GHSA-9mjp-gv34-3jcf

Source
https://github.com/advisories/GHSA-9mjp-gv34-3jcf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-9mjp-gv34-3jcf/GHSA-9mjp-gv34-3jcf.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-9mjp-gv34-3jcf
Published
2020-09-02T18:37:35Z
Modified
2021-10-01T13:55:21Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Malicious Package in aasync
Details

All versions of aasync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise.

Recommendation

Remove the package from your dependencies and always ensure package names are typed correctly upon installation.

Database specific
{
    "github_reviewed_at": "2020-08-31T18:37:53Z",
    "cwe_ids": [
        "CWE-506"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "nvd_published_at": null
}
References

Affected packages

Package
npm / aasync

Affected ranges
Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)