7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16203

GHSA ID

GHSA-j49g-mp79-5vm5

EPSS Score

0.50328%

CWE

CWE-506

Published

8/6/2018

Updated

9/7/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16203

CVE-2017-16203: coffe-script is malware

The coffe-script package is a piece of malware that steals sensitive data such as a user's private SSH key and bash history, sending them to attacker controlled locations.

All versions have been unpublished from the npm registry.

Recommendation

If you have found coffe-script installed in your environment, you should:

Delete the package
Clear your npm cache
Ensure it is not present in any other package.json files on your system
Regenerate your SSH keys, registry credentials, tokens, and any other sensitive credentials that may have been present in your bash history.

Additionally, any service which may have been exposed via credentials in your bash history or accessible via your ssh keys, such as a database, should be reviewed for indicators of compromise as well.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16203

GHSA ID

GHSA-j49g-mp79-5vm5

EPSS Score

0.50328%

CWE

CWE-506

Published

8/6/2018

Updated

9/7/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
coffe-script	npm	= 1.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The advisory describes 'coffe-script' as embedded malware that exfiltrates sensitive data, but no source code, commit diffs, or specific function names are provided in the vulnerability disclosures. While the malicious behavior (e.g., reading SSH keys and bash history, sending data to attackers) implies functions related to file I/O and network communication, the lack of concrete code examples or technical details makes it impossible to identify specific functions with high confidence. The package has been unpublished, and no patch or code analysis is available to verify implementation details.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** `*o***-s*ript` p**k*** is * pi*** o* m*lw*r* t**t st**ls s*nsitiv* **t* su** *s * us*r's priv*t* SS* k*y *n* **s* *istory, s*n*in* t**m to *tt**k*r *ontroll** lo**tions. *ll v*rsions **v* ***n unpu*lis*** *rom t** npm r**istry. ## R**omm*n**

Reasoning

T** **visory **s*ri**s '*o***-s*ript' *s *m****** m*lw*r* t**t *x*iltr*t*s s*nsitiv* **t*, *ut no sour** *o**, *ommit *i**s, or sp**i*i* *un*tion n*m*s *r* provi*** in t** vuln*r**ility *is*losur*s. W*il* t** m*li*ious ****vior (*.*., r***in* SS* k*y

7.5

Basic Information

Concerned about an active attack path?

CVE-2017-16203: coffe-script is malware

Recommendation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI