
[BUG] Malware in the NPM package #603

@mhammerc

Description

Describe the bug.

Hello,

Multiple new versions of the package have been published on NPM. These new versions add a 10 MB bun_environment.js.

List of new versions:

  • 6.8.3
  • 6.9.1
  • 6.8.2
  • 6.10.1

I find nothing on this github repository linking to these new releases.

I also find nothing in the source code that links to bun_environment.js.

I think it starts a trufflehog process which scans for secrets...

I am not sure but my search came to this package.

Is the package compromised?

See the hasInstallScripts set to true? It can launch malware with that.

Expected behavior

No malware

Screenshots

How to Reproduce

  1. I first did this
  2. I then did this
  3. And so on . . .

🖥️ Device Information [optional]

  • Operating System (OS):
  • Browser:
  • Browser Version:

👀 Have you checked for similar open issues?

  • I checked and didn't find a similar issue

🏢 Have you read the Contributing Guidelines?

Are you willing to work on this issue?

None
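The two signals the report relies on, a registry version that has install scripts (hasInstallScripts) and published versions with no matching release in the repository, can be checked before anything is installed. The following is an added example, not code from the reporter or from the project; the manifest, tag list, registry version list and repository file list are all constructed placeholders, and the package name is a placeholder.

```javascript
// npm runs these hooks automatically during `npm install`; the registry marks a
// version as hasInstallScripts when its package.json defines any of them.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Constructed sample: the manifest of a suspect published version.
const suspectManifest = {
  name: "example-package", // placeholder, not the real package
  version: "6.8.3",
  scripts: { postinstall: "node bun_environment.js", test: "jest" },
  files: ["index.js", "bun_environment.js"],
};

// Constructed sample: tags that actually exist in the source repository.
const repoTags = ["v6.7.0", "v6.8.0", "v6.8.1", "v6.9.0", "v6.10.0"];

// Constructed sample: versions the registry lists for the package.
const registryVersions = ["6.8.1", "6.8.2", "6.8.3", "6.9.1", "6.10.1"];

// Install-time hooks the manifest defines, as [hook, command] pairs.
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => h in scripts).map((h) => [h, scripts[h]]);
}

// Registry versions with no vX.Y.Z tag in the repository.
function untaggedVersions(versions, tags) {
  const tagged = new Set(tags.map((t) => t.replace(/^v/, "")));
  return versions.filter((v) => !tagged.has(v));
}

// Files the manifest ships that the repository tree does not contain.
function unexpectedFiles(manifest, repoFiles) {
  const known = new Set(repoFiles);
  return (manifest.files || []).filter((f) => !known.has(f));
}

// Aggregate verdict for one published version.
function audit(manifest, versions, tags, repoFiles) {
  const hooks = installHooks(manifest);
  return {
    hasInstallScripts: hooks.length > 0,
    hooks,
    untagged: untaggedVersions(versions, tags),
    unexpected: unexpectedFiles(manifest, repoFiles),
  };
}

const repoFiles = ["index.js", "package.json"]; // constructed repository tree
console.log(JSON.stringify(audit(suspectManifest, registryVersions, repoTags, repoFiles), null, 2));
```

A non-empty `untagged` list or an `unexpected` file next to an install hook is the combination to treat as a supply-chain signal rather than a packaging mistake.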
