## Critical Supply Chain Risk: webpack-plugin-injector 1.0.6 Exposes Projects to 10 High-Severity Vulnerabilities
A critical security alert has been issued for the widely used `webpack-plugin-injector` npm package, version 1.0.6. The library contains 10 distinct vulnerabilities, with the highest severity rated a critical 9.8 on the CVSS scale. Crucially, these vulnerabilities are flagged as 'reachable,' meaning the exploitable code paths are present and active within dependent applications, significantly increasing the immediate risk of compromise. This is not a dormant threat; it's a live, exploitable weakness in the software supply chain.

The vulnerable library was identified in multiple dependency paths within a project structure, including `/src/Administration/Resources/app/administration/package.json` and `/src/Storefront/Resources/app/storefront/package.json`. The presence of the package across different application components (administration and storefront) suggests a broad attack surface. The specific vulnerabilities, such as CVE-2022-37601, are documented in public databases like Mend (formerly WhiteSource), indicating these are known, published flaws that malicious actors can easily target.

This discovery highlights a severe supply chain risk for any project relying on this specific version of `webpack-plugin-injector`. Developers and security teams must immediately audit their dependencies to identify whether this package is in use, including transitive dependencies pulled in by build tooling rather than declared directly. The 'reachable' classification transforms this from a theoretical vulnerability into a pressing operational security incident, demanding urgent remediation to prevent potential code injection, data breaches, or system takeover. The widespread use of webpack in modern JavaScript development amplifies the potential impact across countless web applications and build pipelines.

---
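The dependency audit the advisory calls for, as an added example (not code from the advisory or from any project it names): a Node script that walks an npm lockfile's `packages` map (lockfileVersion 2 or 3), resolves each dependency the way Node does, and reports every chain from the project root that reaches the exact vulnerable version. The sample lockfile and the `build-tool-*` package names are constructed; only `webpack-plugin-injector@1.0.6` comes from the advisory.

```javascript
// Constructed sample lockfile; package names other than the advisory's
// webpack-plugin-injector@1.0.6 are invented for illustration.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "storefront", dependencies: { "build-tool-a": "^1.0.0", "build-tool-b": "^2.0.0", "webpack-plugin-injector": "1.0.6" } },
    "node_modules/webpack-plugin-injector": { version: "1.0.6" },
    "node_modules/build-tool-a": { version: "1.2.0", dependencies: { "webpack-plugin-injector": "1.0.6" } },
    "node_modules/build-tool-b": { version: "2.0.0", dependencies: { "webpack-plugin-injector": "^1.1.0" } },
    // Nested copy: build-tool-b resolves to its own node_modules first, so it is NOT on 1.0.6.
    "node_modules/build-tool-b/node_modules/webpack-plugin-injector": { version: "1.1.0" },
  },
};

// Resolve `name` from package location `loc` the way Node does: look in
// loc/node_modules/name, then in each ancestor's node_modules, ending at the root.
function resolveDep(packages, loc, name) {
  let dir = loc;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (dir === "") return null;
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx === -1 ? "" : dir.slice(0, idx);
  }
}

// Depth-first walk from the root; returns chains such as
// "storefront > build-tool-a@1.2.0 > webpack-plugin-injector@1.0.6".
function findVulnerablePaths(lock, name, version) {
  const packages = lock.packages || {};
  const hits = [];
  const walk = (loc, chainLocs, chainLabels) => {
    const entry = packages[loc];
    const label = loc === "" ? entry.name || "(root)" : `${loc.split("node_modules/").pop()}@${entry.version}`;
    const labels = chainLabels.concat(label);
    if (loc.endsWith(`node_modules/${name}`) && entry.version === version) { hits.push(labels.join(" > ")); return; }
    for (const dep of Object.keys(entry.dependencies || {})) {
      const target = resolveDep(packages, loc, dep);
      if (target && !chainLocs.includes(target)) walk(target, chainLocs.concat(target), labels); // skip cycles
    }
  };
  if (packages[""]) walk("", [""], []);
  return hits;
}

console.log(findVulnerablePaths(sampleLock, "webpack-plugin-injector", "1.0.6"));
```

Run it against each lockfile in the repository (for example one per workspace such as the administration and storefront apps) after loading the file with `JSON.parse`; an empty result for a workspace means the pinned version is not installed there, not that no other version is.
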
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: supply-chain, npm, vulnerability, webpack, javascript
- **Credibility**: unverified
- **Published**: 2026-04-10 00:39:43
- **ID**: 57823
- **URL**: https://whisperx.ai/en/intel/57823