Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-3p8f-j2vw-7hw9

GitHub Security Advisory

mssql-node is malware

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

The `mssql-node` package is a piece of malware that steals environment variables and sends them to attacker controlled locations.

All versions have been unpublished from the npm registry.

## Recommendation

As this module is malware, if you find it installed in your environment, the real security concern is determining how it got there.

If you have found this installed in your environment, you should:
1. Delete the package
2. Clear your npm cache
3. Ensure it is not present in any other package.json files on your system
4. Regenerate your registry credentials, tokens, and any other sensitive credentials that may have been present in your environment variables.

Additionally, any service which may have been exposed via credentials in your environment variables, such as a database, should be reviewed for indicators of compromise as well.

Affected Packages

npm mssql-node
Affected versions: 0 (last affected: 1.0.2)

Related CVEs

CVE-2017-16059

Key Information

GHSA ID
GHSA-3p8f-j2vw-7hw9
Published
November 9, 2018 5:43 PM
Last Modified
September 7, 2023 10:49 PM
CVSS Score
7.5 /10
Primary Ecosystem
npm
Primary Package
mssql-node
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 4, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.