Malicious Package Affecting tsconfig-slick package, versions *
Threat Intelligence
Exploit Maturity: Mature
- Snyk ID SNYK-JS-TSCONFIGSLICK-6044723
- published 3 Nov 2023
- disclosed 3 Nov 2023
- credit Phylum Research Team
How to fix?
Avoid using all malicious instances of the tsconfig-slick package.
Overview
tsconfig-slick is a malicious package.
The attack chain is triggered by package installation via an install hook in the package.json. The malicious code constructs an object o that aggregates various pieces of system information, such as the operating system's platform, architecture, release version, CPU information, network interfaces, and user information, after which it exfiltrates the data to a malicious host.