←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 1 comments | 08 Sep 25 15:37 UTC | HN request time: 0.238s | source
Show context
bstsb ◴[08 Sep 25 16:10 UTC] No.45170046[source]
looks like it won't affect you if you just downloaded the packages locally.

the actual code only runs in a browser context - it replaces all crypto addresses in many places with the attacker's.

a list of the attacker's wallet addresses: https://gist.github.com/sindresorhus/2b7466b1ec36376b8742dc7...

replies(3): >>45170503 #>>45170581 #>>45182734 #
1. pingou ◴[08 Sep 25 16:42 UTC] No.45170503[source]
I wonder why they didn't add something more nefarious that can run on developers machines while they were at it, would it have been too easy to see? It was caught very quickly anyway.