named \u0026ldquo;com.apple.act.mond\u0026rdquo; is downloaded and executed using zsh.\u003c/li\u003e\n\u003cli\u003eOn Windows, a PowerShell script (6202033.ps1) is downloaded, and the legitimate powershell.exe is copied to \u0026ldquo;%PROGRAM DATA%\\wt.exe\u0026rdquo;, and the ps1 script is executed with hidden and execution policy bypass flags.\u003c/li\u003e\n\u003cli\u003eOn Linux, a Python backdoor is downloaded and executed. The downloaded executables act as Remote Access Trojans (RATs) exfiltrating credentials and enabling remote management.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack could lead to significant compromise across numerous organizations using the Axios library. The actors exfiltrate credentials and gain remote management capabilities. All credentials present on systems that installed the malicious package should be considered compromised and immediately rotated. The widespread use of Axios means the impact could extend to many applications and systems, potentially enabling further attacks leveraging compromised credentials. Supply chain attacks like these affecting widely used libraries, as seen in 25% of the top 100 vulnerabilities in the Cisco Talos 2025 Year in Review, highlight the substantial risk they pose.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRoll back to safe Axios versions (v1.14.0 or v0.30.3) immediately to prevent further compromise, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eInvestigate systems that downloaded malicious packages (v1.14.1 or v0.30.4) for signs of follow-on payloads from the actor-controlled infrastructure, as described in the overview.\u003c/li\u003e\n\u003cli\u003eBlock the actor-controlled IP address 142.11.206.73 and domain Sfrclak.com at the network perimeter to prevent further communication with the malicious infrastructure, per the IOC list.\u003c/li\u003e\n\u003cli\u003eMonitor for execution of PowerShell scripts from unusual locations, specifically \u0026ldquo;%PROGRAM DATA%\\wt.exe\u0026rdquo;, as part of the attack chain.\u003c/li\u003e\n\u003cli\u003eImplement a process creation rule to alert when processes connect to external IPs using uncommon parent processes. See example rule below.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T12:00:00Z","date_published":"2026-04-04T12:00:00Z","id":"/briefs/2026-04-axios-npm-supply-chain/","summary":"A supply chain attack on the Axios NPM package injected malicious code into versions v1.14.1 and v0.30.4, leading to the deployment of platform-specific remote access trojans (RATs) after the installation of a rogue dependency that communicated with attacker-controlled infrastructure to retrieve malicious payloads for Windows, MacOS, and Linux.","title":"Axios NPM Supply Chain Attack Delivering Platform-Specific RATs","url":"https://feed.craftedsignal.io/briefs/2026-04-axios-npm-supply-chain/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-34780"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["electron","context-isolation","javascript","xss","CVE-2026-34780","defense-evasion","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eElectron, a framework for building cross-platform desktop applications using web technologies, is vulnerable to a context isolation bypass (CVE-2026-34780) when handling VideoFrame objects. This vulnerability affects Electron versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8. Specifically, applications are at risk if they utilize \u003ccode\u003econtextBridge.exposeInMainWorld()\u003c/code\u003e to pass a VideoFrame object from a preload script to the main world. An attacker who achieves JavaScript execution in the main world, for example, through a cross-site scripting (XSS) vulnerability, can leverage a bridged VideoFrame to bypass context isolation and gain access to the isolated world, including Node.js APIs exposed to the preload script. This access enables further malicious activities, potentially leading to arbitrary code execution on the host system. Patches are available in versions 39.8.0, 40.7.0, and 41.0.0-beta.8.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Electron application using a vulnerable version of Electron (39.0.0-alpha.1 to 39.7.x, 40.0.0-alpha.1 to 40.6.x, or 41.0.0-alpha.1 to 41.0.0-beta.7) that also uses \u003ccode\u003econtextBridge.exposeInMainWorld()\u003c/code\u003e to expose a \u003ccode\u003eVideoFrame\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious JavaScript code into the application\u0026rsquo;s main world. This can be achieved through various means, such as exploiting a cross-site scripting (XSS) vulnerability.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code interacts with the bridged \u003ccode\u003eVideoFrame\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eVideoFrame\u003c/code\u003e object, due to the vulnerability, allows the attacker to bypass context isolation and gain access to the isolated world.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the access to the isolated world to access Node.js APIs that are exposed to the preload script.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the exposed Node.js APIs to perform malicious actions, such as reading sensitive data, modifying application settings, or executing arbitrary code on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker may escalate privileges by exploiting further vulnerabilities or misconfigurations within the application or the underlying operating system.\u003c/li\u003e\n\u003cli\u003eThe final objective is to achieve arbitrary code execution on the host system, allowing the attacker to perform any desired actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-34780) allows an attacker to bypass context isolation in affected Electron applications, potentially leading to arbitrary code execution. The number of victims depends on the popularity and security posture of Electron applications that bridge VideoFrame objects. If the attack succeeds, an attacker could steal sensitive data, install malware, or completely compromise the user\u0026rsquo;s system. Sectors heavily reliant on Electron-based desktop applications, such as communication, development, and productivity tools, are at higher risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Electron applications to patched versions (39.8.0, 40.7.0, or 41.0.0-beta.8) to address CVE-2026-34780.\u003c/li\u003e\n\u003cli\u003eReview and sanitize all user-supplied input to prevent XSS vulnerabilities that can be leveraged to exploit CVE-2026-34780.\u003c/li\u003e\n\u003cli\u003eImplement strict Content Security Policy (CSP) to mitigate the risk of XSS attacks.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for suspicious JavaScript execution, especially related to \u003ccode\u003eVideoFrame\u003c/code\u003e objects and \u003ccode\u003econtextBridge.exposeInMainWorld()\u003c/code\u003e, to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for suspicious process execution via Node.js APIs to detect malicious behavior following a successful context isolation bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T01:16:39Z","date_published":"2026-04-04T01:16:39Z","id":"/briefs/2026-04-electron-videoframes/","summary":"A context isolation bypass vulnerability exists in Electron applications that bridge VideoFrame objects via contextBridge, potentially allowing an attacker with JavaScript execution in the main world to access the isolated world and Node.js APIs.","title":"Electron VideoFrame Context Isolation Bypass Vulnerability (CVE-2026-34780)","url":"https://feed.craftedsignal.io/briefs/2026-04-electron-videoframes/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sandbox-escape","javascript","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability exists in SandboxJS versions prior to 0.8.36, a JavaScript sandbox library. This vulnerability allows malicious or untrusted JavaScript code executed within the sandbox to escape the sandbox and modify global objects in the host environment. The bypass is achieved through an exposed callable constructor path: \u003ccode\u003ethis.constructor.call(target, attackerObject)\u003c/code\u003e, allowing attackers to circumvent intended protections against direct assignment to global objects. This can lead to persistent modifications of host runtime state and cross-context contamination. Successful exploitation could allow attackers to compromise other requests, tenants, or subsequent sandbox runs within the same process, potentially leading to control-flow hijack in application logic that assumes trusted built-in behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker injects JavaScript code into the SandboxJS environment.\u003c/li\u003e\n\u003cli\u003eThe injected code gains access to the \u003ccode\u003eSandboxGlobal\u003c/code\u003e constructor via \u003ccode\u003ethis.constructor\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages \u003ccode\u003eFunction.prototype.call\u003c/code\u003e to invoke the \u003ccode\u003eSandboxGlobal\u003c/code\u003e constructor with a target global object (e.g., \u003ccode\u003eMath\u003c/code\u003e, \u003ccode\u003eJSON\u003c/code\u003e) and a payload object containing properties to overwrite.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSandboxGlobal\u003c/code\u003e constructor copies properties from the attacker-controlled payload object into the specified global object in the host environment, bypassing the intended write-time checks.