GMS-2020-735: Silently Runs Cryptocoin Miner in hooka-tools

September 1, 2020

Affected versions of hooka-tools were compromised and modified to silently run a cryptocoin miner in the background.

All affected versions have been unpublished from the npm registry.

Recommendation

While this module has been unpublished, some versions may exist in mirrors or caches. Do not install this module, and remove it if found.

References

github.com/advisories/GHSA-m36m-x4c5-rjxj
www.npmjs.com/advisories/549

Code Behaviors & Features

Detect and mitigate GMS-2020-735 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →