Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXd4cm0tMmg4Ni12OTVm

Malicious Package in pizza-pasta

Version 1.0.3 of pizza-pasta contains malicious code in the form of an install script. The package created folders on the system's Desktop and downloaded an image from imgur.com. The package also printed the user's SSH keys to the console.

Recommendation

Remove the package from your environment. There is no evidence of further compromise.

Permalink: https://github.com/advisories/GHSA-wxrm-2h86-v95f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXd4cm0tMmg4Ni12OTVm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-wxrm-2h86-v95f
References:
Blast Radius: 0.0

Affected Packages

npm:pizza-pasta
Dependent packages: 1
Dependent repositories: 1
Downloads: 3 last month
Affected Version Ranges: >= 0.0.0
No known fixed version
All affected versions: