CWE-506
Allowed-with-ReviewEmbedded Malicious Code
Abstraction: Class · Status: Incomplete
The product contains code that appears to be malicious in nature.
525 vulnerabilities reference this CWE, most recent first.
GHSA-F72H-WF57-7XWH
Vulnerability from github – Published: 2020-09-03 21:58 – Updated: 2021-09-29 21:04Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.
Recommendation
Remove the package from your environment. Ensure no Ethereum funds were compromised.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "buffer-xo2"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:52:17Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.\n\n\n## Recommendation\n\nRemove the package from your environment. Ensure no Ethereum funds were compromised.",
"id": "GHSA-f72h-wf57-7xwh",
"modified": "2021-09-29T21:04:48Z",
"published": "2020-09-03T21:58:34Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1248"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in buffer-xo2"
}
GHSA-F7G4-FM4C-54M9
Vulnerability from github – Published: 2020-09-03 21:06 – Updated: 2021-09-29 20:45Version 2.0.2 of yoeman-generator contains malicious code as a preinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed, the package downloads a file from a remote server, executes it and opens a backdoor.
Recommendation
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "yeoman-genrator"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:50:49Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Version 2.0.2 of `yoeman-generator` contains malicious code as a preinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed, the package downloads a file from a remote server, executes it and opens a backdoor.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
"id": "GHSA-f7g4-fm4c-54m9",
"modified": "2021-09-29T20:45:57Z",
"published": "2020-09-03T21:06:31Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1198"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in yeoman-genrator"
}
GHSA-F7GC-6HCJ-WC42
Vulnerability from github – Published: 2020-09-03 17:05 – Updated: 2021-10-01 21:03All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.
Recommendation
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "path-to-regxep"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:57:58Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
"id": "GHSA-f7gc-6hcj-wc42",
"modified": "2021-10-01T21:03:55Z",
"published": "2020-09-03T17:05:06Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1401"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in path-to-regxep"
}
GHSA-F8JJ-45FJ-44R6
Vulnerability from github – Published: 2020-09-03 23:05 – Updated: 2021-09-30 17:13Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.
Recommendation
Remove the package from your environment. Ensure no Ethereum funds were compromised.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "js-she3"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:53:51Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.\n\n\n## Recommendation\n\nRemove the package from your environment. Ensure no Ethereum funds were compromised.",
"id": "GHSA-f8jj-45fj-44r6",
"modified": "2021-09-30T17:13:39Z",
"published": "2020-09-03T23:05:43Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1287"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in js-she3"
}
GHSA-F8Q5-H5QH-33MH
Vulnerability from github – Published: 2026-03-11 22:18 – Updated: 2026-03-11 22:18Description
On March 3, 2026, an attacker with access to compromised credentials created a series of pull requests (#46, #47, #48) injecting obfuscated shell code into action.yml. The PRs were blocked by branch protection rules and never merged into the main branch.
However, the attacker used the compromised GitHub App credentials to move the mutable v5 tag to point at the malicious commit (4bf1d4e19ad81a3e8d4063755ae0f482dd3baf12) from one of the unmerged PRs. This commit remained in the repository's git object store, and any workflow referencing @v5 would fetch and execute it.
The malicious code, disguised as a "scanner version telemetry" step, operates as follows:
- Registers the CI runner with a C2 server at
91.214.78.178(viasecurity-verify.91.214.78.178.nip.io), transmitting hostname, username, and OS version. - Polls the C2 server every 2–7 seconds for 180 seconds, receiving and executing arbitrary shell commands via
eval. - Compresses and base64-encodes command output before exfiltrating it back to the C2 server.
The implant runs silently in the background alongside the legitimate scan, suppresses all errors, skips TLS certificate verification, and uses randomized polling intervals to evade detection.
Impact
This is a supply chain compromise via tag poisoning. Any GitHub Actions workflow referencing xygeni/xygeni-action@v5 during the affected window (approximately March 3–10, 2026) executed a C2 implant that granted the attacker arbitrary command execution on the CI runner for up to 180 seconds per workflow run.
The severity is set to Critical based on the potential impact. However, several factors reduce the realized risk: the v5 tag was primarily referenced by Xygeni-owned and Xygeni-affiliated repositories; no external public repositories were found using the compromised tag (though usage in private repositories cannot be ruled out); the exposure window was approximately 6 days; and no confirmed exploitation of downstream users has been established to date.
