Malicious Package in cafe_buy_duo

Q: How to fix?

Avoid using all malicious instances of the cafe_buy_duo package.

Threat Intelligence

Attacked

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-RUBY-CAFEBUYDUO-11951381
published17 Aug 2025
disclosed14 Aug 2025
creditKirill Boychenko

Report a new vulnerability Found a mistake?

Introduced: 14 Aug 2025

New Malicious CWE-506 (opens in a new tab)

How to fix?

Avoid using all malicious instances of the cafe_buy_duo package.

Overview

cafe_buy_duo is a malicious package. This package contains malicious code, and its content was removed from the official package manager. The package appears to be part of a larger campaign targeting user credentials. It, and several other variations, masquerade as automation tools for social media and marketing platforms. When used, a graphical user interface, written in Korean, prompts the user for their credentials. Instead of using these for any legitimate purpose, the package collects the user's MAC address to track infections and sends the credentials to an attacker-controlled server.

References

The Hacker News Article

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
Passive

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Malicious Package Affecting cafe_buy_duo package, versions >=0.0.0

Severity