\u003c/li\u003e\n\u003cli\u003eThe host environment\u0026rsquo;s global object is modified with attacker-supplied values.\u003c/li\u003e\n\u003cli\u003eSubsequent executions of SandboxJS instances within the same process now operate with the tainted global object.\u003c/li\u003e\n\u003cli\u003eIf the host application relies on the integrity of the mutated global objects, attacker can hijack control flow.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution in the host environment due to the modified global state.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows untrusted code to escape the SandboxJS sandbox and directly manipulate the host environment\u0026rsquo;s global objects. This can lead to a variety of impacts, including persistent cross-context contamination, where new sandbox instances are initialized with a tainted state. The modification of critical global objects can lead to unpredictable behavior and, in certain scenarios, enable complete control-flow hijack of the host application. The severity of the impact is considered critical due to the potential for widespread and persistent compromise. Affected versions: npm/@nyariv/sandboxjs (vulnerable: \u0026lt; 0.8.36).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to SandboxJS version 0.8.36 or later to patch the vulnerability (Affected Packages).\u003c/li\u003e\n\u003cli\u003eImplement monitoring for unexpected modifications to global objects within the host environment where SandboxJS is deployed (see rule \u0026ldquo;Detect SandboxJS Global Object Mutation via Constructor Call\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eConsider implementing additional layers of defense, such as restricting the capabilities of the host environment where SandboxJS is running, to minimize the impact of a successful sandbox escape (see rule \u0026ldquo;Detect SandboxJS Constructor Call to Global Objects\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eReview host application code that relies on global objects and consider implementing validation checks to ensure their integrity (see CVE-2026-34208).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T21:44:39Z","date_published":"2026-04-03T21:44:39Z","id":"/briefs/2026-04-sandboxjs-escape/","summary":"A sandbox integrity escape vulnerability exists in SandboxJS versions prior to 0.8.36, allowing untrusted code to bypass global write protections and mutate host shared global objects, potentially leading to cross-context persistence and broader compromise.","title":"SandboxJS Integrity Escape Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-sandboxjs-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","npm","javascript"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 31, 2026 (UTC), the Axios npm package, a popular JavaScript library for making HTTP/S requests used by millions of applications, was targeted in a supply chain attack. A compromised maintainer account was used to publish malicious versions of the package, specifically \u003ca href=\"mailto:axios@1.14.1\"\u003eaxios@1.14.1\u003c/a\u003e and \u003ca href=\"mailto:axios@0.30.4\"\u003eaxios@0.30.4\u003c/a\u003e, between approximately 00:21 and 03:30 UTC. This incident highlights the risks associated with software supply chains and the potential for attackers to inject malicious code into widely used components, impacting countless downstream applications. Defenders should prioritize monitoring their dependencies and implementing measures to detect and prevent such attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCompromise Maintainer Account:\u003c/strong\u003e An attacker gains unauthorized access to the credentials of an Axios npm package maintainer.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePublish Malicious Package Versions:\u003c/strong\u003e The attacker uses the compromised account to publish malicious versions of the Axios package (\u003ca href=\"mailto:axios@1.14.1\"\u003eaxios@1.14.1\u003c/a\u003e and \u003ca href=\"mailto:axios@0.30.4\"\u003eaxios@0.30.4\u003c/a\u003e) to the npm registry.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDependency Resolution:\u003c/strong\u003e Developers or automated build systems unknowingly download and incorporate the malicious Axios versions into their projects during dependency resolution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Code Execution:\u003c/strong\u003e The malicious code within the Axios package executes within the context of the affected applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (If Applicable):\u003c/strong\u003e Depending on the vulnerabilities exploited, the attacker may attempt to escalate privileges within the compromised environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Lateral Movement:\u003c/strong\u003e The attacker uses the compromised application as a beachhead to exfiltrate sensitive data or move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEstablish Persistence:\u003c/strong\u003e The attacker establishes persistent access to the compromised environment to maintain control.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAchieve Objectives:\u003c/strong\u003e The attacker achieves their ultimate objectives, which could include data theft, system disruption, or further compromise of the software supply chain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack on the Axios npm package has the potential to affect millions of applications that depend on the library. Successful exploitation could lead to data breaches, unauthorized access to systems, and widespread disruption of services. The exact scope of the impact depends on the nature of the malicious code injected into the Axios package and the vulnerabilities it exploits.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor npm package installations for the presence of \u003ca href=\"mailto:axios@1.14.1\"\u003eaxios@1.14.1\u003c/a\u003e and \u003ca href=\"mailto:axios@0.30.4\"\u003eaxios@0.30.4\u003c/a\u003e and investigate any occurrences (refer to the \u003cstrong\u003eOverview\u003c/strong\u003e section).\u003c/li\u003e\n\u003cli\u003eImplement integrity checks for npm packages to detect unauthorized modifications to dependencies.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious process execution within applications using the Axios library (see \u003cstrong\u003erule: \u0026ldquo;Detect Suspicious Process Execution from Axios\u0026rdquo;\u003c/strong\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T21:04:21Z","date_published":"2026-03-31T21:04:21Z","id":"/briefs/2026-03-axios-supply-chain/","summary":"The widely used Axios npm package was compromised via a supply chain attack on March 31, 2026, resulting in the publication of malicious versions through a compromised maintainer account.","title":"Axios npm Package Compromised in Supply Chain Attack","url":"https://feed.craftedsignal.io/briefs/2026-03-axios-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ed25519","signature-forgery","forge","javascript"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Forge library, a popular JavaScript cryptography toolkit, exhibits a signature forgery vulnerability in its Ed25519 implementation. Specifically, the verification process lacks a critical check to ensure that the scalar \u0026lsquo;S\u0026rsquo; is less than the group order \u0026lsquo;L\u0026rsquo; (S \u0026lt; L). This omission enables the acceptance of non-canonical signatures, effectively forging signatures. This vulnerability affects Forge versions prior to 1.4.0. An attacker could exploit this flaw to bypass security mechanisms that rely on the uniqueness of cryptographic signatures, such as authentication systems, replay protection, and signed-object canonicalization checks. This is especially critical for applications assuming that valid signatures are unique. The issue was identified in commit \u003ccode\u003e8e1d527fe8ec2670499068db783172d4fb9012e5\u003c/code\u003e and has been present since the introduction of Ed25519 support.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an application using Forge\u0026rsquo;s Ed25519 implementation for signature verification.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a valid Ed25519 signature for a specific message using a legitimate key pair.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the valid signature by adding the Ed25519 group order \u0026lsquo;L\u0026rsquo; to the \u0026lsquo;S\u0026rsquo; component of the signature (bytes 32-63), creating a non-canonical signature.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the forged, non-canonical signature to the vulnerable application for verification.\u003c/li\u003e\n\u003cli\u003eThe Forge library, due to the missing \u0026lsquo;S \u0026lt; L\u0026rsquo; check, incorrectly validates the forged signature as authentic.