Charlie Eriksen

**Nome do Software Vulnerável e Versões Afetadas** versões 4.4.2 do debug **Descrição** A conta de publicação do npm para o debug foi comprometida após um ataque de phishing em 8 de setembro de 2025. A versão 4.4.2 foi publicada com um payload malicioso projetado para redirecionar transações de criptomoedas dentro de ambientes de navegador. Ambientes que não utilizam o pacote em um contexto de navegador, como aplicações locais, de servidor ou de linha de comando, não são afetados. O malware tem como alvo especificamente transações de criptomoedas e carteiras como a MetaMask. **Recomendações** Atualize para a versão de patch mais recente, remova completamente o diretório `node modules`, limpe o cache global do gerenciador de pacotes e reconstrua quaisquer bundles do navegador. Aqueles que operam registros privados ou espelhos de registro devem expurgar as versões comprometidas de quaisquer caches. Se o comportamento suspeito persistir após a execução dessas etapas, entre em contato com o proprietário do pacote via Bluesky em https://bsky.app/profile/bad-at-computer.bsky.social ou através da issue de rastreamento no repositório `debug` em https://github.com/debug-js/debug/issues/1005.

**Nome do Software Vulnerável e Versões Afetadas:** DuckDB versões 1.3.3 @duckdb/node-api versão 1.3.3 @duckdb/node-bindings versão 1.3.3 @duckdb/duckdb-wasm versão 1.29.2 **Descrição:** Pacotes do DuckDB distribuídos para Node.js no npm foram comprometidos com malware destinado a interferir em transações de criptomoedas. Um atacante publicou versões maliciosas de vários pacotes do DuckDB. O ataque envolveu uma campanha de phishing direcionada a administradores do DuckDB, levando ao comprometimento das credenciais do npm e à publicação de pacotes maliciosos. O atacante criou uma réplica convincente do site do npm para roubar credenciais. **Recomendações:** Atualize `@duckdb/node-api` para a versão 1.3.4 ou superior. Atualize `@duckdb/node-bindings` para a versão 1.3.4 ou superior. Atualize `duckdb` para a versão 1.3.4 ou superior. Atualize `@duckdb/duckdb-wasm` para a versão 1.30.0 ou superior. Como medida temporária, faça downgrade do `@duckdb/node-api` para a versão 1.3.2. Como medida temporária, faça downgrade do `@duckdb/node-bindings` para a versão 1.3.2. Como medida temporária, faça downgrade do `duckdb` para a versão 1.3.2. Como medida temporária, faça downgrade do `@duckdb/duckdb-wasm` para a versão 1.29.1.

**Name of the Vulnerable Software and Affected Versions** WordPress Calendar plugin versions prior to 1.3.3 **Description** A cross-site request forgery issue allows remote attackers to hijack user authentication for requests that add calendar entries. **Recommendations** For WordPress Calendar plugin versions prior to 1.3.3, update to version 1.3.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** The Square Squash (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary code. This can be achieved via a YAML document in two parameters: the `namespace` parameter to the `deobfuscation` function or the `sourcemap` parameter to the `sourcemap` function, both located in the `app/controllers/api/v1 controller.rb` file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP-Print plugin versions prior to 2.52 **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators for requests that manipulate plugin settings. **Recommendations** For WP-Print plugin versions prior to 2.52, update to version 2.52 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** underConstruction plugin versions prior to 1.09 for WordPress **Description** The issue is related to a cross-site request forgery (CSRF) vulnerability. This allows remote attackers to hijack the authentication of administrators for requests that deactivate a plugin. The exact vectors used for the attack are not specified. **Recommendations** For underConstruction plugin versions prior to 1.09, update to version 1.09 or later to resolve the issue. As a temporary workaround, consider restricting access to plugin deactivation requests to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Graphite versions 0.9.5 through 0.9.10 **Description** The issue concerns the use of the pickle Python module in an unsafe manner by the renderLocalView function in render/views.py in graphite-web. This allows remote attackers to execute arbitrary code via a crafted serialized object. **Recommendations** For Graphite versions 0.9.5 through 0.9.10, consider disabling the renderLocalView function in render/views.py until a patch is available. Restrict access to the render/views.py module to minimize the risk of exploitation. Avoid using the pickle Python module with untrusted input in the affected Graphite versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Login With Ajax plugin versions prior to 3.1 **Description** A cross-site request forgery issue allows remote attackers to hijack the authentication of arbitrary users for requests that modify the plugin's settings. **Recommendations** For versions prior to 3.1, update to version 3.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WP-DownloadManager plugin versions prior to 1.61 **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. **Recommendations** For WP-DownloadManager plugin versions prior to 1.61, update to version 1.61 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Login With Ajax plugin versions prior to 3.0.4.1 **Description** The issue is related to a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML. This is achieved via the `callback` parameter. **Recommendations** For versions prior to 3.0.4.1, update to version 3.0.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `callback` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Login With Ajax plugin versions prior to 3.0.4.1 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML. This is achieved via the `callback` parameter in a `lostpassword` action to `wp-login.php`. **Recommendations** For versions prior to 3.0.4.1, update to version 3.0.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `lostpassword` action in `wp-login.php` to minimize the risk of exploitation. Avoid using the `callback` parameter in the affected API endpoint until the issue is resolved.