🚨🗞️ BREAKING NEWS
The maintainer of 18 widely used npm packages (over 2 BILLION downloads per week in total) including debug, chalk and color - got hacked and his credentials were used to publish malicious versions of these packages.
You might not use these dependencies directly BUT your dependencies might use these, so you should check if you have any of the listed versions installed (see below for scripts).
For a detailed timeline of what happened and an analysis of the malware see this post by Aikido.
TLDR: maintainer got phished, attackers published crypto stealing malware with his credentials, npm removed the packages after 1 hour, compromised packages still got downloaded millions of times within that hour, the included malware was just crypto stealing that only worked in the browser 🤦♂️ (no machine persistence, RCE or other credentials stolen).
To check if you've been impacted:
- Check your local node_modules to see if it contains the malware:
grep -R 'checkethereumw'
- Check your npm cache with this script by phxgg
- Check your project with this script by AndrewMohawk
Thanks to this post by Security Alliance for the remediation links.
Stay safe out there - don't click links in emails, pin your package versions, eat your veggies.
- CJ
