Home > Vulnerability Database > WS-2022-0114

Mend.io Vulnerability Database

WS-2022-0114

Date: April 18, 2022

The package 'epic-ue-loading' in NPM is malicious. The package was uploaded first time in April 18th 2022. All versions are malicious. The malicious package is exfiltrating user information like env variables and sends it out via a pipe-dream webhook. The package seems to target consumers of packages by the user 'spicywombat': https://www.npmjs.com/~spicywombat

Language: JS

Severity Score

10.0

Related Resources (2)

Url: https://my.diffend.io/npm/epic-ue-loading/0.1.0/1.803.0#d2h-681230-452

Url: https://www.mend.io/vulnerability-database/WS-2022-0114

Severity Score

10.0

Weakness Type (CWE)

Embedded Malicious Code

CWE-506

CVSS v3.1

Base Score:	10.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2022-0114

Date: April 18, 2022

Language: JS

Severity Score

Related Resources (2)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?