
Malicious Package in boogeyman

Critical severity GitHub Reviewed Published Sep 1, 2020 • Updated Oct 1, 2021

Package

npm boogeyman (npm)

Affected versions

>= 0.0.0

Patched versions

None

Description

All versions of boogeyman are considered malicious. This particular package would download a payload from pastebin.com, eval it to read SSH keys and the user's .npmrc, and send them to a private pastebin account.

Recommendation

This package was published to the npm Registry for a very short period of time. If you happen to find it in your environment, you should revoke and rotate your SSH keys and your npm token.

References

Severity

Critical 9.8 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-9hc2-w9gg-q6jw

Source code

No known source code