Malicious Package Affecting font-scrubber package, versions =1.0.0, =1.1.0, =1.1.1, =1.1.2, =1.1.3, =1.1.4, =1.2.0, =1.2.1, =1.2.2
Threat Intelligence
Exploit Maturity: Mature
- Snyk ID SNYK-JS-FONTSCRUBBER-174909
- published 5 Jun 2019
- disclosed 4 Jun 2019
- credit npm security
How to fix?
Avoid using font-scrubber altogether.
Overview
font-scrubber is a malicious package.
font-scrubber contains malicious code as a postinstall script. The package attempts to upload sensitive files from the system to a remote server. The files include configuration files, command history logs, SSH keys and /etc/passwd.
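To check whether a project ever resolved this package, the lockfile can be searched for it, including nested copies pulled in by other dependencies. The following is an added example, not part of the original advisory: it handles both the npm lockfile v1 layout (nested `dependencies`) and the v2/v3 layout (flat `packages`), and the sample lockfiles and the names `demo-app` and `example-lib` are constructed for illustration.

```javascript
// Added example: locate font-scrubber in a parsed package-lock.json.
// AFFECTED is copied from this advisory's version list.
const AFFECTED = new Set(["1.0.0", "1.1.0", "1.1.1", "1.1.2", "1.1.3",
                          "1.1.4", "1.2.0", "1.2.1", "1.2.2"]);
const NAME = "font-scrubber";

const finding = (path, meta) => ({
  path,
  version: meta.version,
  affected: AFFECTED.has(meta.version),
  installScript: meta.hasInstallScript === true, // only recorded by lockfile v2+
});

// Lockfile v2/v3: flat "packages" map keyed by install path ("" is the project root).
function scanPackages(packages, out) {
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue;
    // npm records "name" when it differs from the path (aliases); else derive it.
    const name = meta.name || path.split("node_modules/").pop();
    if (name === NAME) out.push(finding(path, meta));
  }
}

// Lockfile v1: nested "dependencies" tree, walked recursively.
function scanDependencies(deps, trail, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = trail.concat(name);
    if (name === NAME) out.push(finding(here.join(" > "), meta));
    scanDependencies(meta.dependencies, here, out);
  }
}

function findFontScrubber(lock) {
  const out = [];
  if (lock.packages) scanPackages(lock.packages, out);
  else scanDependencies(lock.dependencies, [], out);
  return out;
}

// Constructed sample lockfiles (hypothetical project and dependency names).
const SAMPLE_V2 = { lockfileVersion: 2, packages: {
  "": { name: "demo-app", version: "0.0.1" },
  "node_modules/example-lib": { version: "2.0.0" },
  "node_modules/example-lib/node_modules/font-scrubber": { version: "1.2.2", hasInstallScript: true },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "example-lib": { version: "2.0.0", dependencies: { "font-scrubber": { version: "1.1.3" } } },
} };

console.log(findFontScrubber(SAMPLE_V2), findFontScrubber(SAMPLE_V1));
```

Any hit is worth investigating since the advisory recommends avoiding the package altogether; `affected` only records whether the resolved version is one of those listed above.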
CVSS Scores
version 3.1