GHSA-w6xj-45gv-fw35

Source

https://github.com/advisories/GHSA-w6xj-45gv-fw35

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-w6xj-45gv-fw35/GHSA-w6xj-45gv-fw35.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w6xj-45gv-fw35

Published

2020-09-02T15:57:06Z

Modified

2023-07-27T20:12:24Z

Summary

Malicious Package in stream-combine

Details

Version 2.0.2 of stream-combine has malicious code design to steal credentials and credit card information. The code searches all form elements for passwords, credit card numbers and CVC codes. It then uploads the information to a remote server using HTML links embedded in the page or form actions. If your application has Content Security Policy set you are not affected by this issue.

Recommendation

This package is not available on the npm Registry anymore. If you used this module and your application processed credentials or credit card information, it is possible that information was stolen.

Users may consider downgrading to version 2.0.1

Database specific

{
    "github_reviewed_at": "2020-08-31T18:35:17Z",
    "cwe_ids": [],
    "nvd_published_at": null,
    "severity": "CRITICAL",
    "github_reviewed": true
}

References

https://www.npmjs.com/advisories/774

Affected packages

npm / stream-combine

Package

Name: stream-combine; View open source insights on deps.dev
Purl: pkg:npm/stream-combine

Affected ranges

Affected versions

2.*

2.0.2