Malicious Package Affecting stream-combine package, versions =2.0.2
Snyk CVSS
Attack Complexity
Low
Confidentiality
High
Threat Intelligence
Exploit Maturity
Mature
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-STREAMCOMBINE-173670
- published 10 Feb 2019
- disclosed 25 Jan 2019
- credit Yeiniel Suarez Sosa
How to fix?
Avoid using stream-combine altogether.
Overview
stream-combine is a malicious package that merged chronological time-based streams.
The code contains malicious functions design to steal credentials and credit card information by searching different forms of passwords, credit card numbers and CVC codes. Then, the information is being uploaded to a remote server using HTML links embedded in the page or form actions. Note: If your application has Content Security Policy set you are not affected by this issue.