GHSA-pmgv-94f5-6w7w: Malicious Package in eact

CVSS Score: 9.8 (CVSS 3.1)

Basic Information

CVE ID: -
EPSS Score: -
Published: 9/2/2020
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: eact
Ecosystem: npm
Vulnerable Versions: >= 0
First Patched Version: -

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The advisory describes malicious behavior (data exfiltration) but provides no source code, commit diffs, or implementation details. While we can infer that functions related to telemetry collection (e.g., gathering system info) and network communication (e.g., sending data to a remote server) must exist, the lack of concrete code evidence prevents specific function identification with high confidence. Typosquatting attacks rely on package name confusion rather than specific function vulnerabilities, making this a supply-chain issue rather than a code-level vulnerability.
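As a defender-side check for the name-confusion pattern described above (an added example, not Miggo's or the advisory's code): it scans a constructed package.json for dependency names within one edit of a constructed list of popular packages, flagging `eact` against `react`; the `lodahs` entry is included to show that transposed letters are caught as well.

```javascript
// Added example (not from the advisory): flag npm dependency names that sit
// within a small edit distance of a well-known package, the pattern behind
// `eact` impersonating `react`. The popular-package list and package.json
// below are constructed for the demo.

// Levenshtein distance with adjacent-transposition support (optimal string
// alignment), since swapped letters are a common typosquat form.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Constructed allow-list of popular names a project is expected to depend on.
const POPULAR = ['react', 'react-dom', 'lodash', 'express', 'axios'];

// Returns [{ name, lookalike, distance }] for dependencies that are not an
// exact popular name but lie within `maxDistance` edits of one.
function findTyposquats(pkgJson, popular = POPULAR, maxDistance = 1) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (popular.includes(name)) continue; // exact match: the real package
    for (const known of popular) {
      const distance = editDistance(name, known);
      if (distance <= maxDistance) findings.push({ name, lookalike: known, distance });
    }
  }
  return findings;
}

// Constructed package.json for the demo: one real dependency, two lookalikes.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { eact: '^16.13.1', 'react-dom': '^16.13.1' },
  devDependencies: { lodahs: '^4.17.0' },
};

console.log(findTyposquats(SAMPLE_PACKAGE_JSON));
```

Run it in CI against the real package.json and fail the build on any finding; the allow-list should be the organisation's own set of expected dependencies rather than a guess.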

WAF Protection Rules

WAF Rule

All versions of `eact` typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package
