GHSA-w6xj-45gv-fw35

Source
https://github.com/advisories/GHSA-w6xj-45gv-fw35
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-w6xj-45gv-fw35/GHSA-w6xj-45gv-fw35.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w6xj-45gv-fw35
Published
2020-09-02T15:57:06Z
Modified
2023-07-27T20:12:24Z
Summary
Malicious Package in stream-combine
Details

Version 2.0.2 of stream-combine has malicious code designed to steal credentials and credit card information. The code searches all form elements for passwords, credit card numbers and CVC codes. It then uploads the information to a remote server using HTML links embedded in the page or form actions. If your application has a Content Security Policy set, you are not affected by this issue.

Recommendation

This package is not available on the npm Registry anymore. If you used this module and your application processed credentials or credit card information, it is possible that information was stolen.

Users may consider downgrading to version 2.0.1.


Affected packages

npm / stream-combine

Package

Affected ranges

Affected versions

2.*

2.0.2