Patches
The compromised v5 tag has been removed from the repository. Users should update their workflows to pin to the verified safe commit SHA corresponding to v6.4.0:
uses: xygeni/xygeni-action@13c6ed2797df7d85749864e2cbcf09c893f43b23 # v6.4.0
Workflows still referencing @v5 will fail with a reference not found error, as the tag no longer exists.
If your workflows ran with @v5 during the affected window, you should also:
- Rotate all secrets that were available to the CI runner (repository secrets, environment secrets, deploy keys, cloud provider tokens).
- Audit CI logs for outbound connections to
91.214.78.178or DNS lookups forsecurity-verify.91.214.78.178.nip.io. - Review recent releases and published artifacts for signs of tampering.
Workarounds
As an alternative to using the GitHub Action, you may install and run the Xygeni scanner directly via the CLI installation method documented at https://docs.xygeni.io/xygeni-scanner-cli/xygeni-cli-overview/xygeni-cli-installation. This bypasses the GitHub Action entirely and is not affected by this incident.
References
- GitHub issue: https://github.com/xygeni/xygeni-action/issues/54
- Xygeni incident blog post: (URL to be added upon publication)
{
"affected": [
{
"package": {
"ecosystem": "GitHub Actions",
"name": "xygeni/xygeni-action"
},
"ranges": [
{
"events": [
{
"introduced": "5"
},
{
"fixed": "6.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-31976"
],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-11T22:18:44Z",
"nvd_published_at": "2026-03-11T20:16:17Z",
"severity": "CRITICAL"
},
"details": "### Description\n\nOn March 3, 2026, an attacker with access to compromised credentials created a series of pull requests (#46, #47, #48) injecting obfuscated shell code into `action.yml`. The PRs were blocked by branch protection rules and never merged into the main branch.\n\nHowever, the attacker used the compromised GitHub App credentials to move the mutable `v5` tag to point at the malicious commit (`4bf1d4e19ad81a3e8d4063755ae0f482dd3baf12`) from one of the unmerged PRs. This commit remained in the repository\u0027s git object store, and any workflow referencing `@v5` would fetch and execute it.\n\nThe malicious code, disguised as a \"scanner version telemetry\" step, operates as follows:\n\n1. Registers the CI runner with a C2 server at `91.214.78.178` (via `security-verify.91.214.78.178.nip.io`), transmitting hostname, username, and OS version.\n2. Polls the C2 server every 2\u20137 seconds for 180 seconds, receiving and executing arbitrary shell commands via `eval`.\n3. Compresses and base64-encodes command output before exfiltrating it back to the C2 server.\n\nThe implant runs silently in the background alongside the legitimate scan, suppresses all errors, skips TLS certificate verification, and uses randomized polling intervals to evade detection.\n\n### Impact\n\nThis is a supply chain compromise via tag poisoning. Any GitHub Actions workflow referencing `xygeni/xygeni-action@v5` during the affected window (approximately March 3\u201310, 2026) executed a C2 implant that granted the attacker arbitrary command execution on the CI runner for up to 180 seconds per workflow run.\n\nThe severity is set to Critical based on the potential impact. However, several factors reduce the realized risk: the `v5` tag was primarily referenced by Xygeni-owned and Xygeni-affiliated repositories; no external public repositories were found using the compromised tag (though usage in private repositories cannot be ruled out); the exposure window was approximately 6 days; and no confirmed exploitation of downstream users has been established to date.\n\n### Patches\n\nThe compromised `v5` tag has been removed from the repository. Users should update their workflows to pin to the verified safe commit SHA corresponding to v6.4.0:\n\n```yaml\nuses: xygeni/xygeni-action@13c6ed2797df7d85749864e2cbcf09c893f43b23 # v6.4.0\n```\n\nWorkflows still referencing `@v5` will fail with a reference not found error, as the tag no longer exists.\n\nIf your workflows ran with `@v5` during the affected window, you should also:\n\n- Rotate all secrets that were available to the CI runner (repository secrets, environment secrets, deploy keys, cloud provider tokens).\n- Audit CI logs for outbound connections to `91.214.78.178` or DNS lookups for `security-verify.91.214.78.178.nip.io`.\n- Review recent releases and published artifacts for signs of tampering.\n\n\n### Workarounds\n\nAs an alternative to using the GitHub Action, you may install and run the Xygeni scanner directly via the CLI installation method documented at https://docs.xygeni.io/xygeni-scanner-cli/xygeni-cli-overview/xygeni-cli-installation. This bypasses the GitHub Action entirely and is not affected by this incident.\n\n### References\n\n- GitHub issue: https://github.com/xygeni/xygeni-action/issues/54\n- Xygeni incident blog post: (URL to be added upon publication)",
"id": "GHSA-f8q5-h5qh-33mh",
"modified": "2026-03-11T22:18:44Z",
"published": "2026-03-11T22:18:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xygeni/xygeni-action/security/advisories/GHSA-f8q5-h5qh-33mh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31976"
},
{
"type": "WEB",
"url": "https://github.com/xygeni/xygeni-action/issues/54"
},
{
"type": "PACKAGE",
"url": "https://github.com/xygeni/xygeni-action"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "xygeni-action v5 tag poisoned with C2 backdoor"
}
GHSA-F8VF-6HWG-HW55
Vulnerability from github – Published: 2020-09-04 15:38 – Updated: 2021-10-01 20:38All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.
