GHSA-8qx4-r7fx-xc4v: 
JavaScript vulnerability analysis and mitigation

The vulnerability (GHSA-8qx4-r7fx-xc4v) involves a malicious package named 'requst' that was identified as a typosquatting attack targeting a similarly named popular package. This critical severity issue was discovered and reviewed on August 31, 2020, published to the GitHub Advisory Database on September 11, 2020, and last updated on January 9, 2023. The vulnerability affects all versions of the requst package (GitHub Advisory).

The vulnerability has been assigned a Critical severity rating with a CVSS score of 9.8. The CVSS base metrics indicate Network attack vector, Low attack complexity, No privileges required, No user interaction needed, Unchanged scope, and High impact on Confidentiality, Integrity, and Availability. The vulnerability is categorized under CWE-506 (GitHub Advisory).

When installed, the malicious package collects and transmits sensitive information to a remote server, including the name of the downloaded package, the intended package name, Node version information, and sudo execution status. While no further compromise has been reported, the unauthorized data collection poses significant privacy and security risks (GitHub Advisory).

Users are advised to immediately remove the package from their dependencies. The primary mitigation strategy is to carefully verify package names during installation to avoid typosquatting attacks. No patches are available as this is a malicious package, and the solution is complete removal (GitHub Advisory).