Malicious Package Affecting consul-hcp package, versions *


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Mature

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-CONSULHCP-3179336
  • published 21 Dec 2022
  • disclosed 15 Dec 2022
  • credit Sonatype Research Team

Introduced: 15 Dec 2022

Malicious CVE NOT AVAILABLE CWE-506 Open this link in a new tab

How to fix?

Avoid using all malicious instances of the consul-hcp package.

Overview

consul-hcp is a malicious package. This package contains a malware that includes a reverse shell code and binds shell scripts.

As these packages are dependancy confusion packages, these packages are malicious if they have been downloaded and installed from the npm repository. Installation of these packages from other repositories or CDNs are likely safe to use.

These spoofed packages have no relation to the company or project they are attempting to spoof, and are not published by them or associated with them in any way.

Users should verify that the package they are using has been downloaded from the official source and not from the general package distribution repository. Snyk cannot automatically identify where a package has been downloaded from and will mark any use of the package as malicious to allow users to check whether they have been compromised.

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
9.8 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High