9.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16127

GHSA ID

GHSA-428f-mh7w-6w2x

EPSS Score

0.55893%

CWE

CWE-509

Published

9/1/2020

Updated

9/7/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16127

CVE-2017-16127: pandora-doomsday is malware

The pandora-doomsday package is a malicious package that adds itself to the package.json of other packages discovered on the victim host and attempts to publish the package.

It has been removed from the npm registry.

Recommendation

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.

The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

(GitHub Advisory)

9.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16127

GHSA ID

GHSA-428f-mh7w-6w2x

EPSS Score

0.55893%

CWE

CWE-509

Published

9/1/2020

Updated

9/7/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pandora-doomsday	npm	>= 0.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The advisory describes malicious behavior (self-replication via package.json modification and unauthorized publishing) but provides no actual code samples, commit diffs, or implementation details. Without access to the package's source code or specific behavioral analysis showing function-level activity, we cannot confidently identify specific vulnerable functions. The CWE-509 classification indicates worm-like behavior, but this describes the package's overall functionality rather than specific function implementations. The absence of patching information and GitHub's 'No known source code' status further prevents technical analysis of vulnerable functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** `p*n*or*-*ooms**y` p**k*** is * m*li*ious p**k*** t**t ***s its*l* to t** p**k***.json o* ot**r p**k***s *is*ov*r** on t** vi*tim *ost *n* *tt*mpts to pu*lis* t** p**k***. It **s ***n r*mov** *rom t** npm r**istry. ## R**omm*n**tion *ny *omp

Reasoning

T** **visory **s*ri**s m*li*ious ****vior (s*l*-r*pli**tion vi* p**k***.json mo*i*i**tion *n* un*ut*oriz** pu*lis*in*) *ut provi**s no **tu*l *o** s*mpl*s, *ommit *i**s, or impl*m*nt*tion **t*ils. Wit*out ****ss to t** p**k***'s sour** *o** or sp**i*

9.8

Basic Information

Concerned about an active attack path?

CVE-2017-16127: pandora-doomsday is malware

Recommendation

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI