Malicious Package
Overview This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server. Recommendation Remove the package from your environment. There are no indications of further compromise. References GitHub Advisory...
Malicious Package
Overview Version 1.2.6 of sailclothjs contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment. It's als...
Sandbox Breakout / Arbitrary Code Execution
Overview Versions of notevil prior to 1.3.2 are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to prevent access to the Function constructor by not checking the return values of function calls. This allows attackers to access the Function prototype's constructor...
Cross-Site Scripting
Overview Versions of dmn-js-properties-panel prior to 0.8.0 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize input in specially configured diagrams, which may allow attackers to inject arbitrary JavaScript in the embedding website. Recommendation Upgrade to version 0.3.0 ...
Path Traversal
Overview All versions of http-file-server are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths. Recommendation No fix is currently available. Consider using an alternative package until a...
Malicious Package
Overview All versions of nodes.js contain malicious code. The package searches and installs globally thousands of packages based on keywords node, react, react-native, vue, angular and babel to fill the system's memory. Recommendation Remove the package from your environment and validate what...
Malicious Package
Overview All versions of tiar contain malicious code. The package uploads system information to a remote server, downloads a file and executes it. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that...
Reverse Tabnabbing
Overview Versions of quill prior to 1.3.7 are vulnerable to Reverse Tabnabbing. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page when opening links. This is commonly used for phishing attacks. Recommendation No fix is currently...
Cross-Site Scripting
Overview Versions of @ionic/core prior to 4.0.3, 4.1.3, 4.2.1 or 4.3.1 are vulnerable to Cross-Site Scripting XSS. The package uses the unsafe innerHTML function without sanitizing input, which may allow attackers to execute arbitrary JavaScript on the victim's browser. This issue affects the...
SQL Injection
Overview All versions of untitled-model are vulnerable to SQL Injection. Query parameters are not properly sanitized allowing attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation No fix is currently available. Consider using an alternative package until a fix is mad...
Cross-Site Scripting
Overview Versions of swagger-ui prior to 3.0.13 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize YAML files imported from URLs or copied-pasted. This may allow attackers to execute arbitrary JavaScript. Recommendation Upgrade to version 3.0.13 or later. References - GitHu...
Command Injection
Overview Versions of kill-port prior to 1.3.2 are vulnerable to Command Injection. The package does not validate user input on the kill function. This may allow attackers to run arbitrary commands in the system if user input such as the port number is passed directly to the function. Recommendati...
Malicious Package
Overview Version 1.1.8 of pm-controls contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment and...
Malicious Package
Overview Version 0.1.2 of vue-backbone contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment and...
Malicious Package
Overview Version 1.2.2 of font-scrubber contains malicious code as a postinstall script. The package attempts to upload sensitive files from the system to a remote server. The files include configuration files, command history logs, SSH keys and /etc/passwd. Recommendation Any computer that has...
Malicious Package
Overview Version 0.0.3 of angluar-cli contains malicious code as a postinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed the package attempts to remove files and stop processes related to McAfee...
Malicious Package
Overview Version 3.3.1 of jqeury contains malicious code as a preinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed, the package downloads a file from a remote server, executes it and opens a...
Malicious Package
Overview All versions of whiteproject contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation Remove the package from your environment...
Cross-Site Scripting
Overview Versions of google-closure-library prior to 20190301.0.0 are vulnerable to Cross-Site Scripting. The safedomtreeprocessor.processToString function improperly processed empty elements, which could allow attackers to execute arbitrary JavaScript through Mutation Cross-Site Scripting...
Malicious Package
Overview All versions of rqeuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of reques typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Malicious Package
Overview All versions of calk typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the...
Arbitrary File Overwrite
Overview Versions of tar prior to 4.4.2 for 4.x and 2.2.2 for 2.x are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the...
NoSQL Injection
Overview Versions of loopback-connector-mongodb prior to 3.6.0 are vulnerable to NoSQL Injection. Filters passed to the database query are not properly sanitized which leads to execution of code on the database driver and data leak. Recommendation Upgrade to version 3.6.0 or later. References -...
Malicious Package
Overview All versions of rrgod are considered malicious. The package is malware designed to run arbitrary scripts. When installed, the package downloads an arbitrary file and executes its contents as a pre, post and install scripts. Recommendation This package is not available on the npm Registry...
