CVE-2016-10620
Description
atom-node-module-installer installs node modules for atom-shell applications. atom-node-module-installer downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attacker is on the network or positioned in between the user and the remote server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
atom-node-module-installer downloads binary resources over unencrypted HTTP, enabling MITM attackers to replace them and achieve remote code execution.
Vulnerability
atom-node-module-installer is an npm package that installs Node.js modules for Atom-shell applications. The package downloads binary resources over plain HTTP [1], making the entire download process vulnerable to man-in-the-middle (MITM) attacks. No specific version range is provided; the package has not been updated since 2014 [2].
Exploitation
An attacker with a privileged network position (e.g., on the same local network, at a compromised ISP, or between the user and the remote server) can intercept the HTTP response during a download [1]. By replacing the legitimate binary with an attacker-controlled one, the attacker can inject arbitrary code [2]. No authentication or user interaction beyond triggering a normal module installation is required.
Impact
Successful exploitation yields remote code execution (RCE) on the system running atom-node-module-installer [1]. The attacker's payload runs with the privileges of the user or process that initiated the module installation, leading to full compromise of the application and potentially the underlying host.
Mitigation
No patch is currently available, and the package has not been updated since 2014 [2]. The strongest mitigation is to avoid using this package entirely and switch to an alternative that fetches binaries over HTTPS [2]. If the package must be used, restrict installations to private, trusted networks where MITM risk is minimized [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
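The mitigation above depends on every hop of a binary download using HTTPS, not only the first URL. The following is an added example, not code from atom-node-module-installer or this advisory: a policy check over a download URL and its redirect targets. The function names, the host allow-list and the sample URLs are assumptions constructed for illustration, and the code performs no network I/O.

```javascript
// Added example: policy check for binary download URLs (not the package's code).
// ALLOWED_HOSTS and the sample URLs below are constructed for illustration.
const ALLOWED_HOSTS = new Set(['downloads.example.org', 'cdn.example.org']);

// Validate one hop. `base` is the previous hop, so relative Location
// headers are resolved the same way an HTTP client would resolve them.
function checkHop(rawUrl, base) {
  let url;
  try {
    url = new URL(rawUrl, base);
  } catch (err) {
    return { ok: false, reason: 'unparseable URL', url: String(rawUrl) };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'not HTTPS', url: url.href };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'embedded credentials', url: url.href };
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { ok: false, reason: 'host not allowed', url: url.href };
  }
  return { ok: true, url: url.href };
}

// Validate the initial URL and every redirect target in order, so an
// HTTPS URL that redirects to plain HTTP is rejected at the failing hop.
function checkDownloadChain(initialUrl, redirectLocations = []) {
  let current = checkHop(initialUrl);
  if (!current.ok) return { ...current, hop: 0 };
  for (let i = 0; i < redirectLocations.length; i++) {
    const next = checkHop(redirectLocations[i], current.url);
    if (!next.ok) return { ...next, hop: i + 1 };
    current = next;
  }
  return { ok: true, finalUrl: current.url, hops: redirectLocations.length };
}

// Constructed sample inputs: plain HTTP, an HTTPS-to-HTTP downgrade, a clean chain.
console.log(checkDownloadChain('http://downloads.example.org/shell-v1.zip'));
console.log(checkDownloadChain('https://downloads.example.org/shell-v1.zip',
  ['/mirror/shell-v1.zip', 'http://cdn.example.org/shell-v1.zip']));
console.log(checkDownloadChain('https://downloads.example.org/shell-v1.zip',
  ['https://cdn.example.org/shell-v1.zip']));
```

To use a check like this, the HTTP client has to be configured to hand redirects back to the caller instead of following them automatically.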
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| atom-node-module-installer (npm) | <= 0.9.0 | — |
Affected products
- HackerOne/atom-node-module-installer node module (v5). Range: All versions
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-87g3-x896-w798 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-10620 (ghsa, ADVISORY)
- nodesecurity.io/advisories/216 (mitre, x_refsource_MISC)
- www.npmjs.com/advisories/216 (ghsa, WEB)