text-qrcode is a malicious package that generates QR codes.
It contains malicious code that overwrites the randomBytes method of the crypto module with a function that generates weak entropy. Instead of drawing 32 bytes, the tampered randomBytes draws only 3 bytes of entropy and hashes them, so a 32-byte value is still returned, but one with just 24 bits of entropy that is easily guessable.
- Snyk ID
- 29 Nov, 2018
- 10 Jan, 2019