Severity: critical

Malicious Package

npmpubman

Overview

All versions of npmpubman contain malicious code. The index.js file sends local environment variables to a remote server. The file is not run upon installation; the package must be required, or index.js run manually, for the code to execute.

Remediation

Remove the package from your environment and ensure any compromised credentials are rotated.
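
As an added example (not part of the advisory or of npm's tooling), the following JavaScript checks a parsed package-lock.json for npmpubman at any dependency depth and flags source lines that load it, since the payload runs only when the package is required. The sample lockfile, the `left-helper` package name, the file names and the status labels are constructed for illustration.

```javascript
// Added example: find npmpubman in a parsed package-lock.json and in source text.
const BAD = 'npmpubman';
// Install paths of `name`; handles lockfile v2/v3 ("packages") and v1 (nested "dependencies").
function findInLock(lock, name = BAD) {
  const hits = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    // keys look like "node_modules/a/node_modules/b"; compare the last package name
    if (key.split('node_modules/').pop() === name) hits.add(key);
  }
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) hits.add(path);
      walk(meta?.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return [...hits].sort();
}

// Lines that load `name` via require, import or dynamic import, including subpaths.
function findLoads(source, name = BAD) {
  const esc = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp(
    `(?:require\\s*\\(|import\\s*\\(|from|import)\\s*['"\`]${esc}(?:/[^'"\`]*)?['"\`]`);
  return source.split('\n')
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter(({ text }) => re.test(text));
}

// 'loaded': a scanned file runs index.js; 'installed': present, no load site in the
// scanned files (does not prove it never ran); 'absent': not in the lockfile.
function assess(lock, sources) {
  const installed = findInLock(lock);
  const loads = Object.entries(sources)
    .flatMap(([file, src]) => findLoads(src).map(h => ({ file, ...h })));
  const status = loads.length ? 'loaded' : installed.length ? 'installed' : 'absent';
  return { installed, loads, status };
}

// Constructed sample input (not from the advisory); "left-helper" is hypothetical.
const sampleLock = {
  lockfileVersion: 2,
  packages: { 'node_modules/left-helper/node_modules/npmpubman': { version: '1.0.0' } },
  dependencies: { 'left-helper': { version: '1.0.0',
    dependencies: { npmpubman: { version: '1.0.0' } } } },
};
const sampleSources = { 'src/publish.js': "const fs = require('fs');\nconst p = require('npmpubman');\n" };
console.log(assess(sampleLock, sampleSources).status);
```

For a real project, pass the result of `JSON.parse` on the project's package-lock.json and a map of file path to file contents.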

Advisory timeline

  1. Advisory Published: Oct 15th, 2020
  2. Reported by Unknown: Oct 15th, 2020