
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN077
_____________________________________________________________________

DATE                : 05/02/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running jquerry version 2.0.0 or
                       http-proxy-middelware version 2.9.0.

=====================================================================
https://www.npmjs.com/advisories/1600
https://www.npmjs.com/advisories/1600/versions
https://www.npmjs.com/advisories/1599
https://www.npmjs.com/advisories/1599/versions
_____________________________________________________________________

Advisory Published: Feb 3rd, 2021
Reported by Uriel Chemouni: Feb 3rd, 2021


Malicious Package
jquerry


Overview

All versions of jquerry contain malicious code. The index.js file
appears to download and execute a crypto mining script. The file is not
run upon installation - the package needs to be required or the index.js
run manually.


Remediation

Any computer that has this package installed or running should be
considered fully compromised. All secrets and keys stored on that
computer should be rotated immediately from a different computer.

The package should be removed, but as full control of the computer may
have been given to an outside entity, there is no guarantee that
removing the package will remove all malicious software resulting from
installing it.


Versions

Affected
2.0.0                      6 days ago

Unaffected
0.0.1-security             5 days ago
_____________________________________________________________________

Advisory Published: Feb 3rd, 2021
Reported by dabbler0: Feb 3rd, 2021


Malicious Package
http-proxy-middelware


Overview

All versions of http-proxy-middelware contain malicious code. The
index.js file attempts to download a file from a remote server and
execute it. The file is not run upon installation - the package needs to
be required or the index.js run manually.

The package contains a typo in its code which led to it not functioning
properly. Additionally, the remote file it attempted to download is
no longer retrievable, but it might have been in the past, and
its contents are unknown.


Remediation

Any computer that has this package installed or running should be
considered fully compromised. All secrets and keys stored on that
computer should be rotated immediately from a different computer.

The package should be removed, but as full control of the computer may
have been given to an outside entity, there is no guarantee that
removing the package will remove all malicious software resulting from
installing it.


Versions

Affected
2.9.0                      6 days ago

Unaffected
0.0.1-security             5 days ago
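
Added example (not part of the npm advisories or of this bulletin): a
JavaScript check that searches a parsed package-lock.json for the two
package names above, covering both the flat lockfileVersion 2/3 layout and
the nested lockfileVersion 1 layout. The sample lockfiles and the names
demo-app and left-helper are constructed.

```javascript
// Added example; package names and versions come from the advisories above,
// the sample lockfiles (and the name left-helper) are constructed.
const FLAGGED = new Set(["jquerry", "http-proxy-middelware"]);
const PLACEHOLDER = "0.0.1-security"; // listed as "Unaffected" in both advisories

// Returns one record per flagged entry found in a parsed package-lock.json.
function findFlagged(lock) {
  const hits = [];
  const hit = (name, version, path) => hits.push({
    name, version, path, status: version === PLACEHOLDER ? "unaffected" : "affected" });
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      // meta.name is present when the folder name differs from the package name.
      const name = meta.name || path.split("node_modules/").pop();
      if (FLAGGED.has(name)) hit(name, meta.version, path);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (FLAGGED.has(name)) hit(name, meta.version, here.join(" > "));
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: v3 lockfile with a transitive copy of jquerry 2.0.0.
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-helper": { version: "1.2.0" },
    "node_modules/left-helper/node_modules/jquerry": { version: "2.0.0" },
  },
};
// Constructed sample: v1 lockfile that resolved to the security placeholder.
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: { express: { version: "4.17.1", dependencies: {
    "http-proxy-middelware": { version: "0.0.1-security" } } } },
};

console.log(findFlagged(sampleV3), findFlagged(sampleV1));
```

To check a real project, pass the result of JSON.parse on its
package-lock.json to findFlagged. Any hit with status "affected" means the
Remediation steps above apply to every machine where that tree was installed.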

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================




