GHSA-wxrm-2h86-v95f

Source
https://github.com/advisories/GHSA-wxrm-2h86-v95f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-wxrm-2h86-v95f/GHSA-wxrm-2h86-v95f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wxrm-2h86-v95f
Published
2020-09-03T21:04:20Z
Modified
2021-09-29T20:45:26Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Malicious Package in pizza-pasta
Details

Version 1.0.3 of pizza-pasta contains malicious code in its install scripts. The package created folders on the system's Desktop and downloaded an image from imgur.com. The package also printed the user's SSH keys to the console.

Recommendation

Remove the package from your environment. There is no evidence of further compromise.
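The affected range below is SEMVER with "Introduced 0.0.0" and no "fixed" event, which in OSV terms means every published version is affected, not only 1.0.3. The following script is an added example, not part of the advisory or the OSV project: it applies OSV's SEMVER event semantics to a package-lock.json and reports any install of the affected package, together with the packages the lockfile marks as carrying install scripts (lockfile v2/v3 record this as `hasInstallScript`). The lockfile contents are constructed sample data; the advisory identifier, package name and range are taken from this page.

```javascript
// Added example (not from the advisory): check a package-lock.json against an OSV advisory.
// Only Node built-ins are used. SAMPLE_LOCK is constructed sample data, not a real project.

const ADVISORY = {
  id: 'GHSA-wxrm-2h86-v95f',
  ecosystem: 'npm',
  name: 'pizza-pasta',
  // As published: introduced 0.0.0 and no "fixed" event, so every version is affected.
  ranges: [{ type: 'SEMVER', events: [{ introduced: '0.0.0' }] }],
};

// Constructed sample lockfile (v3 layout): one affected install plus an unrelated package.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0', dependencies: { 'pizza-pasta': '^1.0.0', express: '^4.18.0' } },
    'node_modules/pizza-pasta': { version: '1.0.3', hasInstallScript: true },
    'node_modules/express': { version: '4.18.2' },
  },
};

// Minimal semver parser: MAJOR.MINOR.PATCH with optional -prerelease and +build.
function parseSemver(v) {
  if (v === '0') v = '0.0.0'; // OSV uses "0" as "the earliest version"
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Returns -1, 0 or 1 following semver precedence rules (pre-releases sort below the release).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    if (pa.pre[i] === undefined) return -1;
    if (pb.pre[i] === undefined) return 1;
    const x = pa.pre[i], y = pb.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn !== yn) return xn ? -1 : 1; // numeric identifiers sort before alphanumeric ones
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

const eventVersion = (ev) => ev.introduced ?? ev.fixed ?? ev.last_affected;

// OSV SEMVER semantics: walk events in version order; "introduced" opens an affected
// window, "fixed" closes it (exclusive), "last_affected" closes it (inclusive).
function isAffected(version, ranges) {
  for (const range of ranges) {
    if (range.type !== 'SEMVER') continue;
    const events = [...range.events].sort((x, y) => compareSemver(eventVersion(x), eventVersion(y)));
    let affected = false;
    for (const ev of events) {
      if (ev.introduced !== undefined && compareSemver(version, ev.introduced) >= 0) affected = true;
      else if (ev.fixed !== undefined && compareSemver(version, ev.fixed) >= 0) affected = false;
      else if (ev.last_affected !== undefined && compareSemver(version, ev.last_affected) > 0) affected = false;
    }
    if (affected) return true;
  }
  return false;
}

// Walks lockfile v2/v3 "packages" (keys are install paths such as
// "node_modules/a/node_modules/b"); falls back to lockfile v1 nested "dependencies".
function findAffected(lock, advisory) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path || !meta.version) continue; // "" is the root project
      const name = meta.name || path.split('node_modules/').pop(); // meta.name covers aliased installs
      if (name === advisory.name && isAffected(meta.version, advisory.ranges)) {
        hits.push({ path, version: meta.version, hasInstallScript: Boolean(meta.hasInstallScript) });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === advisory.name && isAffected(meta.version, advisory.ranges)) {
          hits.push({ path, version: meta.version, hasInstallScript: false }); // v1 has no such flag
        }
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Lockfile v2/v3 flag packages with preinstall/install/postinstall hooks; listing them is a
// cheap first look at what will execute during `npm install`.
function packagesWithInstallScripts(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path && meta.hasInstallScript)
    .map(([path, meta]) => `${path}@${meta.version}`);
}

console.log('affected installs:', JSON.stringify(findAffected(SAMPLE_LOCK, ADVISORY)));
console.log('packages with install scripts:', packagesWithInstallScripts(SAMPLE_LOCK));
```

For a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a hit means the recommendation above applies (remove the package). Setting `npm config set ignore-scripts true` prevents install hooks from running at all, at the cost of breaking packages that legitimately need them.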

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:50:44Z",
    "nvd_published_at": null,
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-506"
    ]
}
References

Affected packages

Package
npm / pizza-pasta

Affected ranges
Type: SEMVER
Events: Introduced 0.0.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-wxrm-2h86-v95f/GHSA-wxrm-2h86-v95f.json"