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application accepts the forged signature, potentially granting unauthorized access or allowing malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully bypasses authentication or authorization controls that rely on signature validation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a bypass of authentication and authorization mechanisms in applications that rely on Forge\u0026rsquo;s Ed25519 implementation for signature verification. This could result in unauthorized access to sensitive data, account compromise, or the execution of malicious commands. The number of affected applications is potentially significant, given Forge\u0026rsquo;s widespread use in JavaScript-based systems. This is further compounded by the vulnerability existing since the initial implementation of Ed25519 in the library. The impact of this vulnerability will vary, depending on how signatures are used within the application. Applications that depend on unique signatures for integrity checks are at significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Forge version 1.4.0 or later, which includes a fix for CVE-2026-33895 (\u003ca href=\"https://nvd.nist.gov/vuln/detail/CVE-2026-33895)\"\u003ehttps://nvd.nist.gov/vuln/detail/CVE-2026-33895)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eApply the provided patch to earlier versions of Forge to enforce strict canonical scalar validation in the Ed25519 verification path.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Forged Ed25519 Signatures via Modified S Value\u0026rdquo; to identify attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eAudit applications using Forge to identify and remediate any reliance on signature uniqueness for security-critical functions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T22:08:55Z","date_published":"2026-03-26T22:08:55Z","id":"/briefs/2026-09-forge-ed25519-forgery/","summary":"Forge is vulnerable to signature forgery in Ed25519 due to a missing check that S \u003c L, allowing non-canonical signatures and potentially bypassing authentication/authorization logic, affecting versions before 1.4.0.","title":"Forge Ed25519 Signature Forgery Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-09-forge-ed25519-forgery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["use-after-free","firefox","thunderbird","javascript","cve-2026-4723"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4723 is a critical use-after-free vulnerability affecting the JavaScript Engine component in Mozilla Firefox and Thunderbird. This flaw exists in versions prior to 149. A remote attacker could potentially exploit this vulnerability by crafting malicious JavaScript code that, when processed by a vulnerable browser or email client, triggers the use-after-free condition. The vulnerability was reported by Mozilla Corporation and assigned a CVSS v3.1 base score of 9.8, indicating a high…\u003c/p\u003e\n","date_modified":"2026-03-24T13:16:08Z","date_published":"2026-03-24T13:16:08Z","id":"/briefs/2026-03-firefox-thunderbird-uaf/","summary":"A use-after-free vulnerability, CVE-2026-4723, in the JavaScript Engine of Mozilla Firefox and Thunderbird before version 149 could allow arbitrary code execution if successfully exploited by an attacker.","title":"Mozilla Firefox and Thunderbird Use-After-Free Vulnerability (CVE-2026-4723)","url":"https://feed.craftedsignal.io/briefs/2026-03-firefox-thunderbird-uaf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["denial-of-service","javascript","node.js","jsrsasign","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe jsrsasign library, a popular JavaScript library for implementing cryptography standards, is susceptible to a denial-of-service vulnerability. Specifically, versions prior to 11.1.1 are vulnerable to CVE-2026-4598, where the \u003ccode\u003ebnModInverse\u003c/code\u003e function within \u003ccode\u003eext/jsbn2.js\u003c/code\u003e can enter an infinite loop when processing zero or negative inputs to the \u003ccode\u003eBigInteger.modInverse\u003c/code\u003e function. An attacker can exploit this by providing maliciously crafted values (e.g., \u003ccode\u003emodInverse(0, m)\u003c/code\u003e or `modInverse(-1…\u003c/p\u003e\n","date_modified":"2026-03-23T06:16:21Z","date_published":"2026-03-23T06:16:21Z","id":"/briefs/2026-03-jsrsasign-infinite-loop/","summary":"Jsrsasign versions before 11.1.1 are vulnerable to an infinite loop via the bnModInverse function when processing zero or negative inputs, potentially leading to a denial of service.","title":"Jsrsasign Infinite Loop Vulnerability (CVE-2026-4598)","url":"https://feed.craftedsignal.io/briefs/2026-03-jsrsasign-infinite-loop/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["marked"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","javascript","marked","vulnerability"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eA critical Denial of Service (DoS) vulnerability has been identified in \u003ccode\u003emarked@18.0.0\u003c/code\u003e. This vulnerability arises from the processing of a specific 3-byte input sequence: a tab character, a vertical tab character, and a newline character (\u003ccode\u003e\\x09\\x0b\\n\u003c/code\u003e). An unauthenticated attacker can exploit this by sending this sequence to a Node.js application utilizing the vulnerable version of the \u003ccode\u003emarked\u003c/code\u003e library. This input triggers an infinite recursion loop within the \u003ccode\u003emarked\u003c/code\u003e tokenizer during parsing, leading to unbounded memory allocation and ultimately causing the host Node.js application to crash due to Memory Exhaustion (OOM). This vulnerability allows for a total loss of availability for any application using the vulnerable library to process potentially untrusted input.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted input string containing the sequence \u003ccode\u003e\\x09\\x0b\\n\u003c/code\u003e to a Node.js application using \u003ccode\u003emarked@18.0.0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003espace()\u003c/code\u003e tokenizer in \u003ccode\u003emarked\u003c/code\u003e consumes the initial tab character (\u003ccode\u003e\\x09\u003c/code\u003e) using the regex \u003ccode\u003e/^(?:[ \\t]*(?:\\n|$))+/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe newline block rule fails to match the remaining \u003ccode\u003e\\x0b\\n\u003c/code\u003e sequence because the vertical tab is not accounted for in the rule \u003ccode\u003e[ \\t]\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe parser falls through to the \u003ccode\u003etext\u003c/code\u003e tokenizer (\u003ccode\u003e/^[^\\n]+/\u003c/code\u003e), which matches the \u003ccode\u003e\\x0b\\n\u003c/code\u003e sequence.\u003c/li\u003e\n\u003cli\u003eInside the \u003ccode\u003eblockTokens()\u003c/code\u003e function, the \u003ccode\u003etext\u003c/code\u003e tokenizer creates a text token.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eblockTokens()\u003c/code\u003e function then calls \u003ccode\u003einlineTokens()\u003c/code\u003e on the same input (\u003ccode\u003e\\x0b\\n\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003einlineTokens()\u003c/code\u003e function\u0026rsquo;s text rule matches \u003ccode\u003e\\x0b\\n\u003c/code\u003e and recursively calls \u003ccode\u003einlineTokens()\u003c/code\u003e again, leading to an infinite loop.\u003c/li\u003e\n\u003cli\u003eEach recursive call allocates new token objects and concatenates strings, causing memory usage to grow until the Node.js heap limit is reached, resulting in a crash.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability results in a High-Severity Denial of Service (DoS) via Memory Exhaustion. Any application, API, chatbot, or documentation system using \u003ccode\u003emarked@18.0.0\u003c/code\u003e to parse untrusted user input is vulnerable. The attack requires minimal resources from the attacker, only the ability to send a 3-byte payload, to cause a total loss of availability. The vulnerability affects \u003ccode\u003enpm/marked\u003c/code\u003e versions greater than or equal to 18.0.0 and less than or equal to 18.0.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of the \u003ccode\u003emarked\u003c/code\u003e library that addresses the infinite recursion vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor Node.js application logs for error messages indicating memory exhaustion or crashes, which might indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement input validation to sanitize or reject input containing the malicious \u003ccode\u003e\\x09\\x0b\\n\u003c/code\u003e sequence.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for \u003ccode\u003emarked\u003c/code\u003e process crashes due to memory exhaustion to identify exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-marked-dos/","summary":"A denial of service vulnerability exists in marked version 18.0.0 due to infinite recursion when processing a specific 3-byte sequence (tab, vertical tab, and newline), leading to unbounded memory allocation and application crash.","title":"Denial of Service Vulnerability in marked via Infinite Recursion","url":"https://feed.craftedsignal.io/briefs/2024-01-03-marked-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["locize client SDK"],"_cs_severities":["high"],"_cs_tags":["xss","dom-xss","postMessage","locize","javascript"],"_cs_type":"advisory","_cs_vendors":["locize"],"content_html":"\u003cp\u003eThe locize client SDK, a browser module integrating the locize InContext translation editor, contains a cross-origin vulnerability in versions prior to 4.0.21. The vulnerability stems from the SDK\u0026rsquo;s failure to validate the \u003ccode\u003eevent.origin\u003c/code\u003e property when handling \u003ccode\u003ewindow.addEventListener(\u0026quot;message\u0026quot;)\u003c/code\u003e events. This allows a malicious webpage sharing a window reference with a locize-enabled host (e.g., via an iframe) to send crafted \u003ccode\u003epostMessage\u003c/code\u003e calls, triggering internal handlers without proper authorization. Successful exploitation can lead to DOM-based XSS, hijacking of the \u003ccode\u003eapi.source\u003c/code\u003e and \u003ccode\u003eapi.origin\u003c/code\u003e properties, and CSS injection, potentially compromising the confidentiality and integrity of the application. This vulnerability was discovered via an internal security audit of the locize ecosystem.