Information disclosure of authentication credentials via malicious.npmrc file
Summary
Information disclosure of authentication credentials via malicious .npmrc file. Red Hat rates this moderate (CVSS 6.5). Weakness: CWE-201.
- < 10.34.0
- < 11.4.0
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
- 10.34.0
- 11.4.0
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
Mitigation checklist
- To mitigate this issue, ensure that all npm authentication tokens are explicitly URL-scoped rather than relying on unscoped, user-level configurations. Additionally, avoid executing pnpm commands in untrusted repositories, as a malicious `.npmrc` file can redirect authentication credentials to an attacker.
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.