from UnLocoPoco@lemmy.world to programming@programming.dev on 13 Jul 19:19
https://lemmy.world/post/49401455
cross-posted from: lemmy.world/post/49397080
The official jscrambler npm package was compromised in v8.14.0, where a malicious preinstall lifecycle hook executed a Rust-based infostealer as soon as npm install was run. Because the payload ran during installation, both developer workstations and CI/CD runners that installed the affected release should be treated as potentially compromised. The malware targeted developer secrets, including SSH keys, Git credentials, browser data, cryptocurrency wallets, and other locally stored tokens. According to the vendor, v8.22.0 is the first malware-free release. If you installed v8.14.0, it’s recommended to upgrade immediately, review affected systems, and rotate any credentials that may have been exposed
#programming
threaded - newest