Malicious Package
Affecting stream-combine package, versions =2.0.2
Overview
stream-combine is a malicious package that merged chronological time-based streams.
The code contains malicious functions design to steal credentials and credit card information by searching different forms of passwords, credit card numbers and CVC codes. Then, the information is being uploaded to a remote server using HTML links embedded in the page or form actions. Note: If your application has Content Security Policy set you are not affected by this issue.
Remediation
Avoid using stream-combine
altogether.
References
Do your applications use this vulnerable package?
CVSS Score
7.5
high severity
-
Attack VectorNetwork
-
Attack ComplexityLow
-
Privileges RequiredNone
-
User InteractionNone
-
ScopeUnchanged
-
ConfidentialityHigh
-
IntegrityNone
-
AvailabilityNone
- Credit
- Yeiniel Suarez Sosa
- CWE
- CWE-506
- Snyk ID
- SNYK-JS-STREAMCOMBINE-173670
- Disclosed
- 25 Jan, 2019
- Published
- 10 Feb, 2019