HubertManne@piefed.social
on 24 Jul 2025 14:56
holy crap:
On July 19, 2025, the package's primary maintainer, John Harband, announced that versions 3.3.1 through 5.0.0 contained malware and were removed roughly 6 hours after threat actors submitted them to npm.
So, is that just a ‘developer’ component, or have I got to analyse all my systems now for the NPM components in the article’s list?
freewheel@sh.itjust.works
on 28 Jul 16:00
Little late to the party here, and I’m not primarily a js dev, but… yes. It looks like it’s one of those syntactic sugar kind of packages that devs love to use. The bonus here is you can probably use a find-grep kind of process to check package-lock.json for references to the package. (there might be an npm command, but like I say - not a js dev.)