npm

Severity: high

Entropy Backdoor

text-qrcode

Overview

All versions of text-qrcode contain malicious code that overwrites the randomBytes method for the crypto module with a function that generates weak entropy. Instead of generating 32 bytes, the infected randomBytes will generate 3 bytes of entropy and hash them, resulting in a 32 byte value being returned, but one that is easily guessable.

Remediation

Uninstall text-qrcode immediately. If the module was used to generate entropy that is load bearing, all such instances of generated entropy must be replaced. This includes things like bitcoin wallets, private keys, encrypted messages, etc.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. Created

    2018-11-29T00:41:55.086Z
  2. Updated

    2018-11-29T16:42:01.919Z