Re: [cdt-cloud-dev] compromised popular npm packages
  • From: Bernd Hufmann <bernd.hufmann@xxxxxxxxxxxx>
  • Date: Thu, 24 Jul 2025 18:08:52 +0000

Hi Jonah,

Thanks for the information. What also worries me is that dependabot created a PR to upgrade. Usually, dependabot does that based on some reported security alert. Do you have any idea how dependabot was triggered and for what alert?

BR
Bernd

From: cdt-cloud-dev <cdt-cloud-dev-bounces@xxxxxxxxxxx> on behalf of Jonah Graham via cdt-cloud-dev <cdt-cloud-dev@xxxxxxxxxxx>
Sent: July 24, 2025 1:14 PM
To: CDT Cloud development <cdt-cloud-dev@xxxxxxxxxxx>
Cc: Jonah Graham <jonah@xxxxxxxxxxxxxxxx>
Subject: [cdt-cloud-dev] compromised popular npm packages
 
Hi folks,

Have a look at https://socket.dev/blog/npm-is-package-hijacked-in-expanding-supply-chain-attack - a bunch of very common packages in npm have been compromised.

The cdt-gdb-adapter's yarn.lock refers to one of them, but fortunately was never updated to a version that was compromised. However, if you did a local yarn upgrade you may have picked up a compromised version locally; you may also have other non-open source projects that are affected, so this message is an FYI for my entire cdt cloud community of npm consumers.

Finally, be careful to not blindly apply dependabot PRs. dependabot created a bunch of PRs to the compromised version (such as this one) - this time there were clues that the new versions were suspect because there were no commits or changelog entries for the compromised versions, but it can be hard to tell in the future what is compromised.

Best regards,
Jonah


~~~
Jonah Graham (he/him)
Kichwa Coders
www.kichwacoders.com
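The lockfile check Jonah describes (confirming that yarn.lock never resolved to a compromised version) can be scripted. The following is an added example, not code from the thread or from cdt-gdb-adapter; it parses the yarn.lock v1 format and compares resolved versions against an advisory map. The package names and versions in the embedded sample are constructed placeholders, not the real compromised versions from the linked advisory.

```javascript
// Added example: scan a yarn.lock (v1 format) for name/version pairs named in a
// supply-chain advisory. Sample data below is constructed, not real advisory data.

// Parse yarn.lock v1 into [{ name, version }] entries.
function parseYarnLock(text) {
  const entries = [];
  let names = null; // package names of the entry currently being read
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      // Entry header: comma-separated "name@range" keys, each optionally quoted.
      names = new Set(
        line.slice(0, -1).split(',').map((key) => {
          const k = key.trim().replace(/^"|"$/g, '');
          return k.slice(0, k.lastIndexOf('@')); // keeps scoped names like @scope/pkg
        })
      );
      continue;
    }
    const m = /^\s+version\s+"?([^"]+)"?\s*$/.exec(line);
    if (m && names) {
      for (const name of names) entries.push({ name, version: m[1] });
      names = null;
    }
  }
  return entries;
}

// Return lockfile entries whose exact name/version pair appears in the advisory.
function findCompromised(lockText, advisory) {
  return parseYarnLock(lockText).filter(
    (e) => (advisory[e.name] || []).includes(e.version)
  );
}

// Constructed sample lockfile and advisory map (placeholder versions only).
const SAMPLE_LOCK = `# yarn lockfile v1

"is@^3.0.0", is@^3.3.0:
  version "3.3.0"
  resolved "https://registry.yarnpkg.com/is/-/is-3.3.0.tgz"

"@scope/widget@^1.2.0":
  version "1.2.5"
`;
const SAMPLE_ADVISORY = { is: ['9.9.9'], '@scope/widget': ['1.2.5'] };
```

Run `findCompromised(SAMPLE_LOCK, SAMPLE_ADVISORY)` against a real lockfile and the advisory's published name/version pairs; a non-empty result means the lockfile, not just a local `yarn upgrade`, pinned a flagged version.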
