Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-spuz-gfx8-37ds

Summary

Malicious code in @operato/help (npm)
This package was compromised by the Shai-Hulud NPM worm.
The malicious payload steals tokens and credentials and publishes
them to GitHub before propogating itself to NPM packages the user owns.

Aliases

alias	GHSA-2pjr-w8h7-fpxf

alias	MAL-2025-47256

Fixed_packages

Affected_packages

url pkg:npm/%40operato/help@9.0.35

purl pkg:npm/%40operato/help@9.0.35

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-spuz-gfx8-37ds

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540operato/help@9.0.35

url pkg:npm/%40operato/help@9.0.36

purl pkg:npm/%40operato/help@9.0.36

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-spuz-gfx8-37ds

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540operato/help@9.0.36

url pkg:npm/%40operato/help@9.0.37

purl pkg:npm/%40operato/help@9.0.37

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-spuz-gfx8-37ds

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540operato/help@9.0.37

url pkg:npm/%40operato/help@9.0.38

purl pkg:npm/%40operato/help@9.0.38

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-spuz-gfx8-37ds

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540operato/help@9.0.38

url pkg:npm/%40operato/help@9.0.39

purl pkg:npm/%40operato/help@9.0.39

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-spuz-gfx8-37ds

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540operato/help@9.0.39

url pkg:npm/%40operato/help@9.0.40

purl pkg:npm/%40operato/help@9.0.40

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-spuz-gfx8-37ds

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540operato/help@9.0.40

url pkg:npm/%40operato/help@9.0.41

purl pkg:npm/%40operato/help@9.0.41

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-spuz-gfx8-37ds

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540operato/help@9.0.41

url pkg:npm/%40operato/help@9.0.42

purl pkg:npm/%40operato/help@9.0.42

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-spuz-gfx8-37ds

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540operato/help@9.0.42

url pkg:npm/%40operato/help@9.0.43

purl pkg:npm/%40operato/help@9.0.43

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-spuz-gfx8-37ds

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540operato/help@9.0.43

url pkg:npm/%40operato/help@9.0.44

purl pkg:npm/%40operato/help@9.0.44

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-spuz-gfx8-37ds

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540operato/help@9.0.44

url pkg:npm/%40operato/help@9.0.45

purl pkg:npm/%40operato/help@9.0.45

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-spuz-gfx8-37ds

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540operato/help@9.0.45

url pkg:npm/%40operato/help@9.0.46

purl pkg:npm/%40operato/help@9.0.46

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-spuz-gfx8-37ds

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540operato/help@9.0.46

url pkg:npm/%40operato/help@9.0.47

purl pkg:npm/%40operato/help@9.0.47

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-spuz-gfx8-37ds

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540operato/help@9.0.47

url pkg:npm/%40operato/help@9.0.48

purl pkg:npm/%40operato/help@9.0.48

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-spuz-gfx8-37ds

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540operato/help@9.0.48

url pkg:npm/%40operato/help@9.0.49

purl pkg:npm/%40operato/help@9.0.49

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-spuz-gfx8-37ds

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540operato/help@9.0.49

url pkg:npm/%40operato/help@9.0.50

purl pkg:npm/%40operato/help@9.0.50

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-spuz-gfx8-37ds

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540operato/help@9.0.50

url pkg:npm/%40operato/help@9.0.51

purl pkg:npm/%40operato/help@9.0.51

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-spuz-gfx8-37ds

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540operato/help@9.0.51

References

reference_url	https://github.com/advisories/MAL-2025-47256
reference_id
reference_type
scores
url	https://github.com/advisories/MAL-2025-47256

reference_url	https://semgrep.dev/blog/2025/security-advisory-npm-packages-using-secret-scanning-tools-to-steal-credentials/
reference_id
reference_type
scores
url	https://semgrep.dev/blog/2025/security-advisory-npm-packages-using-secret-scanning-tools-to-steal-credentials/

reference_url	https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages
reference_id
reference_type
scores
url	https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages

reference_url	https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
reference_id
reference_type
scores
url	https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again

reference_url	https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised
reference_id
reference_type
scores
url	https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised

reference_url	https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
reference_id
reference_type
scores
url	https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack

reference_url	https://github.com/advisories/GHSA-2pjr-w8h7-fpxf
reference_id	GHSA-2pjr-w8h7-fpxf
reference_type
scores
url	https://github.com/advisories/GHSA-2pjr-w8h7-fpxf

Weaknesses

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-spuz-gfx8-37ds

Vulnerability Instance