N/A

CVSS Score

Basic Information

CVE ID

CVE-2017-16202

GHSA ID

GHSA-m6wh-m8m8-6xx5

EPSS Score

0.50328%

CWE

CWE-506

Published

8/6/2018

Updated

9/6/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16202

CVE-2017-16202: cofeescript is malware

The cofeescript package is a piece of malware that steals sensitive data such as a user's private SSH key and bash history, sending them to attacker controlled locations.

All versions have been unpublished from the npm registry.

Recommendation

If you have found cofeescript installed in your environment, you should:

Delete the package
Clear your npm cache
Ensure it is not present in any other package.json files on your system
Regenerate your SSH keys, registry credentials, tokens, and any other sensitive credentials that may have been present in your bash history.

Additionally, any service which may have been exposed via credentials in your bash history or accessible via your ssh keys, such as a database, should be reviewed for indicators of compromise as well.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2017-16202

GHSA ID

GHSA-m6wh-m8m8-6xx5

EPSS Score

0.50328%

CWE

CWE-506

Published

8/6/2018

Updated

9/6/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
cofeescript	npm	= 1.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The advisory describes 'cofeescript' as embedded malware but provides no source code or specific function-level details. Malicious behavior (data exfiltration of SSH keys/bash history) likely occurs through package installation hooks (e.g., postinstall scripts) or hidden runtime components, but without access to the actual package code or commit diffs, we cannot identify specific functions with high confidence. The package has been unpublished, further limiting analysis. Standard npm malware patterns suggest potential exploitation via lifecycle scripts, but this remains speculative without concrete code evidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** `*o***s*ript` p**k*** is * pi*** o* m*lw*r* t**t st**ls s*nsitiv* **t* su** *s * us*r's priv*t* SS* k*y *n* **s* *istory, s*n*in* t**m to *tt**k*r *ontroll** lo**tions. *ll v*rsions **v* ***n unpu*lis*** *rom t** npm r**istry. ## R**omm*n**ti

Reasoning

T** **visory **s*ri**s '*o***s*ript' *s *m****** m*lw*r* *ut provi**s no sour** *o** or sp**i*i* *un*tion-l*v*l **t*ils. M*li*ious ****vior (**t* *x*iltr*tion o* SS* k*ys/**s* *istory) lik*ly o**urs t*rou** p**k*** inst*ll*tion *ooks (*.*., postinst*

N/A

Basic Information

Concerned about an active attack path?

CVE-2017-16202: cofeescript is malware

Recommendation

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI