Severity: Critical
CVSS Score: 9.8
All versions of `smartsearchwp` contain malicious code. The package is malware intended to steal credentials from websites it is loaded in. It traverses DOM elements looking for fields such as `username` and `password` and uploads them to a remote server. The package also port-scans the local gateway and uploads the information to the remote server. It has a feature to fetch commands from the remote server and execute them with `eval`. The npm security team's analysis found several bugs in the malware that prevent it from actually performing its actions. The malicious code is also not invoked upon installation or require; it would require transpiling TypeScript code and using it in a website.

## Recommendation

Remove the package from your environment. There is no indication of further compromise.
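
One way to confirm whether a project's lockfile pulls in `smartsearchwp`, directly or transitively, before and after removal. This is an added example, not part of the original advisory or of npm's tooling; the sample lockfiles, the `example-widget` dependency and the version strings are constructed.

```javascript
// Added example: list every place a parsed package-lock.json installs a named package.
// Handles lockfileVersion 2/3 (flat "packages" map) and lockfileVersion 1
// (nested "dependencies" tree).
const MALICIOUS_PACKAGE = "smartsearchwp"; // name from the advisory; all versions affected

function findPackage(lock, name = MALICIOUS_PACKAGE) {
  const hits = [];
  if (lock.packages) {
    // Keys are install paths such as "node_modules/a/node_modules/b";
    // the text after the last "node_modules/" is the package name (scoped names included).
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf("node_modules/");
      if (idx === -1) continue; // "" is the root project, other keys are workspaces
      const pkgName = path.slice(idx + "node_modules/".length);
      if (pkgName === name) hits.push({ path, version: meta.version || null });
    }
    return hits;
  }
  // lockfileVersion 1: walk the recursive "dependencies" tree, keeping the trail
  // so a transitive hit shows which dependency brought it in.
  const walk = (deps, trail) => {
    for (const [depName, meta] of Object.entries(deps || {})) {
      const here = [...trail, depName];
      if (depName === name) hits.push({ path: here.join(" > "), version: meta.version || null });
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-site", version: "1.0.0" },
    "node_modules/example-widget": { version: "2.1.0" },
    "node_modules/example-widget/node_modules/smartsearchwp": { version: "0.0.0-example" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "example-widget": { version: "2.1.0", dependencies: { smartsearchwp: { version: "0.0.0-example" } } },
  },
};

console.log(findPackage(sampleV3), findPackage(sampleV1));
```

For a real project, pass the result of `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findPackage`; an empty array means the lockfile no longer references the package.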