Re: [cdt-cloud-dev] compromised popular npm packages
  • From: Jens Reinecke <Jens.Reinecke@xxxxxxx>
  • Date: Thu, 24 Jul 2025 18:18:38 +0000
  • Delivered-to: cdt-cloud-dev@xxxxxxxxxxx
  • List-archive: <https://www.eclipse.org/mailman/private/cdt-cloud-dev/>
  • List-help: <mailto:cdt-cloud-dev-request@eclipse.org?subject=help>
  • List-subscribe: <https://www.eclipse.org/mailman/listinfo/cdt-cloud-dev>, <mailto:cdt-cloud-dev-request@eclipse.org?subject=subscribe>
  • List-unsubscribe: <https://www.eclipse.org/mailman/options/cdt-cloud-dev>, <mailto:cdt-cloud-dev-request@eclipse.org?subject=unsubscribe>

Hi Bernd,

You can configure dependabot for security updates and/or regular version updates.

https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates

I suspect it is the latter which triggered this for affected repos.

Cheers,

Jens

From: cdt-cloud-dev <cdt-cloud-dev-bounces@xxxxxxxxxxx> On Behalf Of Bernd Hufmann via cdt-cloud-dev
Sent: 24 July 2025 20:09
To: CDT Cloud development <cdt-cloud-dev@xxxxxxxxxxx>
Cc: Bernd Hufmann <bernd.hufmann@xxxxxxxxxxxx>
Subject: Re: [cdt-cloud-dev] compromised popular npm packages

Hi Jonah,

Thanks for the information. What also worries me is that dependabot created a PR to upgrade. Usually, dependabot does that based on some reported security alert. Do you have any idea how dependabot was triggered and for what alert?

BR

Bernd


From: cdt-cloud-dev <cdt-cloud-dev-bounces@xxxxxxxxxxx> on behalf of Jonah Graham via cdt-cloud-dev <cdt-cloud-dev@xxxxxxxxxxx>
Sent: July 24, 2025 1:14 PM
To: CDT Cloud development <cdt-cloud-dev@xxxxxxxxxxx>
Cc: Jonah Graham <jonah@xxxxxxxxxxxxxxxx>
Subject: [cdt-cloud-dev] compromised popular npm packages

Hi folks,

Have a look at https://socket.dev/blog/npm-is-package-hijacked-in-expanding-supply-chain-attack - a bunch of very common packages in npm have been compromised.

The cdt-gdb-adapter's yarn.lock refers to one of them, but fortunately was never updated to a version that was compromised. However, if you did a local yarn upgrade you may have picked up a compromised version locally. You may also have other non-open source projects that are affected, so this message is an FYI for my entire cdt cloud community of npm consumers.

Finally, be careful to not blindly apply dependabot PRs. dependabot created a bunch of PRs to the compromised version (such as this one) - this time there were clues that the new versions were suspect because there were no commits or changelog entries for the compromised versions, but it can be hard to tell in the future what is compromised.

Best regards,

Jonah

~~~
Jonah Graham (he/him)
Kichwa Coders
www.kichwacoders.com

