GHSA-9hc2-w9gg-q6jw

Published: 01 Sep 2020
Source: github
Github: Reviewed
CVSS3: 9.8

Description

Malicious Package in boogeyman

All versions of boogeyman are considered malicious. This particular package would download a payload from pastebin.com, eval it to read SSH keys and the user's .npmrc, and send them to a private pastebin account.

Recommendation

This package was published to the npm Registry for a very short period of time. If you happen to find it in your environment, you should revoke and rotate your SSH keys and your npm token.

Packages

Name: boogeyman
Ecosystem: npm
Affected versions: >= 0.0.0
Fixed version: None

CVSS3: 9.8 Critical

Weaknesses: CWE-506
