GHSA-95cg-3r4g-7w6j: 
JavaScript vulnerability analysis and mitigation

The vulnerability (GHSA-95cg-3r4g-7w6j) was identified in the npm package js-rha3, specifically in version 0.8.0. The issue was discovered and reviewed on August 31, 2020, and subsequently published to the GitHub Advisory Database on September 3, 2020. This malicious package specifically targeted Ethereum cryptocurrency users, with all versions (>= 0.0.0) being affected and no patched versions available (GitHub Advisory).

The vulnerability has been assigned a Critical severity rating with a CVSS score of 9.8. The CVSS base metrics indicate a Network attack vector with Low attack complexity, requiring No privileges and No user interaction. The scope is Unchanged, but the impact is High across all three categories: Confidentiality, Integrity, and Availability. The vulnerability is classified under CWE-506 (GitHub Advisory).

The malicious package was designed to perform unauthorized Ethereum cryptocurrency transactions, directing funds to wallets not controlled by the legitimate user. This poses a direct financial risk to any users who have integrated this package into their applications handling Ethereum transactions (GitHub Advisory).

The recommended mitigation strategy is to completely remove the package from any environment where it has been installed. Users are also advised to conduct a thorough review of their Ethereum wallets and transactions to ensure no funds have been compromised (GitHub Advisory).