GHSA-fgp6-8g62-qx6w

Source

https://github.com/advisories/GHSA-fgp6-8g62-qx6w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-fgp6-8g62-qx6w/GHSA-fgp6-8g62-qx6w.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fgp6-8g62-qx6w

Published

2020-09-03T17:01:45Z

Modified

2021-09-30T21:58:23Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Malicious Package in smartsearchwp

Details

All versions of smartsearchwp contain malicious code. The package is malware intended to steal credentials from websites it is loaded in. It traverses DOM elements looking for fields such as username and password and uploads it to a remote server. The package also port-scans the local gateway and uploads the information to the remote server. It has a feature to fetch commands from the remote server and execute them with eval. The npm security team analysis found several bugs in the malware that prevent it from actually performing its actions. The malicious code is also not invoked upon installation or require; it would require transpiling TypeScript code and using it in a website.

Recommendation

Remove the package from your environment. There is no indication of further compromise.

Database specific

{
    "nvd_published_at": null,
    "severity": "CRITICAL",
    "github_reviewed_at": "2020-08-31T18:44:01Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-506"
    ]
}

References

https://www.npmjs.com/advisories/1011

Affected packages

npm / smartsearchwp

Package

Name: smartsearchwp; View open source insights on deps.dev
Purl: pkg:npm/smartsearchwp

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected