CWE-506
Allowed-with-ReviewEmbedded Malicious Code
Abstraction: Class · Status: Incomplete
The product contains code that appears to be malicious in nature.
525 vulnerabilities reference this CWE, most recent first.
GHSA-VP8G-53FW-R9F2
Vulnerability from github – Published: 2020-09-01 19:54 – Updated: 2021-09-24 17:28Version 0.0.3 of dynamo-schema contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl=
Recommendation
If version 0.0.3 of this module is found installed you will want to replace it with a version before or after 0.0.3. In addition to replacing the installed module, you will also want to evaluate your application to determine whether or not user data was compromised.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "dynamo-schema"
},
"versions": [
"0.0.3"
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:30:24Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Version 0.0.3 of `dynamo-schema` contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to `https://js-metrics.com/minjs.php?pl=`\n\n\n\n## Recommendation\n\nIf version 0.0.3 of this module is found installed you will want to replace it with a version before or after 0.0.3. In addition to replacing the installed module, you will also want to evaluate your application to determine whether or not user data was compromised.",
"id": "GHSA-vp8g-53fw-r9f2",
"modified": "2021-09-24T17:28:16Z",
"published": "2020-09-01T19:54:44Z",
"references": [
{
"type": "PACKAGE",
"url": "https://github.com/andrewjstone/dynamo-schema"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-DYNAMOSCHEMA-450992"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/626"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in dynamo-schema"
}
GHSA-VRXJ-4QHW-5VWQ
Vulnerability from github – Published: 2020-09-03 17:03 – Updated: 2021-10-04 14:29All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.
Recommendation
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "scryptys"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:58:12Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
"id": "GHSA-vrxj-4qhw-5vwq",
"modified": "2021-10-04T14:29:03Z",
"published": "2020-09-03T17:03:41Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1407"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in scryptys"
}
GHSA-VV52-3MRP-455M
Vulnerability from github – Published: 2020-09-03 15:53 – Updated: 2020-08-31 19:01All versions of m-backdoor contain malicious code. The package downloads a file from a remote server and executes it as a preinstall script. At the time of the release of this advisory the downloaded file only defaces websites by removing elements randomly from the DOM.
Recommendation
Remove the package from your system.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "m-backdoor"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T19:01:56Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "All versions of `m-backdoor` contain malicious code. The package downloads a file from a remote server and executes it as a preinstall script. At the time of the release of this advisory the downloaded file only defaces websites by removing elements randomly from the DOM. \n\n\n## Recommendation\n\nRemove the package from your system.",
"id": "GHSA-vv52-3mrp-455m",
"modified": "2020-08-31T19:01:56Z",
"published": "2020-09-03T15:53:36Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1513"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Malicious Package in m-backdoor"
}
GHSA-VV6Q-9CFW-4C83
Vulnerability from github – Published: 2018-08-29 23:20 – Updated: 2023-09-12 18:30The smb package is a piece of malware that steals environment variables and sends them to attacker controlled locations.
All versions have been unpublished from the npm registry.
Recommendation
As this package is malware, if you find it installed in your environment, the real security concern is determining how it got there.
If you have found this installed in your environment, you should: 1. Delete the package 2. Clear your npm cache 3. Ensure it is not present in any other package.json files on your system 4. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables.
Additionally, any service which may have been exposed via credentials in your environment variables, such as a database, should be reviewed for indicators of compromise as well.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "smb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-16079"
],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:58:24Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The `smb` package is a piece of malware that steals environment variables and sends them to attacker controlled locations. \n\nAll versions have been unpublished from the npm registry.\n\n\n## Recommendation\n\nAs this package is malware, if you find it installed in your environment, the real security concern is determining how it got there. \n\nIf you have found this installed in your environment, you should:\n1. Delete the package\n2. Clear your npm cache\n3. Ensure it is not present in any other package.json files on your system\n4. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables. \n\nAdditionally, any service which may have been exposed via credentials in your environment variables, such as a database, should be reviewed for indicators of compromise as well.",
"id": "GHSA-vv6q-9cfw-4c83",
"modified": "2023-09-12T18:30:03Z",
"published": "2018-08-29T23:20:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16079"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-vv6q-9cfw-4c83"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/518"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "smb is malware"
}
GHSA-VV7G-PJW9-4QJ9
Vulnerability from github – Published: 2020-09-03 17:03 – Updated: 2021-10-04 15:24All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.
Recommendation
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "scrytsy"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:58:14Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
"id": "GHSA-vv7g-pjw9-4qj9",
"modified": "2021-10-04T15:24:14Z",
"published": "2020-09-03T17:03:56Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1408"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in scrytsy"
}
GHSA-VVFH-MVJV-W38Q
Vulnerability from github – Published: 2020-09-04 15:28 – Updated: 2021-10-01 20:17All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.
