(www.aikido.dev)

1369 points universesquid | 4 comments | 08 Sep 25 15:37 UTC | HN request time: 0s | source

https://github.com/advisories/GHSA-8mgj-vmr8-frr6

1. paulddraper ◴[08 Sep 25 16:04 UTC] No.45169982[source]▶

>>45169657 (OP) #

Maintainer phished.

Was caught quickly (hours? hard to be sure, the versions have been removed/overwritten).

Attacker owns npmjs.help domain.

replies(1): >>45170159 #

2. DDerTyp ◴[08 Sep 25 16:18 UTC] No.45170159[source]▶

>>45169982 (TP) #

Noticed that after ten mins, contacted author immediatly and he seems to be working on it / restoring his account / removing malware on published packages.

Kinda "proud" on it haha :D

replies(1): >>45170407 #

3. jbverschoor ◴[08 Sep 25 16:36 UTC] No.45170407[source]▶

>>45170159 #

Doesn’t npmjs do things like signing, pinning, and yanking packages, like rubygems?

replies(1): >>45172206 #

4. paulddraper ◴[08 Sep 25 18:48 UTC] No.45172206{3}[source]▶

>>45170407 #

Yes

↑

NPM debug and chalk packages compromised