CVE-2017-16088
Malicious Package vulnerability in safe-eval (npm)
What is CVE-2017-16088 About?
The ngx-bootstrap package contains malicious code, identified by a minified postinstall script, which attempts to steal various access tokens. Any system with this package installed should be considered fully compromised. Exploitation is automatic upon package installation.
Affected Software
Technical Details
This vulnerability involves a supply chain attack orchestrated through the ngx-bootstrap package. The package was intentionally compromised and includes a highly suspicious, minified postinstall script, which npm executes automatically after the package installation completes. Its primary function is to search for and exfiltrate sensitive access tokens and credentials from the compromised system, including tokens for npm, GitHub, AWS, GCP, and potentially others. The malicious payload then attempts to publish the stolen credentials to external repositories (e.g., GitHub) and also propagates itself to other npm packages owned by the compromised user, effectively spreading the 'Shai-Hulud' npm worm. The attack vector is the unsuspecting installation of the compromised package, leading to immediate system infection and credential theft.
What is the Impact of CVE-2017-16088?
Successful exploitation leads to full system compromise, theft of all secrets and credentials, and potential further propagation of malicious software, resulting in severe data breach and loss of control.
What is the Exploitability of CVE-2017-16088?
Exploitation of this vulnerability is extremely simple and occurs automatically upon installation of the malicious package. The complexity level is minimal, as merely running npm install or equivalent for the compromised package initiates the attack. There are no authentication prerequisites; the act of installing the package is the trigger. Privilege requirements are those of the user running the installation command, which often includes write access to various system locations and network connectivity. This is inherently a local vulnerability from the perspective of installation, but its payload performs remote exfiltration and propagation. There are no special conditions other than installing the compromised version of the package. The risk factors for exploitation are very high, as developers or automated CI/CD systems unknowingly installing this package will be immediately compromised.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Flyy-yu | Link | Exploit CVE-2017-16088 |
What are the Available Fixes for CVE-2017-16088?
Available Upgrade Options
- No fixes available
Additional Resources
- https://github.com/patriksimek/vm2/issues/59
- https://nodesecurity.io/advisories/337
- https://nvd.nist.gov/vuln/detail/CVE-2017-16088
- https://github.com/hacksparrow/safe-eval/pull/13
- https://www.npmjs.com/advisories/337
- https://github.com/advisories/GHSA-ww6v-677g-p656
- https://github.com/hacksparrow/safe-eval/issues/5
- https://osv.dev/vulnerability/GHSA-ww6v-677g-p656
What are Similar Vulnerabilities to CVE-2017-16088?
Similar Vulnerabilities: CVE-2023-38408 , CVE-2022-36056 , CVE-2021-23368 , CVE-2020-15160 , CVE-2019-12378
