jsrsasign is vulnerable to Insecure Randomness
Score: 75 (High Risk)
Affected versions of this package are vulnerable to the use of a cryptographically insecure or improperly selected random number generator in certain environments, including Node.js ≥ 19 and modern browsers. The affected logic in SecureRandom may fall back to or incorrectly select a non-cryptographic RNG, leading to generation of predictable values for security-sensitive operations such as key generation, signatures, or nonces. An attacker able to exploit this weakness can predict or brute-force generated values, potentially compromising cryptographic guarantees and enabling further attacks.
You are affected if you are using a version that falls within the vulnerable range.
jsrsasign is vulnerable to Insecure Randomness in versions 4.1.2 - 11.1.1.
Upgrade the jsrsasign library to the patched version.
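One way to check a project against the affected range stated above, as an added example that is not part of the original advisory or of jsrsasign: it walks the `packages` map of an npm lockfile (v2/v3 layout) and reports every direct or nested jsrsasign install whose version falls within 4.1.2 - 11.1.1. The sample lockfile, its package names and the helper names (`classify`, `findAffected`) are constructed for illustration.

```javascript
// Added example (not from the advisory): find jsrsasign installs in the affected range.
const AFFECTED = { name: "jsrsasign", min: "4.1.2", max: "11.1.1" }; // range stated in the advisory

// Parse "major.minor.patch" into numbers. A prerelease suffix is ignored;
// non-semver values (git URLs, tags, missing versions) yield null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison, so that 10.x sorts above 4.x (string comparison would not).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "affected", "not-affected", or "unknown" (unparseable: review by hand).
function classify(version) {
  const v = parseVersion(version);
  if (!v) return "unknown";
  const inRange = compareVersions(v, parseVersion(AFFECTED.min)) >= 0 &&
                  compareVersions(v, parseVersion(AFFECTED.max)) <= 0;
  return inRange ? "affected" : "not-affected";
}

// Walk the lockfile "packages" map; nested copies pulled in by other packages count too.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + AFFECTED.name)) continue;
    const status = classify(meta.version);
    if (status !== "not-affected") hits.push({ path, version: meta.version, status });
  }
  return hits;
}

// Constructed sample lockfile (hypothetical package names and versions).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/jsrsasign": { version: "10.5.27" },
  "node_modules/example-jwt-lib/node_modules/jsrsasign": { version: "11.1.1" },
  "node_modules/example-legacy/node_modules/jsrsasign": { version: "4.1.1" },
  "node_modules/jsrsasign-util": { version: "1.0.5" },
} };

console.log(findAffected(sampleLock));
```

To run it against a real project, replace `sampleLock` with the parsed contents of the project's `package-lock.json`.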