CVE-2017-16128
npm-script-demo is malware
9.8
CRITICAL
CVSS 3.1
EPSS 0.32%
Description
The `npm-script-demo` package is a piece of malware that opens a connection to a command and control server and executes the instructions it is given. It has been removed from the npm registry.

## Recommendation

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer has been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
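How to fix CVE-2017-16128
No patched version has been released yet. Consider removing the affected package, or refer to the upstream advice in the links below.
- No patched version listed
Is CVE-2017-16128 being exploited?
Low: EPSS is 0.3%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)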
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |