Malicious Package Affecting soket.io package, versions *
Threat Intelligence
Exploit Maturity
Mature
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-SOKETIO-450954
- published 25 Jun 2019
- disclosed 24 Jun 2018
- credit npm security team
How to fix?
Avoid using soket.io
altogether.
Overview
soket.io is a malicious package that is typo squatting. The authentic package is Socket.io.
The package is malware designed to take advantage of users making a mistake when typing the name of a module to install. When executed, the package calls home to a Command and Control server to execute arbitrary commands.
References
CVSS Scores
version 3.1