Severity: critical

Malicious Package

npmpubman

Overview

All versions of npmpubman contain malicious code. The index.js file sends local environment variables to a remote server. The file is not run upon installation; the code executes only when the package is required or index.js is run manually.

Remediation

Remove the package from your environment and ensure any compromised credentials are rotated.
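
One way to check whether npmpubman is present in a project's lockfile, directly or as a transitive dependency, shown here as an added example that is not part of the original advisory. The function name, the sample lockfiles, and every package name and version other than npmpubman are constructed for illustration.

```javascript
// Added example: find every install location of a package in a parsed
// package-lock.json object (lockfileVersion 1, 2 or 3).
function findInLockfile(lock, name) {
  const hits = new Set();
  const marker = "node_modules/";

  // v2/v3: flat "packages" map keyed by install path. An aliased install
  // keeps the real package name in the entry's "name" field.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // root project or workspace folder
    const installedAs = path.slice(idx + marker.length);
    if (installedAs === name || entry.name === name) hits.add(path);
  }

  // v1 (and the compatibility copy in v2): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [depName, info] of Object.entries(deps || {})) {
      const path = `${prefix}${marker}${depName}`;
      if (depName === name) hits.add(path);
      walk(info.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");

  return [...hits].sort();
}

// Constructed sample lockfiles; only the name npmpubman comes from the advisory.
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/left-helper": { version: "1.0.0" },
    "node_modules/left-helper/node_modules/npmpubman": { version: "0.0.0-constructed" },
    "node_modules/pub-alias": { name: "npmpubman", version: "0.0.0-constructed" },
    "node_modules/npmpubman-lookalike": { version: "1.0.0" },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "left-helper": { version: "1.0.0", dependencies: { npmpubman: { version: "0.0.0-constructed" } } },
  },
};

console.log(findInLockfile(SAMPLE_V3, "npmpubman"));
console.log(findInLockfile(SAMPLE_V1, "npmpubman"));
```

To check a real project, pass the parsed contents of its package-lock.json as the first argument; an empty result means the lockfile does not reference the package.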


Advisory timeline

  1. Published: Advisory Published, Oct 15th, 2020
  2. Reported: Reported by Unknown, Oct 15th, 2020