Malicious Package in boogeyman

2020-09-01T21:07:41
ID GHSA-9HC2-W9GG-Q6JW
Type github
Reporter GitHub Advisory Database
Modified 2020-09-01T21:07:41

Description

All versions of boogeyman are considered malicious. This particular package would download a payload from pastebin.com, eval it to read SSH keys and the user's .npmrc, and send them to a private pastebin account.

Recommendation

This package was published to the npm Registry for a very short period of time. If you happen to find it in your environment, you should revoke and rotate your SSH keys and your npm token.
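To tell whether a given project ever pulled this package in, the following is an added example (not part of the advisory or the boogeyman package) that scans the text of an npm package-lock.json for the package name; the sample lockfiles and their version numbers are constructed.

```javascript
// Added example, not code from the advisory: scan the contents of an npm
// package-lock.json for the malicious "boogeyman" package so an operator can
// tell whether the SSH key and npm token rotation advice applies to a project.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 ("packages").
const MALICIOUS_PACKAGES = new Set(["boogeyman"]);

// lockfileVersion 1: "dependencies" is a tree of nested objects.
function walkV1(deps, path, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const where = path ? `${path} > ${name}` : name;
    if (MALICIOUS_PACKAGES.has(name)) hits.push({ name, version: info.version, where });
    if (info.dependencies) walkV1(info.dependencies, where, hits);
  }
}

// lockfileVersion 2/3: "packages" is flat, keyed like
// "node_modules/a/node_modules/@scope/b"; the "" key is the root project.
function walkPackages(packages, hits) {
  for (const [key, info] of Object.entries(packages || {})) {
    if (key === "") continue;
    const name = key.split("node_modules/").pop();
    if (MALICIOUS_PACKAGES.has(name)) hits.push({ name, version: info.version, where: key });
  }
}

// Returns every occurrence of a listed malicious package in the lockfile text.
function findMaliciousPackages(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const hits = [];
  if (lock.lockfileVersion >= 2 && lock.packages) walkPackages(lock.packages, hits);
  else walkV1(lock.dependencies, "", hits);
  return hits;
}

// Constructed sample lockfiles (not real projects); versions are placeholders.
const SAMPLE_V3 = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-tool": { version: "2.0.0" },
    "node_modules/some-tool/node_modules/boogeyman": { version: "0.0.0" },
  },
});
const SAMPLE_V1 = JSON.stringify({
  lockfileVersion: 1,
  dependencies: { "some-tool": { version: "2.0.0", dependencies: { boogeyman: { version: "0.0.0" } } } },
});
```

Feed `findMaliciousPackages` the contents of a real package-lock.json; a non-empty result means the package was installed as a transitive or direct dependency and the rotation steps above apply.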