@consideRatio mentioned a recent supply chain attack to NPM. I'm creating this issue to have a single point of information.
What did happen?
Some authors of NPM packages received a phishing email from support@npmjs.help (instead of npmjs.com) requesting the two-factor authentication to be updated.
The attacker used the phishing two-factor authentication request to gain access to some user accounts and published compromised packages.
What packages were compromised?
The list circulated by Aikido Security BV is
| Package | Version |
|---|---|
| backslash | 0.2.1 |
| chalk-template | 1.1.1 |
| supports-hyperlinks | 4.1.1 |
| has-ansi | 6.0.1 |
| simple-swizzle | 0.2.3 |
| color-string | 2.1.1 |
| error-ex | 1.3.3 |
| color-name | 2.0.1 |
| is-arrayish | 0.3.3 |
| slice-ansi | 7.1.1 |
| color-convert | 3.1.1 |
| wrap-ansi | 9.0.1 |
| ansi-regex | 6.2.1 |
| supports-color | 10.2.1 |
| strip-ansi | 7.1.1 |
| chalk | 5.6.1 |
| debug | 4.4.2 |
| ansi-styles | 6.2.2 |
Is BinderHub compromised?
This requires a bit of investigation as we only store `package.json`. Maybe we should also use `package-lock.json`. This would require minor changes in the GitHub Actions.
@yuvipanda what is your position regarding adding `package-lock.json`?
Sources
consideRatio
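As an added example (not code from this issue or from BinderHub), a Python check that walks a `package-lock.json`, whether a legacy v1 `dependencies` tree or a v2/v3 `packages` map with nested copies, and reports exact name+version matches against the list above; the sample lockfile is constructed for illustration.

```python
import json

# Compromised package@version pairs exactly as listed in the issue (Aikido list).
COMPROMISED = {
    "backslash": "0.2.1", "chalk-template": "1.1.1", "supports-hyperlinks": "4.1.1",
    "has-ansi": "6.0.1", "simple-swizzle": "0.2.3", "color-string": "2.1.1",
    "error-ex": "1.3.3", "color-name": "2.0.1", "is-arrayish": "0.3.3",
    "slice-ansi": "7.1.1", "color-convert": "3.1.1", "wrap-ansi": "9.0.1",
    "ansi-regex": "6.2.1", "supports-color": "10.2.1", "strip-ansi": "7.1.1",
    "chalk": "5.6.1", "debug": "4.4.2", "ansi-styles": "6.2.2",
}

def installed_versions(lock):
    """Return (name, version) for every resolved package in a package-lock.json.
    lockfileVersion 2/3: "packages" keyed by node_modules path (nested and scoped
    names included). lockfileVersion 1: recursive "dependencies" tree."""
    found = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path and "version" in meta:        # "" is the root project itself
                found.append((path.rsplit("node_modules/", 1)[-1], meta["version"]))
        return found
    def walk(deps):
        for name, meta in deps.items():
            if "version" in meta:
                found.append((name, meta["version"]))
            walk(meta.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return found

def find_compromised(lock):
    """Exact name+version hits only; a pinned older version is not flagged."""
    return sorted({(n, v) for n, v in installed_versions(lock) if COMPROMISED.get(n) == v})

# Constructed sample lockfile: chalk 5.3.0 is clean, the nested debug 4.4.2 is not.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-project"},
        "node_modules/chalk": {"version": "5.3.0"},
        "node_modules/some-tool": {"version": "1.0.0"},
        "node_modules/some-tool/node_modules/debug": {"version": "4.4.2"},
    },
}

if __name__ == "__main__":
    import sys
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version in find_compromised(lock):
        print(f"COMPROMISED: {name}@{version}")
```

Run it with a path to a real lockfile as the first argument; without one it checks the constructed sample.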