GHSA-5wq6-v5cw-jvfr

Source

https://github.com/advisories/GHSA-5wq6-v5cw-jvfr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-5wq6-v5cw-jvfr/GHSA-5wq6-v5cw-jvfr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5wq6-v5cw-jvfr

Published

2020-09-03T23:03:36Z

Modified

2021-09-30T17:12:55Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Malicious Package in js-shas

Details

Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.

Recommendation

Remove the package from your environment. Ensure no Ethereum funds were compromised.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-506"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:53:46Z"
}

References

https://www.npmjs.com/advisories/1285

Affected packages

npm / js-shas

Package

Name: js-shas; View open source insights on deps.dev
Purl: pkg:npm/js-shas

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0