PT-2020-21304 — Remote Code Execution in Npm Only-Test-Not-Install

PT-2020-21304 · Npm · Only-Test-Not-Install

Published

2020-09-03

Updated

2020-09-03

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions only-test-not-install versions (affected versions not specified)

Description The issue concerns malicious code within the package that deletes the folder ~/test from the system as a postinstall script. There are no further signs of compromise.

Recommendations Remove the package from your environment.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-506

Related Identifiers

GHSA-G9WF-393Q-4W38

Affected Products

Only-Test-Not-Install

PT-2020-21304 · Npm · Only-Test-Not-Install

Weakness Enumeration

Related Identifiers

Affected Products

References · 2