Charlie Eriksen

**Name of the Vulnerable Software and Affected Versions** debug versions 4.4.2 **Description** The npm publishing account for debug was compromised following a phishing attack on September 8, 2025. Version 4.4.2 was published with a malicious payload designed to redirect cryptocurrency transactions within browser environments. Environments not utilizing the package in a browser context, such as local, server, or command-line applications, are not affected. The malware specifically targets cryptocurrency transactions and wallets like MetaMask. **Recommendations** Upgrade to the latest patch version, completely remove the `node modules` directory, clean the package manager's global cache, and rebuild any browser bundles. Those operating private registries or registry mirrors should purge the compromised versions from any caches. If suspicious behavior persists after performing these steps, contact the package owner via Bluesky at https://bsky.app/profile/bad-at-computer.bsky.social or through the tracking issue on the `debug` repository at https://github.com/debug-js/debug/issues/1005.

**Name of the Vulnerable Software and Affected Versions:** DuckDB versions 1.3.3 @duckdb/node-api version 1.3.3 @duckdb/node-bindings version 1.3.3 @duckdb/duckdb-wasm version 1.29.2 **Description:** DuckDB packages distributed for Node.js on npm were compromised with malware intended to interfere with cryptocoin transactions. An attacker published malicious versions of several DuckDB packages. The attack involved a phishing campaign targeting DuckDB administrators, leading to the compromise of npm credentials and the publication of malicious packages. The attacker created a convincing replica of the npm website to steal credentials. **Recommendations:** Upgrade `@duckdb/node-api` to version 1.3.4 or a higher version. Upgrade `@duckdb/node-bindings` to version 1.3.4 or a higher version. Upgrade `duckdb` to version 1.3.4 or a higher version. Upgrade `@duckdb/duckdb-wasm` to version 1.30.0 or a higher version. As a workaround, downgrade `@duckdb/node-api` to version 1.3.2. As a workaround, downgrade `@duckdb/node-bindings` to version 1.3.2. As a workaround, downgrade `duckdb` to version 1.3.2. As a workaround, downgrade `@duckdb/duckdb-wasm` to version 1.29.1.

**Name of the Vulnerable Software and Affected Versions** WordPress Calendar plugin versions prior to 1.3.3 **Description** A cross-site request forgery issue allows remote attackers to hijack user authentication for requests that add calendar entries. **Recommendations** For WordPress Calendar plugin versions prior to 1.3.3, update to version 1.3.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** The Square Squash (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary code. This can be achieved via a YAML document in two parameters: the `namespace` parameter to the `deobfuscation` function or the `sourcemap` parameter to the `sourcemap` function, both located in the `app/controllers/api/v1 controller.rb` file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP-Print plugin versions prior to 2.52 **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators for requests that manipulate plugin settings. **Recommendations** For WP-Print plugin versions prior to 2.52, update to version 2.52 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** underConstruction plugin versions prior to 1.09 for WordPress **Description** The issue is related to a cross-site request forgery (CSRF) vulnerability. This allows remote attackers to hijack the authentication of administrators for requests that deactivate a plugin. The exact vectors used for the attack are not specified. **Recommendations** For underConstruction plugin versions prior to 1.09, update to version 1.09 or later to resolve the issue. As a temporary workaround, consider restricting access to plugin deactivation requests to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Graphite versions 0.9.5 through 0.9.10 **Description** The issue concerns the use of the pickle Python module in an unsafe manner by the renderLocalView function in render/views.py in graphite-web. This allows remote attackers to execute arbitrary code via a crafted serialized object. **Recommendations** For Graphite versions 0.9.5 through 0.9.10, consider disabling the renderLocalView function in render/views.py until a patch is available. Restrict access to the render/views.py module to minimize the risk of exploitation. Avoid using the pickle Python module with untrusted input in the affected Graphite versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Login With Ajax plugin versions prior to 3.1 **Description** A cross-site request forgery issue allows remote attackers to hijack the authentication of arbitrary users for requests that modify the plugin's settings. **Recommendations** For versions prior to 3.1, update to version 3.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WP-DownloadManager plugin versions prior to 1.61 **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. **Recommendations** For WP-DownloadManager plugin versions prior to 1.61, update to version 1.61 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Login With Ajax plugin versions prior to 3.0.4.1 **Description** The issue is related to a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML. This is achieved via the `callback` parameter. **Recommendations** For versions prior to 3.0.4.1, update to version 3.0.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `callback` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Login With Ajax plugin versions prior to 3.0.4.1 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML. This is achieved via the `callback` parameter in a `lostpassword` action to `wp-login.php`. **Recommendations** For versions prior to 3.0.4.1, update to version 3.0.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `lostpassword` action in `wp-login.php` to minimize the risk of exploitation. Avoid using the `callback` parameter in the affected API endpoint until the issue is resolved.