Sandbox Breakout / Arbitrary Code Execution
Overview Versions of static-eval prior to 2.0.2 pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package. Proof of concept var evaluate = require('static-eval'); var parse =...
Path Traversal
Overview Versions of cordova-plugin-ionic-webview prior to 2.2.0 are vulnerable to Path Traversal, allowing attackers access to OS local files that should be inaccessible by third-party applications. The package launches a webserver listening on http://localhost:8080 without restricting access of...
Path Traversal
Overview All versions of knightjs are vulnerable to Path Traversal. This vulnerability allows an attacker to read content of arbitrary files on the server due to lack of input validation. Recommendation As there is currently no fix for this module we recommend not using this module in production...
Command Injection
Overview Versions of ascii-art before 1.4.4 are vulnerable to command injection. This is exploitable when user input is passed into the argument of the ascii-art preview command. Example Proof of concept: ascii-art preview 'doom"; touch /tmp/malicious; echo "' Given that the input is passed on th...
Prototype Pollution
Overview All versions of merge-objects are vulnerable to Prototype Pollution. Recommendation No fix is available for this vulnerability at this time. It is our recommendation to use an alternative package. References - HackerOne Report - GitHub Advisory...
Malicious Package
Overview Version 1.0.14 of nginxbeautifier contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 1.0.14 of this module is found...
Malicious Package
Overview Version 1.1.7 of impala contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 1.1.7 of this module is found installed you...
Malicious Package
Overview Version 1.0.2 of csstransformsupport contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 1.0.2 of this module is found...
Malicious Package
Overview Version 4.1.48 of another-date-range-picker contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation If version 4.1.48 of this module is...
Remote Memory Exposure
Overview Versions of mongoose before 4.3.6, 3.8.39 are vulnerable to remote memory exposure. Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database. Recommendation Update to version 4.3.6, 3.8.39 ...
Memory Exposure
Overview Versions of bl before 0.9.5 and 1.0.1 are vulnerable to memory exposure. bl.append(number) in the affected bl versions passes a number to the Buffer constructor, appending a chunk of uninitialized memory. Recommendation Update to version 0.9.5, 1.0.1 or later. References - GitHub PR 22 - GitHub...
Malicious Package
Overview All versions of nagibabel contained malicious code. The package ran rm -rf on the current working directory. Recommendation Remove the package from your environment...
Malicious Package
Overview fallguys contained malicious code that attempted to read local sensitive files and exfiltrate information through a Discord webhook. The code attempted to access the following paths available on Windows systems: - /AppData/Local/Google/Chrome/User\x20Data/Default/Local\x20Storage/leveldb...
Information Exposure
Overview Versions of apollo-server-lambda prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the Websocket. This leaks the GraphQL schema types, their relatio...
Information Exposure
Overview Versions of apollo-server-cloud-functions prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the Websocket. This leaks the GraphQL schema types, thei...
Prototype Pollution
Overview Versions of @hapi/subtext prior to 6.1.3 or 7.0.3 are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts’ content can be set as the entire payload object’s prototype. If this prototype contains data, it may bypass other validation rul...
Denial of Service
Overview Versions of subtext <=4.1.0 are vulnerable to Denial of Service. The Content-Encoding HTTP header parser has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. Because hapi rethrows system errors as opposed to catching expecte...
Insufficient Entropy
Overview All versions of parsel use an insecure key derivation function. The package runs keys of arbitrary lengths through one round of SHA256 hashing for key stretching. This allows for the use of keys of insufficient entropy with inappropriate key stretching. Recommendation The package is...
Hardcoded Initialization Vector
Overview All versions of parsel have a default hardcoded initialization vector. In cases where the IV is not provided, the package defaults to a hardcoded IV which renders the cipher vulnerable to chosen plaintext attacks. Recommendation The package is deprecated and will not be updated. Consider...
Command Injection
Overview All versions of meta-git are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to an exec call, which may allow attackers to execute arbitrary code in the system. The clone command is vulnerable through the branch name. Recommendation No fix is...
Symlink reference outside of node_modules
Overview Versions of bin-links prior to 1.1.5 are vulnerable to a Symlink reference outside of node_modules. It is possible to create symlinks to files outside of the node_modules folder through the bin field. This may allow attackers to access unauthorized files. Recommendation Upgrade to version...
Malicious Package
Overview All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets. Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...