Recommendation
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "bictore-lib"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:56:16Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
"id": "GHSA-f8vf-6hwg-hw55",
"modified": "2021-10-01T20:38:33Z",
"published": "2020-09-04T15:38:21Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1357"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in bictore-lib"
}
GHSA-FF6G-GM92-RF32
Vulnerability from github – Published: 2020-09-03 19:42 – Updated: 2021-10-01 20:58All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.
Recommendation
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "coinstirng"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:57:16Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
"id": "GHSA-ff6g-gm92-rf32",
"modified": "2021-10-01T20:58:19Z",
"published": "2020-09-03T19:42:06Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1383"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in coinstirng"
}
GHSA-FGP6-8G62-QX6W
Vulnerability from github – Published: 2020-09-03 17:01 – Updated: 2021-09-30 21:58All versions of smartsearchwp contain malicious code. The package is malware intended to steal credentials from websites it is loaded in. It traverses DOM elements looking for fields such as username and password and uploads it to a remote server. The package also port-scans the local gateway and uploads the information to the remote server. It has a feature to fetch commands from the remote server and execute them with eval. The npm security team analysis found several bugs in the malware that prevent it from actually performing its actions. The malicious code is also not invoked upon installation or require; it would require transpiling TypeScript code and using it in a website.
Recommendation
Remove the package from your environment. There is no indication of further compromise.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "smartsearchwp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:44:01Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "All versions of `smartsearchwp` contain malicious code. The package is malware intended to steal credentials from websites it is loaded in. It traverses DOM elements looking for fields such as `username` and `password` and uploads it to a remote server. The package also port-scans the local gateway and uploads the information to the remote server. It has a feature to fetch commands from the remote server and execute them with `eval`. The npm security team analysis found several bugs in the malware that prevent it from actually performing its actions. The malicious code is also not invoked upon installation or require; it would require transpiling TypeScript code and using it in a website.\n\n\n\n## Recommendation\n\nRemove the package from your environment. There is no indication of further compromise.",
"id": "GHSA-fgp6-8g62-qx6w",
"modified": "2021-09-30T21:58:23Z",
"published": "2020-09-03T17:01:45Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1011"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in smartsearchwp"
}
GHSA-FM7R-2PR7-RW2P
Vulnerability from github – Published: 2020-09-02 21:45 – Updated: 2021-09-30 21:57Version 3.1.1 of yeoman-genrator contains malicious code as a preinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed, the package downloads a file from a remote server, executes it and opens a backdoor.
Recommendation
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "yeoman-genrator"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:40:18Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Version 3.1.1 of `yeoman-genrator` contains malicious code as a preinstall script. The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When installed, the package downloads a file from a remote server, executes it and opens a backdoor.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
"id": "GHSA-fm7r-2pr7-rw2p",
"modified": "2021-09-30T21:57:05Z",
"published": "2020-09-02T21:45:02Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/912"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in yeoman-genrator"
}
GHSA-FPF2-PR3J-4CM3
Vulnerability from github – Published: 2020-09-03 17:06 – Updated: 2021-10-01 21:01All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.
Recommendation
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ecruve"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:57:43Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
"id": "GHSA-fpf2-pr3j-4cm3",
"modified": "2021-10-01T21:01:31Z",
"published": "2020-09-03T17:06:06Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1395"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in ecruve"
}
Mitigation
Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.
CAPEC-442: Infected Software
An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.
CAPEC-448: Embed Virus into DLL
An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.
CAPEC-636: Hiding Malicious Data or Code within Files
Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.