GHSA-7cgc-fjv4-52x6

Source
https://github.com/advisories/GHSA-7cgc-fjv4-52x6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-7cgc-fjv4-52x6/GHSA-7cgc-fjv4-52x6.json
Published
2023-05-24T16:43:58Z
Modified
2023-05-24T16:43:58Z
Details

Impact

bignum releases from v0.12.2 to v0.13.0 (inclusive) used node-pre-gyp to optionally download pre-built binary versions of the addon. These binaries were published on a now-expired S3 bucket which has since been claimed by a malicious third party which is now serving binaries containing malware that exfiltrates data from the user's computer.

Patches

v0.13.1 does not use node-pre-gyp and does not have support for downloading pre-built binaries in any form, avoiding the risk of malicious downloads.

References

Affected packages

npm / bignum

Package

Name
bignum

Affected ranges

Type
SEMVER
Events
Introduced
0.12.2
Fixed
0.13.1