Malware advisory

GHSA-c83v-7274-4vgp

Malicious website can execute commands on the local system through XSS in the OpenCode web UI

4 affected releases in the PkgRadar corpus · published 2026-01-13 · upstream advisory

Affected packages

Package	Ecosystem	Version	Verdict	Scanned (UTC)
`opencode-ai`	npm	`0.0.0-dev-202605250153`	Review	2026-05-25
`opencode-ai`	npm	`0.0.0-dev-202605250758`	Review	2026-05-25
`opencode-ai`	npm	`0.0.0-beta-202605251010`	Review	2026-05-25
`opencode-ai`	npm	`0.0.0-dev-202605250943`	Review	2026-05-25

PkgRadar blocks these releases at the CI gate before they reach your build. Start free or see all advisories.