Severity: critical

Malicious Package

boogeyman

Overview

All versions of boogeyman are considered malicious. The package downloaded a payload from pastebin.com and ran it with eval; the payload read the user's SSH keys and .npmrc and sent them to a private pastebin account.

Remediation

This package was published to the npm Registry for a very short period of time. If you find it in your environment, revoke and rotate your SSH keys and your npm token.
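
To check whether a project ever resolved this package, the lockfile can be searched for it, including as a transitive dependency. The following is an added example, not part of the original advisory or of npm's tooling; the function names and the sample lockfiles are constructed for illustration, and the input is assumed to be the parsed JSON of a package-lock.json.

```javascript
// Added example: report every place a parsed package-lock.json pulls in the
// package named in this advisory. Pass it JSON.parse(<lockfile contents>).
const MALICIOUS = 'boogeyman'; // package name taken from the advisory

// lockfileVersion 1: nested "dependencies" objects keyed by package name.
function walkV1(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...trail, name];
    if (name === MALICIOUS) hits.push({ path: path.join(' > '), version: info.version });
    walkV1(info.dependencies, path, hits); // transitive dependencies nest here
  }
}

// lockfileVersion 2 and 3: flat "packages" map keyed by install path.
function walkPackages(packages, hits) {
  const marker = 'node_modules/';
  for (const [loc, info] of Object.entries(packages || {})) {
    const idx = loc.lastIndexOf(marker);
    if (idx === -1) continue; // root project or workspace entry
    // The name is everything after the last node_modules/ segment, so a
    // scoped package such as @scope/boogeyman is a different name.
    const name = loc.slice(idx + marker.length);
    if (name === MALICIOUS) hits.push({ path: loc, version: info.version });
  }
}

function findMalicious(lock) {
  const hits = [];
  // v2 lockfiles carry both maps; prefer "packages" to avoid duplicate hits.
  if (lock.packages) walkPackages(lock.packages, hits);
  else walkV1(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lockfiles (names other than boogeyman and all versions are made up).
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'some-tool': { version: '1.2.3', dependencies: { boogeyman: { version: '0.0.0' } } },
  'left-alone': { version: '2.0.0' } } };
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/some-tool': { version: '1.2.3' },
  'node_modules/some-tool/node_modules/boogeyman': { version: '0.0.0' },
  'node_modules/@scope/boogeyman': { version: '9.9.9' } } };
const sampleClean = { lockfileVersion: 3, packages: { '': {}, 'node_modules/left-alone': {} } };

for (const lock of [sampleV1, sampleV3, sampleClean]) console.log(findMalicious(lock));
```

A hit means the package was resolved on some machine that generated or installed from that lockfile, which is the condition under which the key and token rotation above applies.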

Advisory timeline

  1. Created: 2018-07-31T16:26:59.464Z
  2. Updated: 2018-08-17T19:35:03.130Z