Severity: critical

Malicious Package



All versions of npmpubman contain malicious code. The index.js file sends local environment variables to a remote server. The file is not run upon installation; the malicious code executes only when the package is required or index.js is run manually.


Remove the package from your environment and ensure any compromised credentials are rotated.
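To confirm whether the package is present, including as a transitive dependency, the lockfile can be searched. The following is an added example, not part of the original advisory: the function name findInLock, the sample lockfiles, the package name example-build-tool and all version strings are constructed for illustration.

```javascript
const BAD_PACKAGE = "npmpubman"; // package named in the advisory

// Return every install location of `name` in a parsed package-lock.json.
function findInLock(lock, name) {
  const hits = [];
  const marker = "node_modules/";
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf(marker);
      const folder = idx === -1 ? "" : path.slice(idx + marker.length);
      // meta.name is recorded when the folder name differs from the package name (alias).
      if (folder === name || meta.name === name) {
        hits.push({ path, version: meta.version || "unknown" });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" objects.
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = prefix + marker + dep;
      if (dep === name) hits.push({ path, version: meta.version || "unknown" });
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles: everything except the name npmpubman is made up.
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/example-build-tool": { version: "2.1.0" },
    "node_modules/example-build-tool/node_modules/npmpubman": { version: "1.0.0" },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "example-build-tool": { version: "2.1.0", dependencies: { npmpubman: { version: "1.0.0" } } },
  },
};

for (const sample of [SAMPLE_V3, SAMPLE_V1]) {
  for (const hit of findInLock(sample, BAD_PACKAGE)) {
    console.log(`lockfile v${sample.lockfileVersion}: ${BAD_PACKAGE}@${hit.version} at ${hit.path}`);
  }
}
```

To check a real project, pass the result of JSON.parse on its package-lock.json to findInLock. Any hit means code in that tree could have required the package, so the credentials present in that environment should be treated as exposed.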


Advisory timeline

  1. Advisory Published: Oct 15th, 2020
  2. Reported by Unknown: Oct 15th, 2020