Malicious Package Affecting @yandex-travel/ui package, versions *


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Mature

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-YANDEXTRAVELUI-3253418
  • published30 Jan 2023
  • disclosed30 Jan 2023
  • creditunknown

Introduced: 30 Jan 2023

Malicious CVE NOT AVAILABLE CWE-506  (opens in a new tab)

How to fix?

Avoid using all malicious instances of the @yandex-travel/ui package.

Overview

@yandex-travel/ui is a malicious package. This is a typo-squatting attack, which means the package name is based on the existing repositories, namespaces, or components. It aims to trick users into downloading a package that contains malicious code.

This targets popular Yandex packages and contains malicious code in the preinstall command which allows sending sensitive information about the system and user to a remote server.

CVSS Scores

version 3.1