
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN520
_____________________________________________________________________

DATE                : 19/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running @opensearch-project/opensearch (npm)
                     versions 3.5.3, 3.6.2, 3.7.0, 3.8.0.

=====================================================================
https://github.com/opensearch-project/opensearch-js/security/advisories/GHSA-27f5-xjrr-q9ff
_____________________________________________________________________


Malware in @opensearch-project/opensearch
Critical
getsaurabh02 published GHSA-27f5-xjrr-q9ff May 12, 2026

Package
@opensearch-project/opensearch (npm)

Affected versions
= 3.5.3
= 3.6.2
= 3.7.0
= 3.8.0

Patched versions
None


Description

Overview

The OpenSearch Project has sustained a security incident in which
an external actor gained force-push permissions within the
project's CI infrastructure and used them to embed malicious code
into four release versions of @opensearch-project/opensearch.
Users are instructed to immediately take the actions recommended
in the Remediation section of this advisory.


Affected Versions

Package: @opensearch-project/opensearch

Version   Published (UTC)         Published (America/New_York)
3.5.3     2026-05-12T00:47:39Z    May 11, 2026, 8:47:39 PM EDT
3.6.2     2026-05-12T00:29:34Z    May 11, 2026, 8:29:34 PM EDT
3.7.0     2026-05-12T00:42:29Z    May 11, 2026, 8:42:29 PM EDT
3.8.0     2026-05-12T00:43:54Z    May 11, 2026, 8:43:54 PM EDT


Remediation

Any computer that has these package versions installed or updated
between 00:00 UTC 12 May 2026 (8:00 PM EDT 11 May 2026) and
10:00 UTC 12 May 2026 (6:00 AM EDT 12 May 2026) should be
considered fully compromised. Steps should immediately be taken
to prevent further compromise.

  - All secrets and keys stored on that computer should be rotated
    immediately from an alternate system.
  - The affected packages should be removed immediately, but as
    full control of the computer may have been given to an outside
    entity, there is no guarantee that removing the package will
    remove all malicious software resulting from installing it.


References

GHSA-g7cv-rxg3-hmpx
TanStack/router#7383


Severity
Critical (9.6 / 10)

CVSS v3 base metrics
Attack vector      : Network
Attack complexity  : Low
Privileges required: None
User interaction   : Required
Scope              : Changed
Confidentiality    : High
Integrity          : High
Availability       : High
Vector string      : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE ID
No known CVE

Weaknesses
CWE-506

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================