Affected versions of
closure-util insecurely download an executable over an unencrypted HTTP connection.
In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running
To mitigate this issue:
1. Install the package using npm's
2. Navigate to the package directory, and open
default-config.json in a text editor
3. Change the download URLs in the
npm i in the package directory.