Recommendation
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "babel-loadre"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:55:57Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
"id": "GHSA-vvfh-mvjv-w38q",
"modified": "2021-10-01T20:17:42Z",
"published": "2020-09-04T15:28:19Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1349"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in babel-loadre"
}
GHSA-VWVP-P3CC-RRJ2
Vulnerability from github – Published: 2025-10-09 00:31 – Updated: 2025-10-09 00:31Web Developer for Chrome v0.4.9 contained malicious code that generated a domain via a DGA and fetched a remote script. The fetched script conditionally loaded follow-on modules that performed extensive ad substitution and malvertising, displayed fake “repair” alerts that redirected users to affiliate programs, and attempted to harvest credentials when users logged in. Injected components enumerate common banner sizes for substitution, replace third-party ad calls, and redirect victim traffic to affiliate landing pages. Potential impacts include user-level code execution in the browser context, large-scale ad fraud and traffic hijacking, credential theft, and exposure to additional payloads delivered by the actor. The compromise was reported on by the maintainer of Web Developer for Chrome on August 2, 2017 and remediated in v0.5.0.
{
"affected": [],
"aliases": [
"CVE-2017-20202"
],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-08T22:15:31Z",
"severity": "CRITICAL"
},
"details": "Web Developer for Chrome v0.4.9 contained malicious code that generated a domain via a DGA and fetched a remote script. The fetched script conditionally loaded follow-on modules that performed extensive ad substitution and malvertising, displayed fake \u201crepair\u201d alerts that redirected users to affiliate programs, and attempted to harvest credentials when users logged in. Injected components enumerate common banner sizes for substitution, replace third-party ad calls, and redirect victim traffic to affiliate landing pages. Potential impacts include\u00a0user-level code execution in the browser context, large-scale ad fraud and traffic hijacking, credential theft, and exposure to additional payloads delivered by the actor.\u00a0The compromise was reported on by the maintainer of Web Developer for Chrome on August 2, 2017 and remediated in v0.5.0.",
"id": "GHSA-vwvp-p3cc-rrj2",
"modified": "2025-10-09T00:31:06Z",
"published": "2025-10-09T00:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20202"
},
{
"type": "WEB",
"url": "https://chromewebstore.google.com/detail/web-developer/bfbameneiokkgbdmiekhjnmfkcnldhhm?pli=1"
},
{
"type": "WEB",
"url": "https://gist.github.com/piedpiperRichard/076516da60f45842f1a6e6ae35a9a240"
},
{
"type": "WEB",
"url": "https://ui.vision/blog/chrome-extension-adware"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20170803163618/https://chrispederick.com/blog/web-developer-for-chrome-compromised"
},
{
"type": "WEB",
"url": "https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/web-developer-for-chrome-malicious-backdoor-supply-chain-compromise"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VXFP-QMPQ-6826
Vulnerability from github – Published: 2020-09-03 17:38 – Updated: 2021-09-30 19:46All versions of hpmm contain malicious code. The package uploads system information to a remote server, downloads a file and executes it.
Recommendation
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "hpmm"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:45:36Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "All versions of `hpmm` contain malicious code. The package uploads system information to a remote server, downloads a file and executes it.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
"id": "GHSA-vxfp-qmpq-6826",
"modified": "2021-09-30T19:46:35Z",
"published": "2020-09-03T17:38:09Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1053"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in hpmm"
}
GHSA-W37P-236H-PFX3
Vulnerability from github – Published: 2026-05-07 00:52 – Updated: 2026-06-08 23:12Security Advisory: Compromise of PyTorch Lightning PyPI Package Versions
Published: 2026-04-30
Last Updated: 2026-05-12
Github Advisory: CVE-2026-44484
We have identified a security incident affecting certain versions of one of our PyPI packages.
What happened
We have determined that one or more released versions of this package have been compromised and include malicious code.
Our current investigation indicates that the affected versions have introduced functionality consistent with a credential harvesting mechanism. We are still actively analysing the scope and behaviour of the code.
At this stage, the root cause of the compromise is still under investigation.
What versions are affected
We are currently working to confirm the exact set of impacted versions.
We have determined the following versions as affected and ask that you delete them from your systems:
2.6.22.6.3
We will update this advisory if the versions impacted by this vulnerability change.
What you should do immediately
If you have installed or are running any potentially affected versions:
- Assume the environment may be compromised
- Immediately rotate all credentials and secrets that may have been exposed, including:
- API keys
- Access tokens
- SSH keys
- Service account credentials
- Rebuild affected systems from a known clean state
- Pin PyTorch Lightning to version
2.6.1 - Review logs for any suspicious or unauthorised activity
Actions we have taken
- Quarantined malicious versions from PyPI
- Recommend using version
2.6.1: https://github.com/Lightning-AI/pytorch-lightning/releases/tag/2.6.1 - Revoked and rotated all internal credentials associated with our release process
- Initiated a full investigation into the compromise
Ongoing investigation
We are actively working to:
- Identify the exact mechanism of compromise
- Confirm the full set of affected versions
- Determine the behaviour and impact of the malicious code
- Assess any downstream impact to users
We will provide updates as soon as more information becomes available.
