GHSA-FGP6-8G62-QX6W

Vulnerability from github – Published: 2020-09-03 17:01 – Updated: 2021-09-30 21:58
VLAI?
Summary
Malicious Package in smartsearchwp
Details

All versions of smartsearchwp contain malicious code. The package is malware intended to steal credentials from websites it is loaded in. It traverses DOM elements looking for fields such as username and password and uploads it to a remote server. The package also port-scans the local gateway and uploads the information to the remote server. It has a feature to fetch commands from the remote server and execute them with eval. The npm security team analysis found several bugs in the malware that prevent it from actually performing its actions. The malicious code is also not invoked upon installation or require; it would require transpiling TypeScript code and using it in a website.

Recommendation

Remove the package from your environment. There is no indication of further compromise.

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "smartsearchwp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:44:01Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "All versions of `smartsearchwp` contain malicious code. The package is malware intended to steal credentials from websites it is loaded in. It traverses DOM elements looking for fields such as `username` and `password` and uploads it to a remote server. The package also port-scans the local gateway and uploads the information to the remote server. It has a feature to fetch commands from the remote server and execute them with `eval`. The npm security team analysis found several bugs in the malware that prevent it from actually performing its actions. The malicious code is also not invoked upon installation or require; it would require transpiling TypeScript code and using it in a website.\n\n\n\n## Recommendation\n\nRemove the package from your environment. There is no indication of further compromise.",
  "id": "GHSA-fgp6-8g62-qx6w",
  "modified": "2021-09-30T21:58:23Z",
  "published": "2020-09-03T17:01:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1011"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in smartsearchwp"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.