Malicious Package Affecting yandex-cssformat package, versions *
Threat Intelligence
Exploit Maturity
Mature
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-YANDEXCSSFORMAT-3253392
- published 30 Jan 2023
- disclosed 30 Jan 2023
- credit unknown
How to fix?
Avoid using all malicious instances of the yandex-cssformat
package.
Overview
yandex-cssformat is a malicious package. This is a typo-squatting attack, which means the package name is based on the existing repositories, namespaces, or components. It aims to trick users into downloading a package that contains malicious code.
This targets popular Yandex packages and contains malicious code in the preinstall command which allows sending sensitive information about the system and user to a remote server.
References
CVSS Scores
version 3.1