MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTd4YzQtNzkzeC0yNWpw

Critical

Permalink JSON

Malicious Package in bpi66

Affected Packages	Affected Versions	Fixed Versions
npm:bpi66 PURL: `pkg:npm/bpi66`	>= 0.0.0	No known fixed version
1 Dependent packages 1 Dependent repositories 1 Downloads last month Affected Version Ranges All affected versions 0.0.1-security

All versions of this package contained malware. The package was designed to find and exfiltrate cryptocurrency wallets.

Recommendation

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.

The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

References:

https://www.npmjs.com/advisories/1374
https://github.com/advisories/GHSA-7xc4-793x-25jp

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTd4YzQtNzkzeC0yNWpw

Malicious Package in bpi66

Affected Version Ranges

All affected versions

Recommendation

Identifiers

Risk

Severity

Classification

Source

Origin

Date and time

Published

Updated

API