GHSA-9x64-5r7x-2q53 flatmap-stream

Package

Manager: npm
Name: flatmap-stream
Vulnerable Version: =0.1.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: N/A (percentile: N/A)

Details

Malicious Package in flatmap-stream

Version 0.1.1 of `flatmap-stream` is considered malicious.

This module runs an encrypted payload targeting a very specific application, `copay`, and because they shared the same description it would likely have worked for `copay-dash`.

The injected code:

- Read in AES encrypted data from a file disguised as a test fixture
- Grabbed the npm package description of the module that imported it, using an automatically set environment variable
- Used the package description as a key to decrypt a chunk of data pulled in from the disguised file

The decrypted data was part of a module, which was then compiled in memory and executed. This module performed the following actions:

- Decrypted another chunk of data from the disguised file
- Concatenated a small, commented prefix from the first decrypted chunk to the end of the second decrypted chunk
- Performed minor decoding tasks to transform the concatenated block of code from invalid JS to valid JS (we believe this was done to evade detection by dynamic analysis tools)
- Wrote this processed block of JS out to a file stored in a dependency that would be packaged by the build scripts:

The chunk of code that was written out was the actual malicious code, intended to be run on devices owned by the end users of Copay. This code would do the following:

- Detect the current environment: Mobile/Cordova/Electron
- Check the Bitcoin and Bitcoin Cash balances on the victim's copay account
- If the current balance was greater than 100 Bitcoin, or 1000 Bitcoin Cash:
  - Harvest the victim's account data in full
  - Harvest the victim's copay private keys
  - Send the victim's account data/private keys off to a collection

## Recommendation

If you find this module in your environment it's best to remove it. The malicious versions of event-stream and flatmap-stream have been removed from the npm Registry.
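One way to check an environment for the affected version, as an added example that is not part of the original advisory: the function below scans the text of an npm `package-lock.json` for `flatmap-stream` locked at 0.1.1, covering both the nested `dependencies` tree and the flat `packages` map. The function names and the sample lockfiles are constructed for illustration; the layout assumed is npm's lockfileVersion 1 to 3.

```javascript
// Added example: locate flatmap-stream 0.1.1 in package-lock.json content.
const TARGET = { name: 'flatmap-stream', version: '0.1.1' }; // from this advisory

// lockfileVersion 2/3: flat "packages" map keyed by install path,
// e.g. "node_modules/a/node_modules/flatmap-stream".
function scanPackages(packages, hits) {
  for (const [path, meta] of Object.entries(packages || {})) {
    const name = meta.name || path.split('node_modules/').pop();
    if (name === TARGET.name && meta.version === TARGET.version) hits.add(path);
  }
}

// lockfileVersion 1 (and the v2 compatibility section): nested "dependencies".
function scanDependencies(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = [...trail, name].map((n) => 'node_modules/' + n).join('/');
    if (name === TARGET.name && meta.version === TARGET.version) hits.add(path);
    scanDependencies(meta.dependencies, [...trail, name], hits); // transitive deps
  }
}

// Returns the sorted install paths where the malicious version is locked.
// A v2 lockfile lists each package in both sections; the Set removes duplicates.
function findMaliciousFlatmapStream(lockText) {
  const lock = JSON.parse(lockText);
  const hits = new Set();
  scanPackages(lock.packages, hits);
  scanDependencies(lock.dependencies, [], hits);
  return [...hits].sort();
}

// Constructed sample lockfiles (hypothetical projects, not real data).
const sampleV1 = JSON.stringify({
  lockfileVersion: 1,
  dependencies: {
    'parent-pkg': {
      version: '1.0.0',
      dependencies: { 'flatmap-stream': { version: '0.1.1' } },
    },
  },
});
const sampleV3 = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/flatmap-stream': { version: '0.1.0' }, // constructed, not 0.1.1
  },
});
console.log(findMaliciousFlatmapStream(sampleV1), findMaliciousFlatmapStream(sampleV3));
```

To scan a real project, pass the contents of its `package-lock.json` as a string. A non-empty result means the lockfile pins the malicious version at the listed paths.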

Metadata

Created: 2020-09-01T21:21:32Z
Modified: 2021-10-01T13:30:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-9x64-5r7x-2q53/GHSA-9x64-5r7x-2q53.json
CWE IDs: ["CWE-506"]
Alternative ID: N/A
Finding: F448
Auto approve: 1