Malicious Package Affecting obao-digital-pnm-ui package, versions =2.0.0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-OBAODIGITALPNMUI-5672118
- published 8 Jun 2023
- disclosed 8 Jun 2023
- credit Snyk Research Team
Introduced: 8 Jun 2023
Malicious CVE NOT AVAILABLE CWE-506 Open this link in a new tabHow to fix?
Avoid using all malicious instances of the obao-digital-pnm-ui
package.
Overview
obao-digital-pnm-ui is a malicious package. This package was discovered to use one or several malicious techniques such as:
Typosquatting: This technique involves registering domain names or package names that closely resemble legitimate ones, with the intention of deceiving users who make typographical errors. The aim is to redirect unsuspecting users to malicious websites or install counterfeit packages.
Dependency confusion: This type of supply chain attack involves inserting malicious software into the development process by replacing a legitimate software package with a malicious one.
Code injection: This refers to the malicious act of injecting unauthorized code into a vulnerable software system. Attackers exploit security weaknesses to insert their code, which can result in unauthorized access, data breaches, or the execution of malicious actions within the targeted application or system.
Backdoors: These are hidden entry points deliberately created by attackers within software or systems. These unauthorized access points allow threat actors to bypass security measures and gain control over compromised systems or applications, often enabling remote control, data theft, or further malicious activities.
Data exfiltration: This involves the unauthorized extraction of sensitive or confidential data from compromised systems or networks. Malicious packages might secretly collect and transmit this information to remote servers controlled by threat actors, potentially leading to privacy breaches or misuse of sensitive data.
Note: This malicious package was uncovered by one of Snyk's automated algorithms, and was confirmed to contain malicious code by our Security Research Team. For more context, please visit our blogpost.