Commitment to transparency
We take the security of our users and the integrity of our software supply chain extremely seriously.
We will continue to share timely and accurate updates as our investigation progresses.
Contact
If you have questions or believe you may be impacted, please contact us at:
security@lightning.ai
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pytorch-lightning"
},
"versions": [
"2.6.2"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "pytorch-lightning"
},
"versions": [
"2.6.3"
]
}
],
"aliases": [
"CVE-2026-44484"
],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T00:52:55Z",
"nvd_published_at": "2026-05-14T15:16:48Z",
"severity": "CRITICAL"
},
"details": "# Security Advisory: Compromise of PyTorch Lightning PyPI Package Versions\n\n**Published:** 2026-04-30 \n**Last Updated:** 2026-05-12 \n\n**Github Advisory:** [CVE-2026-44484](https://github.com/advisories/GHSA-w37p-236h-pfx3)\n\nWe have identified a security incident affecting certain versions of one of our PyPI packages.\n\n## What happened\n\nWe have determined that one or more released versions of this package have been compromised and include malicious code.\n\nOur current investigation indicates that the affected versions have introduced functionality consistent with a credential harvesting mechanism. We are still actively analysing the scope and behaviour of the code.\n\nAt this stage, the root cause of the compromise is still under investigation.\n\n## What versions are affected\n\nWe are currently working to confirm the exact set of impacted versions.\n\nWe have determined the following versions as affected and ask that you delete them from your systems:\n\n- `2.6.2`\n- `2.6.3`\n\nWe will update this advisory if the versions impacted by this vulnerability change.\n\n## What you should do immediately\n\nIf you have installed or are running any potentially affected versions:\n\n- Assume the environment may be compromised \n- Immediately rotate all credentials and secrets that may have been exposed, including: \n - API keys \n - Access tokens \n - SSH keys \n - Service account credentials \n- Rebuild affected systems from a known clean state \n- Pin PyTorch Lightning to version `2.6.1` \n- Review logs for any suspicious or unauthorised activity \n\n## Actions we have taken\n\n- Quarantined malicious versions from PyPI \n- Recommend using version `2.6.1`: https://github.com/Lightning-AI/pytorch-lightning/releases/tag/2.6.1 \n- Revoked and rotated all internal credentials associated with our release process \n- Initiated a full investigation into the compromise \n\n## Ongoing investigation\n\nWe are actively working to:\n\n- Identify the exact mechanism of compromise \n- Confirm the full set of affected versions \n- Determine the behaviour and impact of the malicious code \n- Assess any downstream impact to users \n\nWe will provide updates as soon as more information becomes available.\n\n## Commitment to transparency\n\nWe take the security of our users and the integrity of our software supply chain extremely seriously.\n\nWe will continue to share timely and accurate updates as our investigation progresses.\n\n## Contact\n\nIf you have questions or believe you may be impacted, please contact us at:\n\n**security@lightning.ai**",
"id": "GHSA-w37p-236h-pfx3",
"modified": "2026-06-08T23:12:39Z",
"published": "2026-05-07T00:52:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Lightning-AI/pytorch-lightning/security/advisories/GHSA-w37p-236h-pfx3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44484"
},
{
"type": "PACKAGE",
"url": "https://github.com/Lightning-AI/pytorch-lightning"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Compromise of PyTorch Lightning PyPi Package Versions"
}
GHSA-W3F3-4J22-2V3P
Vulnerability from github – Published: 2020-09-02 21:27 – Updated: 2021-09-30 21:25The package destroyer-of-worlds contained malicious code. The package contained a bash script that was run as a postinstall script. The script deleted system files and attempted to exhaust resources by creating a large file, a fork bomb and an endless loop. The script targeted UNIX systems.
Recommendation
Remove the package from your environment and perform additional incident response on your system's files and processes.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "destroyer-of-worlds"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:39:31Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "The package `destroyer-of-worlds` contained malicious code. The package contained a bash script that was run as a postinstall script. The script deleted system files and attempted to exhaust resources by creating a large file, a fork bomb and an endless loop. The script targeted UNIX systems.\n\n\n## Recommendation\n\nRemove the package from your environment and perform additional incident response on your system\u0027s files and processes.",
"id": "GHSA-w3f3-4j22-2v3p",
"modified": "2021-09-30T21:25:19Z",
"published": "2020-09-02T21:27:02Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/890"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in destroyer-of-worlds"
}
Mitigation
Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.
CAPEC-442: Infected Software
An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.
CAPEC-448: Embed Virus into DLL
An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.
CAPEC-636: Hiding Malicious Data or Code within Files
Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.