Malicious Package

Affecting load-from-cwd-or-npm package, versions >=3.0.2 <3.0.4

Overview

load-from-cwd-or-npm is a package that can be used to load a module from either CWD or npm CLI directory.

Affected versions of this package are malicious. Version 3.0.2 of the package was found to contain malicious code. When executed, the malicious code breaks the functionality of the purescript-installer package by injecting targeted code.

Remediation

Avoid using load-from-cwd-or-npm version 3.0.2 altogether. Furthermore, upgrade load-from-cwd-or-npm to version 3.0.4 or higher.

CVSS Score

9.8 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Credit: Harry Garood
CWE: CWE-506
Snyk ID: SNYK-JS-LOADFROMCWDORNPM-451650
Disclosed: 17 Jul, 2019
Published: 18 Jul, 2019