Prebid Universal Creative Crypto-Malware Injection Vulnerability
Vulnerability
A vulnerability has been identified in Prebid Universal Creative (PUC) version 1.17.3 and in the build published as the latest release: both carry injected crypto-related malware. Users who loaded PUC through the popular jsdelivr CDN were also affected, because the CDN serves the npm release. The malware was introduced after a developer's npm account was compromised, allowing the attacker to publish a malicious version of the PUC package. The injected payload was designed to steal cryptocurrency and potentially other sensitive information.
Impact
The vulnerability led to the injection of malware in the affected PUC version, with the malicious payload focused on stealing cryptocurrency and possibly other secrets.
Remediation
Users of PUC 1.17.3, or of whichever build was published as the latest version, should move to version 1.17.2 as soon as possible. The compromised version has been unpublished from npm. For guidance on moving away from the deprecated PUC workflow, consult the Prebid.js 9 release notes.
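A defender-side check for the remediation step above, added here as an example and not part of the advisory or of the Prebid project: it scans HTML for jsdelivr script tags and a package-lock.json for the PUC package, flagging the 1.17.3 build and unpinned references that float to whatever "latest" points at. It assumes the npm package name prebid-universal-creative and jsdelivr's /npm/<package>@<version>/ URL form; the sample inputs are constructed.

```javascript
// Added example, not the advisory's or the Prebid project's own code.
// Assumptions: npm package name "prebid-universal-creative" and the jsdelivr
// URL shape https://cdn.jsdelivr.net/npm/<pkg>@<version>/<file>.
const PKG = 'prebid-universal-creative';
const COMPROMISED = new Set(['1.17.3']);   // build named in the advisory
const SAFE = '1.17.2';                     // version the advisory says to move to

// Classify one resolved version or dist-tag for the PUC package.
function classify(versionOrTag) {
  if (!versionOrTag || versionOrTag === 'latest') return 'unpinned'; // floats with "latest"
  if (COMPROMISED.has(versionOrTag)) return 'compromised';
  if (versionOrTag === SAFE) return 'ok';
  return 'review'; // some other pinned version: check it against the advisory
}

// Find jsdelivr /npm/ URLs in HTML and classify every PUC reference.
function auditHtml(html) {
  const re = /https?:\/\/cdn\.jsdelivr\.net\/npm\/([^@\/"']+)(?:@([^\/"']+))?\/[^"']*/g;
  const findings = [];
  for (const m of html.matchAll(re)) {
    if (m[1] !== PKG) continue;
    const version = m[2] || '';
    findings.push({ url: m[0], version, status: classify(version) });
  }
  return findings;
}

// Classify the PUC entry of a package-lock.json (lockfileVersion 2/3 "packages" map).
function auditLockfile(lock) {
  const entry = (lock.packages || {})[`node_modules/${PKG}`];
  if (!entry) return { present: false };
  return { present: true, version: entry.version, status: classify(entry.version) };
}

// Constructed sample inputs: one pinned to the compromised build, one unpinned,
// one unrelated package, plus a lockfile already on the safe version.
const SAMPLE_HTML =
  '<script src="https://cdn.jsdelivr.net/npm/prebid-universal-creative@1.17.3/dist/creative.js"></script>' +
  '<script src="https://cdn.jsdelivr.net/npm/prebid-universal-creative/dist/creative.js"></script>' +
  '<script src="https://cdn.jsdelivr.net/npm/other-lib@2.0.0/x.js"></script>';
const SAMPLE_LOCK = { packages: { 'node_modules/prebid-universal-creative': { version: '1.17.2' } } };

for (const f of auditHtml(SAMPLE_HTML)) console.log(`${f.status.padEnd(11)} ${f.url}`);
console.log('lockfile:', auditLockfile(SAMPLE_LOCK));
```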