## Overview
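The `nodecaffe` package is malware that steals environment variables and sends them to attacker-controlled locations. Because environment variables often hold registry tokens and other credentials, its presence should be treated as a credential exposure.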
All versions have been unpublished from the npm registry.
## Recommendation
Because this package is malware, finding it installed in your environment means the real security concern is determining how it got there.
If you have found this installed in your environment, you should:
1. Delete the package
2. Clear your npm cache
3. Ensure it is not listed in any other package.json files on your system.
4. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables. Deleting the package does not undo the disclosure, so treat every such value as exposed.
Additionally, review any service that may have been exposed via credentials in your environment variables, such as a database, for indicators of compromise.
## References
[GitHub Advisory](https://github.com/advisories/GHSA-2wpq-vvw6-67wr)
{"id": "NODEJS:509", "type": "nodejs", "bulletinFamily": "software", "title": "Hijacked Environment Variables", "description": "## Overview\n\nThe `nodecaffe` package is a piece of malware that steals environment variables and sends them to attacker controlled locations. \n\nAll versions have been unpublished from the npm registry.\n\n## Recommendation\n\nAs this package is malware, if you find it installed in your environment, the real security concern is determining how it got there. \n\nIf you have found this installed in your environment, you should:\n1. Delete the package\n2. Clear your npm cache\n3. Ensure it is not present in any other package.json files on your system\n4. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables. \n\nAdditionally, any service which may have been exposed via credentials in your environment variables, such as a database, should be reviewed for indicators of compromise as well.\n\n## References\n\n[GitHub Advisory](https://github.com/advisories/GHSA-2wpq-vvw6-67wr)", "published": "2017-08-08T23:34:26", "modified": "2021-09-23T07:56:55", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", 
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://www.npmjs.com/advisories/509", "reporter": "Anonymous", "references": [], "cvelist": ["CVE-2017-16070"], "immutableFields": [], "lastseen": "2021-09-23T06:35:56", "viewCount": 27, "enchantments": {"score": {"value": 4.6, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-16070"]}, {"type": "github", "idList": ["GHSA-2WPQ-VVW6-67WR"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310113208"]}, {"type": "osv", "idList": ["OSV:GHSA-2WPQ-VVW6-67WR"]}]}, "backreferences": {"references": [{"type": "cert", "idList": ["VU:319816"]}, {"type": "cve", "idList": ["CVE-2017-16070"]}, {"type": "github", "idList": ["GHSA-2WPQ-VVW6-67WR"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310113208"]}, {"type": "osv", "idList": ["OSV:GHSA-2WPQ-VVW6-67WR"]}, {"type": "threatpost", "idList": ["THREATPOST:12B9BFB35BF21AD95E3A7F11B241431F"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "nodecaffe", "version": 0}]}, "vulnersScore": 4.6}, "affectedSoftware": [{"operator": "ge", "version": "0.0.0", "name": "nodecaffe"}], "_state": {"dependencies": 1659916711, "score": 1659842276, "affected_software_major_version": 1666695388}, "_internal": {"score_hash": "e28c350e1bec238cd60a82322eb430bf"}}
{"github": [{"lastseen": "2023-01-09T05:07:29", "description": "The `nodecaffe` package is a piece of malware that steals environment variables and sends them to attacker controlled locations. \n\nAll versions have been unpublished from the npm registry.\n\n\n## Recommendation\n\nAs this package is malware, if you find it installed in your environment, the real security concern is determining how it got there. \n\nIf you have found this installed in your environment, you should:\n1. Delete the package\n2. Clear your npm cache\n3. Ensure it is not present in any other package.json files on your system\n4. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables. \n\nAdditionally, any service which may have been exposed via credentials in your environment variables, such as a database, should be reviewed for indicators of compromise as well.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-29T23:38:35", "type": "github", "title": "Hijacked Environment Variables in nodecaffe", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16070"], 
"modified": "2023-01-09T05:02:30", "id": "GHSA-2WPQ-VVW6-67WR", "href": "https://github.com/advisories/GHSA-2wpq-vvw6-67wr", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "osv": [{"lastseen": "2022-05-11T21:41:21", "description": "The `nodecaffe` package is a piece of malware that steals environment variables and sends them to attacker controlled locations. \n\nAll versions have been unpublished from the npm registry.\n\n\n## Recommendation\n\nAs this package is malware, if you find it installed in your environment, the real security concern is determining how it got there. \n\nIf you have found this installed in your environment, you should:\n1. Delete the package\n2. Clear your npm cache\n3. Ensure it is not present in any other package.json files on your system\n4. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables. \n\nAdditionally, any service which may have been exposed via credentials in your environment variables, such as a database, should be reviewed for indicators of compromise as well.", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-29T23:38:35", "type": "osv", "title": "Hijacked Environment Variables in nodecaffe", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16070"], "modified": "2021-09-16T20:56:28", "id": "OSV:GHSA-2WPQ-VVW6-67WR", "href": "https://osv.dev/vulnerability/GHSA-2wpq-vvw6-67wr", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2022-03-23T14:31:51", "description": "nodecaffe was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-07T02:29:00", "type": "cve", "title": "CVE-2017-16070", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16070"], "modified": "2019-10-09T23:24:00", "cpe": ["cpe:/a:nodecaffe_project:nodecaffe:*"], "id": "CVE-2017-16070", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16070", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:nodecaffe_project:nodecaffe:*:*:*:*:*:node.js:*:*"]}], "openvas": [{"lastseen": "2020-04-30T18:14:14", 
"bulletinFamily": "scanner", "cvelist": ["CVE-2017-16079", "CVE-2017-16054", "CVE-2017-16078", "CVE-2017-16051", "CVE-2017-16076", "CVE-2017-16064", "CVE-2017-16059", "CVE-2017-16080", "CVE-2017-16071", "CVE-2017-16074", "CVE-2017-16204", "CVE-2017-16073", "CVE-2017-16065", "CVE-2017-16045", "CVE-2017-16062", "CVE-2017-16206", "CVE-2017-16205", "CVE-2017-16202", "CVE-2017-16058", "CVE-2017-16056", "CVE-2017-16049", "CVE-2017-16057", "CVE-2017-16066", "CVE-2017-16070", "CVE-2017-16068", "CVE-2017-16207", "CVE-2017-16060", "CVE-2017-16081", "CVE-2017-16063", "CVE-2017-16046", "CVE-2017-16067", "CVE-2017-16055", "CVE-2017-16052", "CVE-2017-16047", "CVE-2017-16203", "CVE-2017-16072", "CVE-2017-16044", "CVE-2017-16077", "CVE-2017-16053", "CVE-2017-16048", "CVE-2017-16075", "CVE-2017-16050", "CVE-2017-16069", "CVE-2017-16061"], "description": "Several npm packages were of malicious nature. npm has since removed them from their registry,\n but the packages could still be installed on a host.", "modified": "2020-04-28T00:00:00", "published": "2018-06-12T00:00:00", "id": "OPENVAS:1361412562310113208", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113208", "type": "openvas", "title": "Malicious npm package detection", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from the referenced\n# advisories, and are Copyright (C) by the respective right holder(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113208\");\n script_version(\"2020-04-28T10:39:00+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-28 10:39:00 +0000 (Tue, 28 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-06-12 13:13:13 +0200 (Tue, 12 Jun 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2017-16044\", \"CVE-2017-16045\", \"CVE-2017-16046\", \"CVE-2017-16047\", \"CVE-2017-16048\",\n \"CVE-2017-16049\", \"CVE-2017-16050\", \"CVE-2017-16051\", \"CVE-2017-16052\", \"CVE-2017-16053\",\n \"CVE-2017-16054\", \"CVE-2017-16055\", \"CVE-2017-16056\", \"CVE-2017-16057\", \"CVE-2017-16058\",\n \"CVE-2017-16059\", \"CVE-2017-16060\", \"CVE-2017-16061\", \"CVE-2017-16062\", \"CVE-2017-16063\",\n \"CVE-2017-16064\", \"CVE-2017-16065\", \"CVE-2017-16066\", \"CVE-2017-16067\", \"CVE-2017-16068\",\n \"CVE-2017-16069\", \"CVE-2017-16070\", \"CVE-2017-16071\", \"CVE-2017-16072\", \"CVE-2017-16073\",\n \"CVE-2017-16074\", \"CVE-2017-16075\", \"CVE-2017-16076\", \"CVE-2017-16077\", \"CVE-2017-16078\",\n \"CVE-2017-16079\", \"CVE-2017-16080\", \"CVE-2017-16081\", \"CVE-2017-16202\", \"CVE-2017-16203\",\n \"CVE-2017-16204\", \"CVE-2017-16205\", \"CVE-2017-16206\", \"CVE-2017-16207\");\n script_name(\"Malicious npm package detection\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_npm_packages_detect_ssh.nasl\");\n script_mandatory_keys(\"ssh/login/npm_packages/detected\");\n\n script_tag(name:\"summary\", value:\"Several npm packages were of 
malicious nature. npm has since removed them from their registry,\n but the packages could still be installed on a host.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a malicious npm package is present on the target host.\");\n\n script_tag(name:\"impact\", value:\"The packages mostly extract information from environment variables,\n while some create a remote shell or a command-and-control infrastructure, completely comprising the target host.\");\n\n script_tag(name:\"affected\", value:\"The following packages are affected:\n\n - npm-script-demo\n\n - pandora-doomsday\n\n - botbait\n\n - d3.js\n\n - jquery.js\n\n - mariadb\n\n - mysqljs\n\n - node-sqlite\n\n - nodesqlite\n\n - sqlite.js\n\n - sqliter\n\n - node-fabric\n\n - fabric-js\n\n - nodefabric\n\n - sqlserver\n\n - mssql.js\n\n - nodemssql\n\n - gruntcli\n\n - mssql-node\n\n - babelcli\n\n - tkinter\n\n - node-tkinter\n\n - node-opensl\n\n - node-openssl\n\n - openssl.js\n\n - opencv.js\n\n - node-opencv\n\n - ffmepg\n\n - nodeffmpeg\n\n - nodecaffe\n\n - nodemailer-js\n\n - nodemailer.js\n\n - noderequest\n\n - crossenv\n\n - http-proxy.js\n\n - proxy.js\n\n - mongose\n\n - shadowsock\n\n - smb\n\n - nodesass\n\n - cross-env.js\n\n - cofee-script, cofeescript, coffescript, coffe-script\n\n - jquey\n\n - discordi.js\n\n - hooka-tools\n\n - getcookies\n\n - nothing-js\n\n - ladder-text-js\n\n - boogeyman\n\n - flatmap-stream\");\n\n script_tag(name:\"solution\", value:\"- Delete the package\n\n - Clear your npm cache\n\n - Ensure it is not present in any other package.json files on your system\n\n - Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables.\");\n\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/480\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/481\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/482\");\n script_xref(name:\"URL\", 
value:\"https://www.npmjs.com/advisories/483\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/484\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/485\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/486\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/487\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/488\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/489\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/490\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/491\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/492\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/493\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/494\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/495\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/496\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/497\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/498\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/499\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/500\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/501\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/502\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/503\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/504\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/505\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/506\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/507\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/508\");\n 
script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/509\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/510\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/511\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/512\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/513\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/514\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/515\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/516\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/517\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/518\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/519\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/520\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/540\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/541\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/542\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/543\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/544\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/545\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/549\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/649\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/650\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/651\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/677\");\n script_xref(name:\"URL\", value:\"https://www.npmjs.com/advisories/737\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n exit(0);\n}\n\nif( ! 
locations = get_kb_list( \"ssh/login/npm_packages/locations\" ) )\n exit( 0 );\n\nnpms = \"\";\n\nforeach location( locations ) {\n if( ! buf = get_kb_item( \"ssh/login/npm_packages\" + location ) )\n continue;\n if( npms == \"\" )\n npms = buf;\n else\n npms += '\\n' + buf;\n npms += \" (Location: \" + location + \")\";\n}\n\nif( npms == \"\" )\n exit( 0 );\n\n# TODO: Update to allow specifying a version regex, some of the advisories are\n# mentioning just some specific versions\nmalicious_packages = make_list( 'd3.js', 'jquery.js', 'mariadb', 'mysqljs', 'node-sqlite',\n 'nodesqlite', 'sqlite.js', 'sqliter', 'node-fabric', 'fabric-js',\n 'nodefabric', 'sqlserver', 'mssql.js', 'nodemssql', 'gruntcli',\n 'mssql-node', 'babelcli', 'tkinter', 'node-tkinter', 'node-opensl',\n 'node-openssl', 'openssl.js', 'opencv.js', 'node-opencv', 'ffmpeg',\n 'nodeffmpeg', 'nodecaffe', 'nodemailer-js', 'nodemailer.js', 'noderequest',\n 'crossenv', 'http-proxy.js', 'proxy.js', 'mongose', 'shadowsock',\n 'smb', 'nodesass', 'cross-env.js', 'cofee-script', 'cofeescript',\n 'coffescript', 'coffe-script', 'jquey', 'discordi.js', 'npm-script-demo',\n 'pandora-doomsday', 'botbait', 'hooka-tools', 'getcookies', 'nothing-js',\n 'ladder-text-js', 'boogeyman', 'flatmap-stream' );\n\nvuln_text = NULL; # nb: To make openvas-nasl-lint happy...\n\nforeach pkg( malicious_packages ) {\n _pkg = str_replace( find:\".\", string:pkg, replace:\"\\.\" );\n matches = eregmatch( pattern:' (' + _pkg + ')@[0-9.]+.*( \\\\(Location: [^)]+\\\\))', string:npms );\n if( ! isnull( matches[1] ) ) {\n if( isnull( vuln_text ) ) {\n vuln_text = ' - ' + pkg;\n } else {\n vuln_text += '\\n - ' + pkg;\n }\n vuln_text += matches[2];\n }\n}\n\nif( vuln_text ) {\n report = 'The following malicious packages were found on the target host:\\n\\n' + vuln_text;\n security_message( data:report, port:0 );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}