7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-16062

GHSA ID

GHSA-mwcv-m549-5cm8

EPSS Score

0.50324%

CWE

CWE-506

Published

11/1/2018

Updated

9/11/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16062

CVE-2017-16062: node-tkinter is malware

The node-tkinter package is a piece of malware that steals environment variables and sends them to attacker controlled locations.

All versions have been unpublished from the npm registry.

Recommendation

As this package is malware, if you find it installed in your environment, the real security concern is determining how it got there.

If you have found this installed in your environment, you should:

Delete the package
Clear your npm cache
Ensure it is not present in any other package.json files on your system
Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables.

Additionally, any service which may have been exposed via credentials in your environment variables, such as a database, should be reviewed for indicators of compromise as well.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-16062

GHSA ID

GHSA-mwcv-m549-5cm8

EPSS Score

0.50324%

CWE

CWE-506

Published

11/1/2018

Updated

9/11/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
node-tkinter	npm	<= 1.0.2	1.0.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided vulnerability description confirms node-tkinter is malware that exfiltrates environment variables, but no actual code/patch diffs are available for analysis. Without access to the package's source code or specific patch changes, we cannot definitively identify exact function names, call patterns, or execution paths that would appear in a runtime profiler. The malicious behavior would likely involve environment variable access (process.env) and network exfiltration (HTTP requests), but these would manifest as Node.js core API calls rather than application-layer functions from the malware itself. Since there is no concrete evidence of specific vulnerable functions in the provided materials, we cannot confidently list them.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** `no**-tkint*r` p**k*** is * pi*** o* m*lw*r* t**t st**ls *nvironm*nt v*ri**l*s *n* s*n*s t**m to *tt**k*r *ontroll** lo**tions. *ll v*rsions **v* ***n unpu*lis*** *rom t** npm r**istry. ## R**omm*n**tion *s t*is p**k*** is m*lw*r*, i* you

Reasoning

T** provi*** vuln*r**ility **s*ription *on*irms no**-tkint*r is m*lw*r* t**t *x*iltr*t*s *nvironm*nt v*ri**l*s, *ut no **tu*l *o**/p*t** *i**s *r* *v*il**l* *or *n*lysis. Wit*out ****ss to t** p**k***'s sour** *o** or sp**i*i* p*t** ***n**s, w* **nno

7.5

Basic Information

Concerned about an active attack path?

CVE-2017-16062: node-tkinter is malware

Recommendation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI