
GHSA-gwjw-ph82-w683 - Malware in duo_web_sdk #2701

Closed
pidydx opened this issue Sep 2, 2023 · 5 comments

Comments

@pidydx

pidydx commented Sep 2, 2023

As far as I can tell duo_web_sdk is deprecated, but it is Duo's code and not malware. https://github.com/duosecurity/duo_web_sdk

Can anyone explain why this advisory exists because the advisory itself has no references and simply claims it is all malware and I can't find any reference anywhere else suggesting that this package has ever been compromised or hijacked.

@darakian
Contributor

The advisory refers to the npm package here
https://www.npmjs.com/package/duo_web_sdk
Which indeed has been pulled down.

@KateCatlin
Collaborator

@pidydx any further questions here or shall we close this issue down?

@pidydx
Author

pidydx commented Oct 20, 2023

@darakian Thanks for the explanation!

@KateCatlin I ran into this problem because npm audit fix blew up on this warning

```
duo_web_sdk  *
Severity: critical
Malware in duo_web_sdk - https://github.com/advisories/GHSA-gwjw-ph82-w683
No fix available
node_modules/duo_web_sdk
```

But the package.json involved isn't pointing at that package. https://github.com/bitwarden/clients/blob/e9f0c07b02c539a365bb68c678c31f1ba4e04dd8/package.json#L173C53-L173C53

I'm not super familiar with the npm ecosystem, but it sounds like it might be a bug elsewhere so this is probably fine to close. It might be worth it to add that package link to the advisory to make it clear what the advisory is referring to since duo publishes their own duo_web_sdk. Thanks!

@darakian
Contributor

@pidydx Ah, interesting. I think you've stumbled on a bug in npm doing package resolution where it thinks the package is coming from npmjs.com and hence delivers the advisory. I'll forward this along to get it in front of a team that can look into a fix for it 👍
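The resolution question raised in the two comments above, as an added example that is not part of this thread, of npm, or of the Bitwarden project: read the `packages` map of a lockfileVersion 2 or 3 `package-lock.json` and classify each installed copy of a package by its `resolved` URL, so that a registry-keyed malware advisory such as GHSA-gwjw-ph82-w683 can be checked against where the code was actually fetched from. The lockfile below is constructed for the example; the `duo_web_sdk` entry mirrors a git-URL dependency like the one discussed, but its version, commit hash and integrity values are made up, and the helper names are the example's own.

```javascript
// Added example: classify installed packages in a package-lock.json by source.
// Not code from the issue, npm, GitHub Advisory Database or Bitwarden.

// Constructed lockfile fragment (lockfileVersion 3). Versions, the git commit
// hash and the integrity string are invented for illustration.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'example-app',
      dependencies: {
        duo_web_sdk: 'git+https://github.com/duosecurity/duo_web_sdk.git',
        lodash: '^4.17.21',
      },
    },
    'node_modules/duo_web_sdk': {
      version: '2.1.0',
      resolved: 'git+ssh://git@github.com/duosecurity/duo_web_sdk.git#0123456789abcdef0123456789abcdef01234567',
    },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha512-AAAA',
    },
    // A second, nested copy of the same name: audits must consider every copy.
    'node_modules/some-dep/node_modules/lodash': {
      version: '4.17.15',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz',
    },
  },
};

// Classify one lock entry by the scheme/host of its `resolved` field.
function classifySource(entry) {
  const resolved = entry.resolved || '';
  if (entry.link) return 'workspace-link';
  if (/^git(\+\w+)?:/.test(resolved) || /^github:/.test(resolved)) return 'git';
  if (/^https?:\/\/registry\.npmjs\.org\//.test(resolved)) return 'npm-registry';
  if (/^https?:\/\//.test(resolved)) return 'other-registry-or-tarball';
  if (/^file:/.test(resolved)) return 'local';
  return 'unknown';
}

// Package name installed at a lock path, e.g.
// "node_modules/a/node_modules/@s/b" -> "@s/b". Returns null for the root "".
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? null : lockPath.slice(idx + 'node_modules/'.length);
}

// Every installed copy of `name`, with path, version, resolved URL and source class.
// lockfileVersion 1 files have no `packages` map, so they yield an empty list.
function findPackageSources(lock, name) {
  const out = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '' || packageNameFromPath(lockPath) !== name) continue;
    out.push({
      path: lockPath,
      version: entry.version,
      resolved: entry.resolved,
      source: classifySource(entry),
    });
  }
  return out;
}

// True when at least one installed copy of `name` was fetched from
// registry.npmjs.org, i.e. when an advisory about the npm package of that
// name can actually apply to this install.
function registryCopyInstalled(lock, name) {
  return findPackageSources(lock, name).some((s) => s.source === 'npm-registry');
}

for (const name of ['duo_web_sdk', 'lodash']) {
  console.log(name, JSON.stringify(findPackageSources(SAMPLE_LOCK, name), null, 2));
  console.log(`${name}: registry copy installed =`, registryCopyInstalled(SAMPLE_LOCK, name));
}
```

To run this against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. For the constructed lockfile, `duo_web_sdk` reports a single `git` copy and no registry copy, which is the situation the thread describes: the advisory names the npm registry package, while the installed code was fetched from the duosecurity GitHub repository, so a tool that keys only on the package name overreports.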

@pidydx
Author

pidydx commented Nov 19, 2023

@KateCatlin should be good, I will close.

@darakian The way I stumble onto bugs, this would not surprise me.

Thanks all!

@pidydx pidydx closed this as completed Nov 19, 2023