CWE-506
Embedded Malicious Code
Class · Incomplete
Description
The product contains code that appears to be malicious in nature.
Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, time bomb, and logic bomb. A developer might insert malicious code with the intent to subvert the security of a product or its host system at some time in the future. Embedded malicious code generally refers to a program that performs a useful service but exploits the rights of the program's user in a way the user does not intend.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-442 · CAPEC-448 · CAPEC-636
CVEs mapped to this weakness (82)
Page 5 of 5

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-23812 | | — | 0.00 | — | 0.04 | | Mar 16, 2022 | This affects the package node-ipc from 10.1.1 and before 10.1.3. This package contains malicious code, that targets users with IP located in Russia or Belarus, and overwrites their files with a heart emoji. **Note**: from versions 11.0.0 onwards, instead of having malicious code… |
| CVE-2019-19771 | | — | 0.00 | — | 0.01 | | Dec 12, 2019 | The lodahs package 0.0.1 for Node.js is a Trojan horse, and may have been installed by persons who mistyped the lodash package name. In particular, the Trojan horse finds and exfiltrates cryptocurrency wallets. |