GHSA-6mrq-7r7m-hh4p

Source

https://github.com/advisories/GHSA-6mrq-7r7m-hh4p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-6mrq-7r7m-hh4p/GHSA-6mrq-7r7m-hh4p.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6mrq-7r7m-hh4p

Published

2020-09-03T22:52:58Z

Modified

2021-09-30T16:21:58Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Malicious Package in hs-sha3

Details

Version 0.8.0 contained malicious code. The package targeted the Ethereum cryptocurrency and performed transactions to wallets not controlled by the user.

Recommendation

Remove the package from your environment. Ensure no Ethereum funds were compromised.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-506"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:53:24Z"
}

References

https://www.npmjs.com/advisories/1275

Affected packages

npm / hs-sha3

Package

Name: hs-sha3; View open source insights on deps.dev
Purl: pkg:npm/hs-sha3

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0