
Malware in pre-built binaries of bignum

Critical severity GitHub Reviewed Published May 24, 2023 in justmoon/node-bignum

Package

npm bignum (npm)

Affected versions

>= 0.12.2, < 0.13.1

Patched versions

0.13.1

Description

Impact

bignum releases v0.12.2 through v0.13.0 (inclusive) used node-pre-gyp to optionally download pre-built binary versions of the addon. These binaries were published to an S3 bucket that has since expired and been claimed by a malicious third party, which now serves binaries containing malware that exfiltrates data from the user's computer.

Patches

v0.13.1 does not use node-pre-gyp and does not have support for downloading pre-built binaries in any form, avoiding the risk of malicious downloads.
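An added audit script, not part of this advisory or the bignum project, that flags bignum entries in a package-lock.json whose version falls in the affected range and reports whether a dependency's package.json still declares a node-pre-gyp `binary.host` download location. The lockfile and package.json contents are constructed samples; the function and variable names are the example's own.

```javascript
// Added example, not from the advisory or the bignum project: audit a package-lock.json
// for bignum versions in the affected range (>= 0.12.2, < 0.13.1) and report whether a
// dependency's package.json still declares a node-pre-gyp "binary.host". Sample data is constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Affected range from the advisory: >= 0.12.2 and < 0.13.1 (0.13.1 is the patched release).
function isAffectedBignum(version) {
  return compareVersions(version, '0.12.2') >= 0 && compareVersions(version, '0.13.1') < 0;
}

// Walk a lockfile v2/v3 "packages" map (keys are install paths) and collect every bignum
// install, including nested copies, whose version falls in the affected range.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/bignum$/.test(path) && isAffectedBignum(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// node-pre-gyp reads its download location from package.json "binary.host". A dependency
// that still declares one fetches a prebuilt addon from a remote host at install time.
function prebuiltDownloadHost(pkgJson) {
  const b = pkgJson.binary;
  return b && typeof b.host === 'string' ? b.host : null;
}

// Constructed sample lockfile in package-lock.json v3 shape.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/bignum': { version: '0.13.0' },
    'node_modules/other/node_modules/bignum': { version: '0.13.1' },
  },
};
```

Any hit from `findAffected` means an install that may have pulled an addon from the expired bucket; rebuilding from source or upgrading to 0.13.1 removes the download path entirely.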

References

@justmoon justmoon published to justmoon/node-bignum May 24, 2023
Published to the GitHub Advisory Database May 24, 2023
Reviewed May 24, 2023

Severity

Critical

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-7cgc-fjv4-52x6

Source code

Credits
