Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-b7kj-s3k8-c3cv

Summary

Malicious code in @nativescript-community/ui-material-tabs (npm)
This package was compromised by the Shai-Hulud NPM worm.
The malicious payload steals tokens and credentials and publishes
them to GitHub before propogating itself to NPM packages the user owns.

Aliases

alias	GHSA-7w3j-2v86-2cqm

alias	MAL-2025-47159

Fixed_packages

Affected_packages

url pkg:npm/%40nativescript-community/ui-material-tabs@7.2.72

purl pkg:npm/%40nativescript-community/ui-material-tabs@7.2.72

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-b7kj-s3k8-c3cv

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540nativescript-community/ui-material-tabs@7.2.72

url pkg:npm/%40nativescript-community/ui-material-tabs@7.2.73

purl pkg:npm/%40nativescript-community/ui-material-tabs@7.2.73

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-b7kj-s3k8-c3cv

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540nativescript-community/ui-material-tabs@7.2.73

url pkg:npm/%40nativescript-community/ui-material-tabs@7.2.74

purl pkg:npm/%40nativescript-community/ui-material-tabs@7.2.74

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-b7kj-s3k8-c3cv

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540nativescript-community/ui-material-tabs@7.2.74

url pkg:npm/%40nativescript-community/ui-material-tabs@7.2.75

purl pkg:npm/%40nativescript-community/ui-material-tabs@7.2.75

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-b7kj-s3k8-c3cv

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540nativescript-community/ui-material-tabs@7.2.75

References

reference_url	https://github.com/advisories/MAL-2025-47159
reference_id
reference_type
scores
url	https://github.com/advisories/MAL-2025-47159

reference_url	https://semgrep.dev/blog/2025/security-advisory-npm-packages-using-secret-scanning-tools-to-steal-credentials/
reference_id
reference_type
scores
url	https://semgrep.dev/blog/2025/security-advisory-npm-packages-using-secret-scanning-tools-to-steal-credentials/

reference_url	https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages
reference_id
reference_type
scores
url	https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages

reference_url	https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
reference_id
reference_type
scores
url	https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again

reference_url	https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised
reference_id
reference_type
scores
url	https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised

reference_url	https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
reference_id
reference_type
scores
url	https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack

reference_url	https://github.com/advisories/GHSA-7w3j-2v86-2cqm
reference_id	GHSA-7w3j-2v86-2cqm
reference_type
scores
url	https://github.com/advisories/GHSA-7w3j-2v86-2cqm

Weaknesses

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score null

Exploitability 0.5

Weighted_severity 0.0

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-b7kj-s3k8-c3cv

Vulnerability Instance