GMS-2020-536: Entropy Backdoor in text-qrcode

September 1, 2020 (updated October 1, 2021)

All versions of text-qrcode contain malicious code that overwrites the randomBytes method of Node's crypto module with a function that produces weak entropy. Instead of returning the requested number of random bytes, the replacement draws only 3 bytes (24 bits) of entropy, hashes them, and returns the digest as the "random" output, so every value it produces is one of at most 2^24 possibilities and can be recovered by brute force. Uninstall text-qrcode immediately. If the module was present in a process that generated security-critical entropy, every such value must be replaced: regenerate bitcoin wallets, private keys, tokens and session secrets, and treat messages encrypted with keys derived from that entropy as compromised.

References

  • github.com/advisories/GHSA-h5vj-f7r9-w564
  • www.npmjs.com/advisories/738

Affected versions

All versions

Solution

No fixed version exists; all versions are malicious. Remove the package and regenerate any keys, secrets or other entropy produced while it was installed.

Source file

npm/text-qrcode/GMS-2020-536.yml
