[GH-ISSUE #136] 🚨 CRITICAL VULNERABILITY: sweetalert2 contains malicious code #113

New issue

Closed

opened 2026-02-26 21:34:29 +03:00 by kerem · 3 comments

kerem commented

2026-02-26 21:34:29 +03:00

Owner

Originally created by @chudnyi on GitHub (Sep 29, 2025).
Original GitHub issue: https://github.com/eduardolat/pgbackweb/issues/136

🚨 CRITICAL VULNERABILITY: sweetalert2 contains malicious code

Problem Discovery

While using pgbackweb 0.5.0, I detected suspicious behavior: after some time of service operation, the login screen gets blocked and an audio file starts playing automatically.

Evidence

Interface blocking: Authorization screen becomes unresponsive
Unauthorized audio: Plays https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3
Code analysis: Found hidden functions in the sweetalert2 component

Reproduction Steps

Install pgbackweb with current dependencies
Start the service
Wait several days
Observe interface blocking + audio playback

Affected Versions

pgbackweb version 0.5.0
Any versions using sweetalert2

Technical Details

Malicious Pull Request: [Customizable Anti-War Message with CLI Support to SweetAlert2](https://github.com/sweetalert2/sweetalert2/pull/2785) by kenara
File location: Ukraina.mp3 can be found in internal/view/static/libs/sweetalert2/sweetalert2-11.13.1.min.js
Attack vector: The malicious code was introduced through a seemingly legitimate pull request that added "anti-war messaging" functionality

Questions for Developers

When will an official fix be released?
Have other dependencies been checked for security?
Will a full code security audit be conducted?
What is the timeline for removing the compromised sweetalert2 dependency?
Are there any immediate mitigation steps users can take?

Severity Level

🚨 CRITICAL - this vulnerability allows:

Service disruption
Arbitrary content playback
Interface functionality breakdown
Unauthorized network requests
Potential for more severe payload delivery

Immediate Actions Required

Remove sweetalert2 dependency immediately
Scan all dependencies for similar compromise
Notify users of the security issue
Release patched version without the malicious dependency

Originally created by @chudnyi on GitHub (Sep 29, 2025). Original GitHub issue: https://github.com/eduardolat/pgbackweb/issues/136 # 🚨 CRITICAL VULNERABILITY: sweetalert2 contains malicious code ## Problem Discovery While using pgbackweb 0.5.0, I detected suspicious behavior: after some time of service operation, the login screen gets blocked and an audio file starts playing automatically. ## Evidence * **Interface blocking**: Authorization screen becomes unresponsive * **Unauthorized audio**: Plays `https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3` * **Code analysis**: Found hidden functions in the `sweetalert2` component ## Reproduction Steps 1. Install pgbackweb with current dependencies 2. Start the service 3. Wait several days 4. Observe interface blocking + audio playback ## Affected Versions * pgbackweb version 0.5.0 * Any versions using `sweetalert2` ## Technical Details * **Malicious Pull Request**: [[Customizable Anti-War Message with CLI Support to SweetAlert2](https://github.com/sweetalert2/sweetalert2/pull/2785)](https://github.com/sweetalert2/sweetalert2/pull/2785) by kenara * **File location**: Ukraina.mp3 can be found in `internal/view/static/libs/sweetalert2/sweetalert2-11.13.1.min.js` * **Attack vector**: The malicious code was introduced through a seemingly legitimate pull request that added "anti-war messaging" functionality ## Questions for Developers - [ ] When will an official fix be released? - [ ] Have other dependencies been checked for security? - [ ] Will a full code security audit be conducted? - [ ] What is the timeline for removing the compromised sweetalert2 dependency? - [ ] Are there any immediate mitigation steps users can take? ## Severity Level 🚨 **CRITICAL** - this vulnerability allows: * Service disruption * Arbitrary content playback * Interface functionality breakdown * Unauthorized network requests * Potential for more severe payload delivery ## Immediate Actions Required - [ ] Remove sweetalert2 dependency immediately - [ ] Scan all dependencies for similar compromise - [ ] Notify users of the security issue - [ ] Release patched version without the malicious dependency

kerem closed this issue

2026-02-26 21:34:29 +03:00

kerem commented

2026-02-26 21:34:30 +03:00

Author

Owner

@Kreol13 commented on GitHub (Oct 1, 2025):

The author promised to fix it six months ago, but the situation is still the same - https://github.com/eduardolat/pgbackweb/issues/115

@Kreol13 commented on GitHub (Oct 1, 2025): The author promised to fix it six months ago, but the situation is still the same - https://github.com/eduardolat/pgbackweb/issues/115

kerem commented

2026-02-26 21:34:30 +03:00

Author

Owner

@eduardolat commented on GitHub (Oct 6, 2025):

Fixed in v0.5.1

@eduardolat commented on GitHub (Oct 6, 2025): Fixed in v0.5.1

kerem commented

2026-02-26 21:34:30 +03:00

Author

Owner

@chudnyi commented on GitHub (Oct 6, 2025):