GHSA-7cgc-fjv4-52x6: Malware in pre-build binaries of bignum
Impact
bignum releases from v0.12.2 to v0.13.0 (inclusive) used node-pre-gyp to optionally download pre-built binary versions of the addon. These binaries were published on a now-expired S3 bucket that has since been claimed by a malicious third party, which is now serving binaries containing malware that exfiltrates data from the user’s computer.
Patches
v0.13.1 does not use node-pre-gyp and does not have support for downloading pre-built binaries in any form, avoiding the risk of malicious downloads.
Affected versions
>= 0.12.2, < 0.13.1
References
- GHSA-7cgc-fjv4-52x6
- justmoon/node-bignum@57e48c3
- justmoon/node-bignum@72951c5
Published to the GitHub Advisory Database
May 24, 2023