Malware in pre-build binaries of bignum

Critical severity GitHub Reviewed Published May 24, 2023 in justmoon/node-bignum

Package

npm bignum (npm)

Affected versions

>= 0.12.2, < 0.13.1

Patched versions

0.13.1

Description

Impact

bignum releases from v0.12.2 to v0.13.0 (inclusive) used node-pre-gyp to optionally download pre-built binary versions of the addon. These binaries were published on an S3 bucket that has since expired and been claimed by a malicious third party, which is now serving binaries containing malware that exfiltrates data from the user's computer.

Patches

v0.13.1 does not use node-pre-gyp and does not have support for downloading pre-built binaries in any form, avoiding the risk of malicious downloads.
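As an added example (not code from the advisory or the bignum project), the following Node.js script audits an installed npm tree for the affected bignum range stated above and flags any package whose package.json is configured to fetch pre-built binaries through node-pre-gyp (a `binary.host` entry or an install script that invokes it). The sample tree is constructed for illustration.

```javascript
// Added example (not from the advisory or the bignum project): audit an installed npm tree
// for the advisory's bignum range and for packages that fetch pre-built binaries via node-pre-gyp.
// Affected range from the advisory: >= 0.12.2, < 0.13.1
const AFFECTED = { name: "bignum", min: [0, 12, 2], maxExclusive: [0, 13, 1] };

// Parse "1.2.3" or "v1.2.3" into [major, minor, patch]; null if unparseable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when this name/version pair falls inside the advisory's range.
function isAffectedBignum(name, version) {
  const v = parseVersion(version);
  return name === AFFECTED.name && v !== null &&
    compareVersions(v, AFFECTED.min) >= 0 && compareVersions(v, AFFECTED.maxExclusive) < 0;
}

// True when a package.json is set up to download pre-built binaries via
// node-pre-gyp: a "binary.host" URL or an install script that invokes it.
function declaresPrebuiltDownload(pkg) {
  const host = pkg.binary && pkg.binary.host;
  const install = (pkg.scripts && pkg.scripts.install) || "";
  return Boolean(host) || /node-pre-gyp/.test(install);
}

// manifests: install path -> parsed package.json (the caller builds this map
// by reading every package.json under node_modules). Returns one finding per hit.
function auditManifests(manifests) {
  const findings = [];
  for (const [p, pkg] of Object.entries(manifests)) {
    if (isAffectedBignum(pkg.name, pkg.version)) {
      findings.push({ path: p, reason: "bignum in affected range" });
    } else if (declaresPrebuiltDownload(pkg)) {
      findings.push({ path: p, reason: "downloads pre-built binaries via node-pre-gyp" });
    }
  }
  return findings;
}

// Constructed sample tree (not a real project) to exercise the audit.
const SAMPLE = {
  "node_modules/bignum": { name: "bignum", version: "0.12.5" },
  "node_modules/native-thing": { name: "native-thing", version: "2.0.0", binary: { host: "https://example.invalid/prebuilt" } },
  "node_modules/app/node_modules/bignum": { name: "bignum", version: "0.13.1" },
};
console.log(auditManifests(SAMPLE));
```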

References

@justmoon justmoon published to justmoon/node-bignum May 24, 2023
Published to the GitHub Advisory Database May 24, 2023
Reviewed May 24, 2023

Severity

Critical

EPSS score

Weaknesses

Embedded Malicious Code

The product contains code that appears to be malicious in nature.

CVE ID

No known CVE

GHSA ID

GHSA-7cgc-fjv4-52x6

Source code

Credits
