Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc2eGotNDVndi1mdzM1

Malicious Package in stream-combine

Version 2.0.2 of stream-combine has malicious code designed to steal credentials and credit card information. The code searches all form elements for passwords, credit card numbers and CVC codes. It then uploads the information to a remote server using HTML links embedded in the page or form actions. If your application has a Content Security Policy set, you are not affected by this issue.

Recommendation

This package is not available on the npm Registry anymore. If you used this module and your application processed credentials or credit card information, it is possible that information was stolen.

Users may consider downgrading to version 2.0.1.
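To confirm whether the affected release is present anywhere in a dependency tree, including as a transitive dependency, the parsed contents of package-lock.json can be checked for stream-combine at exactly 2.0.2. The following is an added example, not code from the advisory or from ecosyste.ms; the function names and the sample lockfiles (with the made-up packages shop-frontend and checkout-widget) are constructed for illustration.

```javascript
// Added example: locate stream-combine@2.0.2 in a parsed package-lock.json.
// Only the package name and version come from the advisory; all else is constructed.
const AFFECTED = { name: "stream-combine", version: "2.0.2" };

// Lockfile v2/v3: flat "packages" map keyed by install path,
// e.g. "node_modules/a/node_modules/b".
function scanPackages(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages || {})) {
    // Real name is the last "node_modules/" segment, unless the entry
    // carries an explicit "name" (seen when a package is installed under an alias).
    const name = meta.name || path.split("node_modules/").pop();
    if (name === AFFECTED.name && meta.version === AFFECTED.version) hits.push(path);
  }
  return hits;
}

// Lockfile v1: nested "dependencies" tree; walk it and record the chain of parents.
function scanDependencies(deps, trail = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...trail, name];
    if (name === AFFECTED.name && meta.version === AFFECTED.version) hits.push(here.join(" > "));
    hits.push(...scanDependencies(meta.dependencies, here));
  }
  return hits;
}

// v2 lockfiles carry both sections; prefer "packages" so hits are not reported twice.
function findAffected(lock) {
  return lock.packages ? scanPackages(lock.packages) : scanDependencies(lock.dependencies);
}

// Constructed sample lockfiles (not real projects).
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "shop-frontend", version: "1.0.0" },
  "node_modules/stream-combine": { version: "2.0.1" },
  "node_modules/checkout-widget/node_modules/stream-combine": { version: "2.0.2" },
}};
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "checkout-widget": { version: "1.4.0",
    dependencies: { "stream-combine": { version: "2.0.2" } } },
}};

console.log(findAffected(sampleV3)); // nested copy only; top-level 2.0.1 is not flagged
console.log(findAffected(sampleV1));
```

On a real project, pass the result of JSON.parse on the contents of package-lock.json to findAffected; an empty array means the lockfile does not pin the affected version.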

Permalink: https://github.com/advisories/GHSA-w6xj-45gv-fw35
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc2eGotNDVndi1mdzM1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: 10 months ago


Identifiers: GHSA-w6xj-45gv-fw35
References:
Blast Radius: 0.0

Affected Packages

npm:stream-combine
Dependent packages: 0
Dependent repositories: 2
Downloads: 134 last month
Affected Version Ranges: = 2.0.2
No known fixed version
All affected versions: