CVE-2017-16065

Name of the Vulnerable Software and Affected Versions: openssl.js (affected versions not specified)

Description: The issue concerns a malicious module named openssl.js that was published with the intent to hijack environment variables, stealing them and sending the information to attacker-controlled locations. All versions of this module have been unpublished from the npm registry.

Recommendations: Delete the openssl.js package from your environment. Clear your npm cache. Ensure openssl.js is not present in any other package.json files on your system. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been exposed via environment variables. Review services that may have been exposed via credentials in your environment variables, such as databases, for indicators of compromise.