Prebid.js Cryptocurrency Theft Vulnerability in NPM Package Version 10.9.2

Vulnerability

A vulnerability in the Prebid.js NPM package version 10.9.2 allows for the redirection of cryptocurrency transactions to an attacker's wallet. This issue was introduced when a threat actor gained control of a developer's npm account and published a malicious version of the package. The compromised code targets users' crypto transactions, diverting them to the attacker's wallet. This vulnerability was part of a broader malware campaign that affected several popular npm packages, following a similar pattern of account takeover and malicious code injection.

Impact

The vulnerability allows for the theft of cryptocurrency by redirecting transactions from the user's wallet to that of the attacker. Additionally, it could potentially be used to steal other sensitive information, such as API keys and tokens, according to Sonatype.

Remediation

Users can upgrade to Prebid.js version 10.10.0, which addresses the vulnerability. Alternatively, it is possible to downgrade to version 10.9.1.

Added: Sep 9, 2025, 11:20 PM
Updated: Sep 9, 2025, 11:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.6
remediation: 7.7
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.