
GHSA-rggq-f2wf-m6cp
JavaScript vulnerability analysis and mitigation

Overview

The vulnerability (GHSA-rggq-f2wf-m6cp) involves a malicious package named 'jajajejejiji' in the npm ecosystem. The package was identified as a typosquatting attack: it impersonates a popular package with a similar name so that developers who mistype the intended name install it instead. The issue was discovered and published to the GitHub Advisory Database on September 2, 2020, with the last update on January 9, 2023. All versions of the package are affected, and it has been assigned a Critical severity rating (GitHub Advisory).

Technical details

The vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical), with the following characteristics: Network attack vector, Low attack complexity, No privileges required, No user interaction needed, Unchanged scope, and High impact on Confidentiality, Integrity, and Availability. The weakness is categorized as CWE-506 (Embedded Malicious Code). The technical vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).

Impact

The malicious package collects and uploads sensitive information to a remote server, including the name of the downloaded package, the name of the intended package, the Node version, and whether the process was running with sudo privileges. While the package's primary function is information gathering, no further system compromise has been reported (GitHub Advisory).

Mitigation and workarounds

Users are advised to remove the package from their dependencies immediately. No patched version exists, because the package itself is malicious rather than a legitimate package with a fixable flaw. To prevent similar issues in the future, developers should verify package names carefully during installation, since typosquatting relies on a near-miss spelling being accepted without scrutiny (GitHub Advisory).

Additional resources

Source: GitHub Advisory (GHSA-rggq-f2wf-m6cp)

This report was generated using AI.
