←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 1 comments | 08 Sep 25 15:37 UTC | HN request time: 0s | source
Show context
bstsb ◴[08 Sep 25 16:10 UTC] No.45170046[source]
looks like it won't affect you if you just downloaded the packages locally.

the actual code only runs in a browser context - it replaces all crypto addresses in many places with the attacker's.

a list of the attacker's wallet addresses: https://gist.github.com/sindresorhus/2b7466b1ec36376b8742dc7...

replies(3): >>45170503 #>>45170581 #>>45182734 #
1. keepamovin ◴[08 Sep 25 16:49 UTC] No.45170581[source]
that will still affect users of your website that uses these packages, tho.