GHSA-4hjg-w3ww-38c6: Malicious Package in tiar

CVSS Score: 9.8 (CVSS 3.1)

Basic Information

CVE ID: -
EPSS Score: -
Published: 9/3/2020
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| tiar | npm | >= 0.0.0 | |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The advisory describes malicious behavior (data exfiltration, file download, and execution) but provides no specific code examples, file paths, or function names. Without access to the actual package code or detailed technical analysis from the report, we cannot confidently identify specific vulnerable functions. The CWE-506 classification confirms embedded malicious code exists, but the lack of implementation details in available sources prevents function-level identification.

WAF Protection Rules

WAF Rule

All versions of `tiar` contain malicious code. The package uploads system information to a remote server, downloads a file and executes it.

## Recommendation

Any computer that has this package installed or running should be considered fully compro
