Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-4ya7-g77r-5fbd

Summary

Malicious code in ember-browser-services (npm)
This package was compromised by the Shai-Hulud NPM worm.
The malicious payload steals tokens and credentials and publishes
them to GitHub before propogating itself to NPM packages the user owns.

Aliases

alias	GHSA-7qrg-7gpf-jf9v

alias	MAL-2025-47306

Fixed_packages

Affected_packages

url pkg:npm/ember-browser-services@5.0.2

purl pkg:npm/ember-browser-services@5.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4ya7-g77r-5fbd

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ember-browser-services@5.0.2

url pkg:npm/ember-browser-services@5.0.3

purl pkg:npm/ember-browser-services@5.0.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4ya7-g77r-5fbd

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ember-browser-services@5.0.3

References

reference_url	https://github.com/advisories/MAL-2025-47306
reference_id
reference_type
scores
url	https://github.com/advisories/MAL-2025-47306

reference_url	https://semgrep.dev/blog/2025/security-advisory-npm-packages-using-secret-scanning-tools-to-steal-credentials/
reference_id
reference_type
scores
url	https://semgrep.dev/blog/2025/security-advisory-npm-packages-using-secret-scanning-tools-to-steal-credentials/

reference_url	https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages
reference_id
reference_type
scores
url	https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages

reference_url	https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages
reference_id
reference_type
scores
url	https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages

reference_url	https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
reference_id
reference_type
scores
url	https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again

reference_url	https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised
reference_id
reference_type
scores
url	https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised

reference_url	https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
reference_id
reference_type
scores
url	https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack

reference_url	https://github.com/advisories/GHSA-7qrg-7gpf-jf9v
reference_id	GHSA-7qrg-7gpf-jf9v
reference_type
scores
url	https://github.com/advisories/GHSA-7qrg-7gpf-jf9v

Weaknesses

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4ya7-g77r-5fbd

Vulnerability Instance