{
  "schema_version": "1.4.0",
  "id": "GHSA-fv9m-f7w4-889c",
  "modified": "2023-09-09T00:00:04Z",
  "published": "2018-08-06T21:43:03Z",
  "aliases": [
    "CVE-2017-16207"
  ],
  "summary": "discordi.js is malware",
  "details": "The `discordi.js` package is malware that attempts to discover and exfiltrate a user's [Discord](https://discordapp.com/) credentials, sending them to pastebin.\n\nAll versions have been unpublished from the npm registry.\n\n\n## Recommendation\n\nDo not install / use this module. It has been unpublished from the npm registry but may exist in some caches. Any users that logged into Discord using this library will need to change their credentials.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "discordi.js"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.0.3"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16207"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-fv9m-f7w4-889c"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/545"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:35:18Z",
    "nvd_published_at": null
  }
}