CVE-2016-3956

Name of the Vulnerable Software and Affected Versions npm versions prior to 2.15.1 npm versions 3.x prior to 3.8.3 Node.js versions 0.10 prior to 0.10.44 Node.js versions 0.12 prior to 0.12.13 Node.js versions 4 prior to 4.4.2 Node.js versions 5 prior to 5.10.0

Description The issue allows remote HTTP servers to obtain sensitive information by reading Authorization headers, as the CLI in npm includes bearer tokens with arbitrary requests. An attacker could create an HTTP server to collect tokens and compromise the user's token by causing the npm CLI to make a request to that server. This compromised token could be used to perform actions that the user could do, including publishing new packages.

Recommendations Update npm with npm install npm@latest -g Revoke your Tokens Enable Two-Factor Authentication