
1369 points universesquid | 1 comments
wch No.45170400
When I run `npm audit`, it points me to a security advisory at GitHub. For example, for debug, it is https://github.com/advisories/GHSA-8mgj-vmr8-frr6 .

That page says that the affected versions are ">=0". Does that seem right? That page also says:

> Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Is this information accurate?

herpdyderp No.45171226
I also see:

- https://github.com/advisories/GHSA-hfm8-9jrf-7g9w
- https://github.com/advisories/GHSA-5g7q-qh7p-jjvm
- https://github.com/advisories/GHSA-8mgj-vmr8-frr6
- https://github.com/advisories/GHSA-m99c-cfww-cxqx

I wonder if they're all from the same thing; they all popped up at the same time.

edit: they do appear to all be the same thing, and the advisory version wildcard is wrong: https://github.com/github/advisory-database/issues/6099

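A triage helper for the wildcard-range problem raised in both comments above, as an added example that is not part of the thread: it reads an `npm audit --json` report, checks the installed version against each advisory's range, and flags ranges such as `>=0` that match every version ever published, so they can be verified by hand (as the linked advisory-database issue did) before any remediation. The report shape follows the npm v7+ audit format (an assumption); the sample report, `example-lib`, and the installed versions are constructed.

```javascript
// Added example, not code from the thread: triage `npm audit --json` output and
// flag advisories whose vulnerable range is a wildcard (">=0", "*"). Such a
// range matches every version ever published, which usually signals an
// advisory-data error rather than a real finding, so verify it by hand first.
// Assumptions: object shape follows the npm v7+ audit report; the sample
// report, "example-lib" and the installed versions below are constructed.

const SAMPLE_AUDIT = {
  vulnerabilities: {
    debug: { name: "debug", severity: "critical", range: ">=0", nodes: ["node_modules/debug"],
      via: [{ name: "debug", range: ">=0", url: "https://github.com/advisories/GHSA-8mgj-vmr8-frr6" }] },
    "example-lib": { name: "example-lib", severity: "high", range: "<2.5.1", nodes: ["node_modules/example-lib"],
      via: [{ name: "example-lib", range: "<2.5.1", url: "https://example.invalid/advisory" }] },
  },
};

// Numeric comparison of dotted versions; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number), pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Minimal range check: "||"-separated sets of space-separated comparators
// (">=x", ">x", "<=x", "<x", "=x"/"x", "*"). Caret/tilde ranges are not handled.
function satisfies(version, range) {
  return range.split("||").some(set =>
    set.trim().split(/\s+/).filter(Boolean).every(cmp => {
      if (cmp === "*") return true;
      const [, op = "=", target] = /^(>=|<=|>|<|=)?(.+)$/.exec(cmp);
      const c = compareVersions(version, target);
      return { ">=": c >= 0, ">": c > 0, "<=": c <= 0, "<": c < 0, "=": c === 0 }[op];
    }));
}

// A wildcard range is "*" or a lone ">=0" / ">=0.0" / ">=0.0.0" comparator.
function isWildcardRange(range) {
  return /^(\*|>=\s*0(\.0){0,2})$/.test(range.trim());
}

// One finding per package; real reports may list strings (transitive paths) in `via`.
function triage(report, installed) {
  return Object.values(report.vulnerabilities).map(v => ({
    name: v.name, range: v.range, installed: installed[v.name],
    advisories: v.via.filter(x => typeof x === "object").map(x => x.url),
    affected: satisfies(installed[v.name], v.range),
    wildcard: isWildcardRange(v.range),
  }));
}
```

A finding with `wildcard: true` is the one to confirm against the advisory page before rotating anything; a finding with `affected: false` means the installed version sits outside the advisory's stated range.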
1. No.45171356