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker hosts a malicious webpage with the intent to exploit a locize-enabled application.\u003c/li\u003e\n\u003cli\u003eThe locize-enabled application embeds the attacker\u0026rsquo;s page as an iframe or has a \u003ccode\u003ewindow.opener\u003c/code\u003e/\u003ccode\u003ewindow.open\u003c/code\u003e relationship with it.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003epostMessage\u003c/code\u003e with a \u003ccode\u003esender\u003c/code\u003e field equal to \u003ccode\u003e\u0026quot;i18next-editor-frame\u0026quot;\u003c/code\u003e and a malicious payload targeted at specific handlers.\u003c/li\u003e\n\u003cli\u003eThe locize SDK\u0026rsquo;s \u003ccode\u003ewindow.addEventListener(\u0026quot;message\u0026quot;)\u003c/code\u003e handler receives the message and, without validating \u003ccode\u003eevent.origin\u003c/code\u003e, dispatches it to the internal handlers.\u003c/li\u003e\n\u003cli\u003eIf the attacker targets the \u003ccode\u003eeditKey\u003c/code\u003e or \u003ccode\u003ecommitKeys\u003c/code\u003e handlers, the attacker-controlled payload values are assigned to \u003ccode\u003eitem.node.innerHTML\u003c/code\u003e or \u003ccode\u003eitem.node.setAttribute(attr, value)\u003c/code\u003e, injecting malicious scripts or HTML.\u003c/li\u003e\n\u003cli\u003eIf the attacker targets the \u003ccode\u003eisLocizeEnabled\u003c/code\u003e handler, the \u003ccode\u003eapi.source\u003c/code\u003e and \u003ccode\u003eapi.origin\u003c/code\u003e are hijacked, redirecting subsequent messages to the attacker\u0026rsquo;s window and exfiltrating translation content.\u003c/li\u003e\n\u003cli\u003eIf the attacker targets the \u003ccode\u003erequestPopupChanges\u003c/code\u003e handler, malicious CSS code is injected into the popup\u0026rsquo;s inline style.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data or injects malicious content into the locize-enabled application, impacting its integrity and confidentiality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to several critical consequences. Cross-origin DOM XSS allows arbitrary code execution within the context of the vulnerable application. Hijacking \u003ccode\u003eapi.source\u003c/code\u003e and \u003ccode\u003eapi.origin\u003c/code\u003e results in the leakage of translation content and metadata to the attacker, compromising sensitive information. CSS injection can alter the visual appearance of the application, potentially leading to phishing attacks or further exploitation. The number of victims depends on the adoption rate of vulnerable locize SDK versions prior to 4.0.21.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003elocize\u003c/code\u003e client SDK version 4.0.21 or later to patch the vulnerability. This version implements \u003ccode\u003eevent.origin\u003c/code\u003e validation in \u003ccode\u003esrc/api/postMessage.js\u003c/code\u003e, mitigating the risk of cross-origin attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Locize Client SDK DOM XSS Attempt via postMessage\u0026rdquo; to identify exploitation attempts based on manipulation of \u003ccode\u003einnerHTML\u003c/code\u003e or \u003ccode\u003esetAttribute\u003c/code\u003e in the locize context.\u003c/li\u003e\n\u003cli\u003eEnable web server logging and monitor for suspicious \u003ccode\u003epostMessage\u003c/code\u003e events originating from unexpected domains to detect potential exploitation attempts targeting the locize SDK.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-locize-xss/","summary":"The locize client SDK versions prior to 4.0.21 are vulnerable to cross-origin DOM XSS and handler hijack due to missing origin validation in the InContext Editor, allowing attackers to inject malicious code and exfiltrate data via crafted postMessage events.","title":"locize Client SDK Cross-Origin DOM XSS and Handler Hijack Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-locize-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Javascript","version":"https://jsonfeed.org/version/1.1"}