VYPR
High severity · NVD Advisory · Published Jun 7, 2018 · Updated Sep 16, 2024

CVE-2017-16205

Description

The coffescript module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The coffescript npm package is malware that exfiltrates SSH keys and bash history to a third-party server during installation.

Vulnerability

The coffescript package, a piece of malware published on the npm registry, exfiltrates sensitive data during installation. Specifically, it steals a user's private SSH key and bash history and sends them to attacker-controlled locations. All versions of this package have been unpublished from the npm registry [1][2].

Exploitation

An attacker does not need to exploit the package actively; simply installing the coffescript package (or having it as a dependency) triggers the malicious behavior during the installation process [2]. No authentication or special privileges are required beyond the ability to install an npm package.

Impact

On successful installation, the attacker gains the user's private SSH key and bash history. This can lead to full compromise of systems accessible via those SSH keys and disclosure of any sensitive credentials or tokens present in the bash history. The attacker can use the exfiltrated data to access databases, servers, or other services [2].

Mitigation

All versions of coffescript have been unpublished from the npm registry. Users who find coffescript installed should delete the package, clear their npm cache, verify it is not in any package.json files, and regenerate SSH keys, registry credentials, tokens, and any other sensitive credentials that may have been in the bash history. Services exposed via those credentials should be reviewed for indicators of compromise [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

References

4
