Severity: critical

Malicious Package



All versions of npmpubman contain malicious code. The package's index.js file sends local environment variables to a remote server. The code does not run at install time; it executes only when the package is required or index.js is run manually.


Remove the package from your environment and ensure any compromised credentials are rotated.
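To confirm whether the package is present, including as a transitive dependency, the lockfile can be searched. The following is an added example, not part of the original advisory: the function names, the "example-dep" package and the version numbers in the samples are constructed for illustration.

```javascript
// Added example: find an advisory-listed package in a parsed package-lock.json.
const BAD_PACKAGE = "npmpubman"; // name from the advisory; all versions affected

function findInLockfile(lock, name = BAD_PACKAGE) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    const marker = "node_modules/";
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf(marker);
      if (idx !== -1 && path.slice(idx + marker.length) === name) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, trail) => {
    for (const [depName, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${depName}`;
      if (depName === name) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Read and scan a lockfile from disk (fs is loaded only when this is called).
function scanFile(file = "package-lock.json") {
  const fs = require("fs");
  return findInLockfile(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed samples: "example-dep" and the version numbers are made up.
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "example-dep": { version: "1.0.0", dependencies: { npmpubman: { version: "0.0.0" } } },
  },
};
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/example-dep": { version: "1.0.0" },
    "node_modules/example-dep/node_modules/npmpubman": { version: "0.0.0" },
  },
};
console.log(findInLockfile(sampleV1), findInLockfile(sampleV3));
```

Run scanFile() in each project directory. A non-empty result lists every install path to remove; the lockfile does not cover globally installed packages.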

Advisory timeline

  1. Advisory published: Oct 15th, 2020
  2. Reported by Unknown: Oct 15th, 2020