GHSA-m36m-x4c5-rjxj: 
JavaScript vulnerability analysis and mitigation

The hooka-tools npm package was identified as compromised, with all versions (>=0.0.0) being affected by a malicious modification that introduced cryptocurrency mining functionality. The vulnerability was discovered and published to the GitHub Advisory Database on September 1, 2020, with the last update occurring on January 9, 2023. The package has been assigned the identifier GHSA-m36m-x4c5-rjxj and was rated as having low severity (GitHub Advisory).

The vulnerability involves unauthorized modifications to the hooka-tools package that implemented a cryptocurrency mining functionality that operates silently in the background. The severity of this security issue has been assessed as Low, though no specific CVSS score was assigned. No Common Weakness Enumeration (CWE) categories were associated with this vulnerability, and no CVE ID was assigned (GitHub Advisory).

When installed, the compromised versions of hooka-tools would surreptitiously execute a cryptocurrency mining operation in the background, potentially consuming system resources and increasing power usage without the user's knowledge or consent (GitHub Advisory).

As a mitigation measure, all versions of hooka-tools have been unpublished from the npm registry. Users are strongly advised not to install this module and to remove it if found in their systems, as some versions may still exist in mirrors or caches (GitHub Advisory).