1369 points universesquid | 2 comments
martypitt No.45170121
A super quick script to check the deps in your package-lock.json file is here[0].

[0]: https://gist.github.com/martypitt/0d50c350aa7f0fc73354754343...

replies(2): >>45170178 #>>45170233 #
krona No.45170178
how about:

grep -r "_0x112fa8"

replies(1): >>45170506 #
9dev No.45170506
Irritatingly, this doesn't turn up anything, despite having a theoretically compromised project as per the package-lock.json… At least on my end.
replies(2): >>45170718 #>>45172597 #
1. mewpmewp2 No.45170718
What do you mean irritatingly? Do you mean that you think 'grep -r "_0x112fa8"' is not enough or are you irritated that npm audit is flagging as if it was compromised?
replies(1): >>45171802 #
2. 9dev No.45171802
I'm irritated because I expected to find at least one compromised file, but there were none. It may be, though, that we only use the affected packages as transitive development dependencies, in which case they are not installed locally. But a sliver of doubt remains that I missed something.
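The thread raises two separate checks: whether the lockfile pins an affected version (martypitt's gist), and whether the obfuscated code is actually present on disk (krona's grep), with 9dev's point that a transitive dev-only dependency can appear in package-lock.json without ever being installed. The script below is an added example, not martypitt's gist or any commenter's code. It parses both the lockfileVersion 1 ("dependencies" tree) and lockfileVersion 2/3 ("packages" keyed by node_modules path) formats, flags entries on a compromised list, reports the lockfile's own `dev` flag so you can see why a hit may have no file on disk, and separately searches installed .js files for the `_0x112fa8` marker quoted in the thread. The COMPROMISED table and the SAMPLE_LOCK are constructed placeholders; fill the table from the advisory you are responding to.

```python
"""Check package-lock.json against a list of compromised versions and,
separately, search node_modules for the obfuscated-payload marker.

Added example, not code from the thread. COMPROMISED and SAMPLE_LOCK are
constructed placeholders; the _0x112fa8 marker is the string quoted in
the discussion.
"""
import json
import os
import sys
from typing import Dict, Iterator, List, Set, Tuple

# PLACEHOLDER: package name -> affected versions. Constructed values;
# replace with the real advisory list before use.
COMPROMISED: Dict[str, Set[str]] = {
    "example-pkg": {"1.2.3"},
    "another-pkg": {"4.5.6", "4.5.7"},
}

PAYLOAD_MARKER = "_0x112fa8"  # identifier from the obfuscated payload, per the thread


def iter_lock_entries(lock: dict) -> Iterator[Tuple[str, str, bool]]:
    """Yield (name, version, is_dev) for every dependency in a lockfile.

    lockfileVersion 2/3 store a flat "packages" map keyed by the path
    under node_modules; lockfileVersion 1 stores a nested "dependencies"
    tree. Both mark development-only entries with "dev": true.
    """
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if not path:  # "" is the root project, not a dependency
                continue
            # Text after the last "node_modules/" is the package name;
            # scoped names (@scope/pkg) keep their slash.
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", ""), bool(meta.get("dev"))
        return

    def walk(deps: dict) -> Iterator[Tuple[str, str, bool]]:
        for name, meta in deps.items():
            yield name, meta.get("version", ""), bool(meta.get("dev"))
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_compromised(lock: dict, bad: Dict[str, Set[str]] = COMPROMISED
                     ) -> List[Tuple[str, str, bool]]:
    """Return (name, version, is_dev) for each lock entry on the bad list."""
    return [
        (name, version, is_dev)
        for name, version, is_dev in iter_lock_entries(lock)
        if version in bad.get(name, set())
    ]


def scan_node_modules(root: str, marker: str = PAYLOAD_MARKER) -> List[str]:
    """Return paths of .js files under root that contain the marker.

    A hit here means the payload is installed; a lockfile hit with
    dev=True and no file hit is the case 9dev describes.
    """
    hits: List[str] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".js"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    if marker.encode() in fh.read():
                        hits.append(path)
            except OSError:
                pass  # unreadable file; skip rather than abort the scan
    return hits


# Constructed lockfileVersion 3 sample: two dev-only hits, one production hit.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "0.0.0"},
        "node_modules/example-pkg": {"version": "1.2.3", "dev": True},
        "node_modules/another-pkg": {"version": "4.5.6"},
        "node_modules/safe-pkg": {"version": "9.9.9"},
        "node_modules/safe-pkg/node_modules/another-pkg": {"version": "4.5.7", "dev": True},
    },
}

if __name__ == "__main__":
    # Usage: python check_lock.py [path/to/package-lock.json] [node_modules dir]
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version, is_dev in find_compromised(lock):
        where = "dev-only, may not be installed" if is_dev else "production"
        print(f"COMPROMISED {name}@{version} [{where}]")
    if len(sys.argv) > 2:
        for path in scan_node_modules(sys.argv[2]):
            print(f"PAYLOAD MARKER FOUND {path}")
```

Run it on a real lockfile with the advisory's package list in COMPROMISED; a lockfile hit marked dev-only with no marker hit in node_modules is consistent with the dependency being resolved but never installed, which is the situation 9dev suspects.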