Malicious Package

Affecting stream-combine package, versions =2.0.2

Overview

stream-combine is a malicious package that merges chronological, time-based streams.

The code contains malicious functions designed to steal credentials and credit card information by searching forms for passwords, credit card numbers and CVC codes. The harvested data is then uploaded to a remote server using HTML links embedded in the page or form actions. Note: if your application has a Content Security Policy set, you are not affected by this issue.

Remediation

Avoid using stream-combine altogether.
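A lockfile check, added here as an example and not part of the advisory or the package itself, that reports whether the affected stream-combine release is installed anywhere in an npm project's dependency tree. The sample lockfiles are constructed for illustration.

```javascript
// Added example (not from the advisory or the project): scan an npm
// package-lock.json for the affected stream-combine release, 2.0.2.
// Supports lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map).
const ADVISORY = { name: "stream-combine", affected: ["2.0.2"], id: "SNYK-JS-STREAMCOMBINE-173670" };

function findAffected(lock, advisory = ADVISORY) {
  const hits = [];
  const check = (path, name, version) => {
    if (name === advisory.name && advisory.affected.includes(version)) {
      hits.push({ path, version, id: advisory.id });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths, e.g.
    // "node_modules/a/node_modules/stream-combine"; name is the last segment.
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(path, path.split("node_modules/").pop(), meta.version);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" objects, walked recursively.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        check(path, name, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/stream-combine": { version: "2.0.2" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-lib": { version: "0.1.0", dependencies: { "stream-combine": { version: "2.0.2" } } },
    "stream-combine": { version: "2.0.1" }, // earlier release, not in the advisory range
  },
};
console.log(findAffected(SAMPLE_LOCK_V3), findAffected(SAMPLE_LOCK_V1));
```

To run it against a real project, replace the constructed samples with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.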

CVSS Score

7.5 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Credit: Yeiniel Suarez Sosa
CWE: CWE-506
Snyk ID: SNYK-JS-STREAMCOMBINE-173670
Disclosed: 25 Jan, 2019
Published: 10 Feb, 2019