CVE-2017-16207
discordi.js is malware
Severity: 7.3 HIGH (CVSS 3.1), EPSS 0.20%
Description
The `discordi.js` package is malware that attempts to discover and exfiltrate a user's [Discord](https://discordapp.com/) credentials, sending them to pastebin. All versions have been unpublished from the npm registry.

## Recommendation

Do not install / use this module. It has been unpublished from the npm registry but may exist in some caches. Any users that logged into Discord using this library will need to change their credentials.
How to fix CVE-2017-16207
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- No fix listed
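To confirm a project no longer resolves `discordi.js`, including as a transitive dependency, the lockfile can be searched for the exact package name. This is an added example, not part of the original advisory; `findInLock`, `sampleLock`, and every package name and version other than `discordi.js` are constructed for illustration.

```javascript
// Find every copy of a named package in a parsed package-lock.json object.
const BAD_NAME = "discordi.js"; // package name taken from the advisory

function findInLock(lock, name = BAD_NAME) {
  const hits = new Map(); // install path -> version (dedupes v2 files carrying both layouts)

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project itself
    // Exact match on the final path segment, so the legitimate discord.js is not flagged.
    if (path.slice(idx + "node_modules/".length) === name) {
      hits.set(path, meta.version || "unknown");
    }
  }

  // lockfileVersion 1 (and the v2 compatibility section): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) hits.set(path, meta.version || "unknown");
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");

  return [...hits].map(([path, version]) => ({ path, version }));
}

// Constructed sample lockfile: the package arrives only through a transitive dependency.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-bot", version: "1.0.0" },
    "node_modules/discord.js": { version: "0.0.0" },
    "node_modules/some-helper": { version: "0.0.0" },
    "node_modules/some-helper/node_modules/discordi.js": { version: "0.0.0" },
  },
  dependencies: {
    "discord.js": { version: "0.0.0" },
    "some-helper": {
      version: "0.0.0",
      dependencies: { "discordi.js": { version: "0.0.0" } },
    },
  },
};

console.log(findInLock(sampleLock));
```

For a real project, pass the parsed contents of `package-lock.json`; any hit means the package should be removed and the Discord credentials used with it changed.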
Is CVE-2017-16207 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, <= 14.0.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |