PackageFix Blog
CVE digests, supply chain attack breakdowns, and fix guides for npm, PyPI, Ruby, PHP, Go, Rust, and Java.
Weekly CVE Digest — April 10, 2026
Angular SSR CRITICAL SSRF (CVSS 9.2), multer DoS, cryptography buffer overflow, 1,700 malicious npm/PyPI packages from North Korea-linked campaign.
How the axios Attack Used plain-crypto-js as a Transitive Dependency
Technical breakdown of how the March 2026 supply chain attack exploited npm transitive dependency installation.
axios npm Supply Chain Attack — March 31, 2026
axios@1.14.1 and axios@0.30.4 backdoored with a RAT via plain-crypto-js@4.2.1. IOCs, timeline, remediation.
Weekly CVE Digest — April 1, 2026
6 CVEs: mysql2 RCE (CRITICAL), Werkzeug debugger RCE (CRITICAL), gunicorn HTTP smuggling, rustls, express, fiber.
Ruby on Rails Security Releases 2024 — Complete CVE List
All 8 Rails CVEs in 2024 including October batch and December host authorization bypass.
multer 1.4.5-lts.1 — Why npm Skips It and How to Update
multer 1.4.5-lts.1 is now itself vulnerable (CVE-2025-47944). Safe version: multer@2.1.1.
Transitive Package Vulnerability — What It Is and How to Fix It
CVEs in packages you didn't install directly. Real examples: qs via Express, minimist, Log4Shell.
Weekly CVE Digest — March 29, 2026
6 CVEs across npm, PyPI, Go, and Rust ecosystems.
Weekly CVE Digest — March 22, 2026
7 CVEs including Log4Shell, Spring4Shell, SnakeYAML RCE.
5 Supply Chain Attacks That npm audit Would Have Missed
Typosquatting, dependency confusion, zombie packages, Glassworm attacks.