←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 2 comments | 08 Sep 25 15:37 UTC | HN request time: 0.409s | source
Show context
joaomoreno ◴[08 Sep 25 16:49 UTC] No.45170585[source]
From sindresorhus:

You can run the following to check if you have the malware in your dependency tree:

`rg -u --max-columns=80 _0x112fa8`

Requires ripgrep:

`brew install rg`

https://github.com/chalk/chalk/issues/656#issuecomment-32668...

replies(8): >>45171142 #>>45171275 #>>45171304 #>>45171841 #>>45172110 #>>45172189 #>>45174730 #>>45175821 #
1. aerodynamic_ ◴[08 Sep 25 18:41 UTC] No.45172110[source]
convenience script that checks through package.json dependency tree + a couple malicious binary patterns:

https://gist.github.com/edgarpavlovsky/695b896445c19b6f66f14...

replies(1): >>45190818 #
2. NamlchakKhandro ◴[09 Sep 25 23:17 UTC] No.45190818[source]
doesn't work for monorepos