Malicious Package Affecting load-from-cwd-or-npm package, versions >=3.0.2 <3.0.4
Snyk CVSS
Attack Complexity
Low
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
Exploit Maturity
Mature
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-LOADFROMCWDORNPM-451650
- published 18 Jul 2019
- disclosed 17 Jul 2019
- credit Harry Garood
How to fix?
Avoid using load-from-cwd-or-npm
version 3.0.2 altogether. Furthermore, upgrade load-from-cwd-or-npm
to version 3.0.4 or higher.
Overview
load-from-cwd-or-npm is a package that can be used to load a module from either CWD or npm CLI directory.
Affected versions of this package are Malicious.
Version 3.0.2 of the packge was found to contain malicous code. The malicious code when executed, breaks functionality of the purescript-installer
package by injecting targeted code.