Homepage
About Snyk

Malicious Package Affecting fc-gotcha package, versions =3.0.0 =4.0.0 =5.0.0 =6.0.0 =6.1.0 =6.2.0 =6.3.0 =6.4.0 =8.0.0 =9.0.0

Severity

 Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Mature

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-FCGOTCHA-2962985
  • published 29 Jul 2022
  • disclosed 5 Sep 2023
  • credit Snyk Research Team
Report a new vulnerability Found a mistake?

Introduced: 29 Jul 2022

Malicious CVE NOT AVAILABLE CWE-506 Open this link in a new tab
First added by Snyk

How to fix?

Avoid using all malicious instances of the fc-gotcha package.

Overview

fc-gotcha is a malicious package. This package was discovered to use one or several malicious techniques such as:

  1. Typosquatting: This technique involves registering domain names or package names that closely resemble legitimate ones, with the intention of deceiving users who make typographical errors. The aim is to redirect unsuspecting users to malicious websites or install counterfeit packages.

  2. Dependency confusion: This type of supply chain attack involves inserting malicious software into the development process by replacing a legitimate software package with a malicious one.

  3. Code injection: This refers to the malicious act of injecting unauthorized code into a vulnerable software system. Attackers exploit security weaknesses to insert their code, which can result in unauthorized access, data breaches, or the execution of malicious actions within the targeted application or system.

  4. Backdoors: These are hidden entry points deliberately created by attackers within software or systems. These unauthorized access points allow threat actors to bypass security measures and gain control over compromised systems or applications, often enabling remote control, data theft, or further malicious activities.

  5. Data exfiltration: This involves the unauthorized extraction of sensitive or confidential data from compromised systems or networks. Malicious packages might secretly collect and transmit this information to remote servers controlled by threat actors, potentially leading to privacy breaches or misuse of sensitive data.

Note: This malicious package was uncovered by one of Snyk's automated algorithms, and was confirmed to contain malicious code by our Security Research Team. For more context, please visit our blogpost.

CVSS Scores

version 3.1
Expand this section

Snyk

9.8 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High