GMS-2020-124: Malicious Package
All versions of boogeyman are considered malicious. The package downloads a payload from pastebin.com, evaluates it to read SSH keys and the user's .npmrc, and sends them to a private pastebin account. The package was published to the npm Registry for a very short period of time. If you find it in your environment, revoke and rotate your SSH keys and your npm token.