
GHSA-w6xj-45gv-fw35 stream-combine

Package

Manager: npm
Name: stream-combine
Vulnerable Version: =2.0.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: N/A (percentile: N/A)

Details

Malicious Package in stream-combine

Version 2.0.2 of `stream-combine` contains malicious code designed to steal credentials and credit card information. The code searches all form elements for passwords, credit card numbers and CVC codes. It then uploads the information to a remote server using HTML links embedded in the page or form actions. If your application has a Content Security Policy set, you are not affected by this issue.

Recommendation

This package is no longer available on the npm Registry. If you used this module and your application processed credentials or credit card information, it is possible that information was stolen. Users may consider downgrading to version 2.0.1.
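To check whether a project pins the affected release, the following added example (not part of the advisory or of the package) scans a parsed `package-lock.json` for `stream-combine` at 2.0.2, covering both the flat `packages` map and the nested `dependencies` tree. The function name `findAffected` and the sample lockfile are constructed for illustration.

```javascript
// Added example: locate stream-combine@2.0.2 in a parsed package-lock.json.
const BAD_NAME = 'stream-combine'; // package named in the advisory
const BAD_VERSION = '2.0.2';       // vulnerable version from the advisory

// Returns a sorted list of install paths that pin the malicious version.
function findAffected(lock) {
  const hits = new Set();

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = (meta && meta.name) || path.split('node_modules/').pop();
    if (name === BAD_NAME && meta && meta.version === BAD_VERSION) hits.add(path);
  }

  // lockfileVersion 1 (and the legacy half of v2): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (!meta || typeof meta !== 'object') continue;
      const path = `${prefix}node_modules/${name}`;
      if (name === BAD_NAME && meta.version === BAD_VERSION) hits.add(path);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');

  return [...hits].sort();
}

// Constructed sample (not a real project's lockfile), lockfileVersion 2 shape:
// the top-level copy is the safe 2.0.1, a transitive copy is the bad 2.0.2.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/stream-combine': { version: '2.0.1' },
    'node_modules/some-dep/node_modules/stream-combine': { version: '2.0.2' },
  },
  dependencies: {
    'stream-combine': { version: '2.0.1' },
    'some-dep': {
      version: '1.0.0',
      dependencies: { 'stream-combine': { version: '2.0.2' } },
    },
  },
};
```

In a project, pass it `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result means the lockfile does not pin 2.0.2 anywhere in the tree.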

Metadata

Created: 2020-09-02T15:57:06Z
Modified: 2023-07-27T20:12:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-w6xj-45gv-fw35/GHSA-w6xj-45gv-fw35.json
CWE IDs: []
Alternative ID: N/A
Finding: F448
Auto approve: 1