Malicious Package Affecting botbait package, versions *
Snyk CVSS
Attack Complexity
Low
User Interaction
Required
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
Exploit Maturity
Mature
EPSS
0.08% (35th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID npm:botbait:20170917
- published 17 Sep 2017
- disclosed 8 Aug 2017
- credit Jordan Wright
Introduced: 8 Aug 2017
Malicious CVE-2017-16126 Open this link in a new tabHow to fix?
Avoid usage of this package altogether.
Overview
botbait
is a malicious package that was used to collect download metrics beyond what npm provides, and sent them to google analytics or piwik. This can cause a privacy concern amongst users.
This is especially dangerous in production runtime environments, where environment variables tend to consist of keys, passwords, tokens and other secrets.
Example:
{
"name": "npm_scripts_test_metrics",
"scripts": {
"preinstall": "curl 'http://google-analytics.com/collect?v=1&t=event&tid=....'",
"postinstall": "curl 'http://google-analytics.com/collect?v=1&t=event&tid=....'"
}
},
{
"name": "subtitles-lib",
"scripts": {
"postinstall": "bash -c 'curl \"http://*****.piwikpro.com/piwik.php?idsite=3&rec=1&action_name=$HOSTNAME\"'"
}
}
The list of packages and their scripts are:
npm_scripts_test_metrics
subtitles-lib
ikst
botbait
mktmpio
anarchy