Electron · Electron Packager · CVE-2016-10534
**Name of the Vulnerable Software and Affected Versions**
electron-packager versions 5.2.1 through 6.0.2
**Description**
The issue allows an attacker to perform a man-in-the-middle (MITM) attack because the `--strict-ssl` command line option defaults to false unless it is explicitly set to true. An attacker with a privileged network position could therefore intercept the install process at the step where electron-packager downloads Electron for the supported target platforms and architectures, and replace the valid download with a tampered, malicious one. The issue only affects users of the electron-packager CLI, since the `strict-ssl` option defaults to true for the Node.js API.
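The following is an added illustration, not electron-packager's own code, of how a boolean CLI flag's default decides whether TLS certificate validation is enforced for the Electron download; the flag names come from the advisory, while the tiny argv parser and the mapping of `strictSSL` onto Node's `rejectUnauthorized` request option are assumptions.

```javascript
// Added example (not electron-packager's own code): models how the default of
// a boolean CLI flag decides whether TLS certificate validation is enforced
// when the Electron binary is downloaded. The option names are the advisory's;
// the parser and the mapping to Node's `rejectUnauthorized` are assumptions.

// Minimal argv parser for one boolean flag. `defaultValue` is what applies
// when the flag is absent from the command line; that default is the bug.
function parseStrictSsl(argv, defaultValue) {
  let value = defaultValue;
  for (const arg of argv) {
    if (arg === '--strict-ssl' || arg === '--strict-ssl=true') {
      value = true;
    } else if (arg === '--no-strict-ssl' || arg === '--strict-ssl=false') {
      value = false;
    }
  }
  return value;
}

// Vulnerable CLI behaviour (versions 5.2.1 through 6.0.2): the flag defaults
// to false unless the user explicitly passes --strict-ssl=true.
function vulnerableCliOptions(argv) {
  return { strictSSL: parseStrictSsl(argv, false) };
}

// Fixed behaviour (7.0.0 and later, and the Node.js API throughout): the flag
// defaults to true and has to be turned off deliberately.
function fixedCliOptions(argv) {
  return { strictSSL: parseStrictSsl(argv, true) };
}

// Assumed mapping of strictSSL onto the TLS request option that controls
// whether the download client rejects certificates it cannot verify.
// Nothing is fetched here; only the request options are built.
function downloadRequestOptions(opts, url) {
  return { url, rejectUnauthorized: opts.strictSSL === true };
}

// Typical invocation: the user names platform and arch and says nothing about
// TLS. Under the old default, certificate checks are silently disabled.
const argv = ['--platform=linux', '--arch=x64'];
const ELECTRON_URL = 'https://example.invalid/electron-v1.0.0-linux-x64.zip'; // constructed
const before = downloadRequestOptions(vulnerableCliOptions(argv), ELECTRON_URL);
const after = downloadRequestOptions(fixedCliOptions(argv), ELECTRON_URL);
console.log('vulnerable rejectUnauthorized:', before.rejectUnauthorized); // false
console.log('fixed      rejectUnauthorized:', after.rejectUnauthorized);  // true
```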
**Recommendations**
Update to version 7.0.0 or later.
Delete the `electron-download` cache folder, which is by default located at `~/.electron`.