Re: [cdt-cloud-dev] compromised popular npm packages
  • From: Bernd Hufmann <bernd.hufmann@xxxxxxxxxxxx>
  • Date: Thu, 24 Jul 2025 19:02:04 +0000

Thanks. Makes sense.

The tracing-related repos in the cdt-cloud project only get security updates. So, we didn't receive those updates.

Bernd

From: cdt-cloud-dev <cdt-cloud-dev-bounces@xxxxxxxxxxx> on behalf of Jens Reinecke via cdt-cloud-dev <cdt-cloud-dev@xxxxxxxxxxx>
Sent: July 24, 2025 2:18 PM
To: CDT Cloud development <cdt-cloud-dev@xxxxxxxxxxx>
Cc: Jens Reinecke <Jens.Reinecke@xxxxxxx>
Subject: Re: [cdt-cloud-dev] compromised popular npm packages

Hi Bernd,

You can configure dependabot for security updates and/or regular version updates.

https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates

I suspect it is the latter which triggered this for affected repos.

Cheers,

Jens


From: cdt-cloud-dev <cdt-cloud-dev-bounces@xxxxxxxxxxx> On Behalf Of Bernd Hufmann via cdt-cloud-dev
Sent: 24 July 2025 20:09
To: CDT Cloud development <cdt-cloud-dev@xxxxxxxxxxx>
Cc: Bernd Hufmann <bernd.hufmann@xxxxxxxxxxxx>
Subject: Re: [cdt-cloud-dev] compromised popular npm packages


Hi Jonah,

Thanks for the information. What also worries me is that dependabot created a PR to upgrade. Usually, dependabot does that based on some reported security alert. Do you have any idea how dependabot was triggered and for what alert?

BR

Bernd


From: cdt-cloud-dev <cdt-cloud-dev-bounces@xxxxxxxxxxx> on behalf of Jonah Graham via cdt-cloud-dev <cdt-cloud-dev@xxxxxxxxxxx>
Sent: July 24, 2025 1:14 PM
To: CDT Cloud development <cdt-cloud-dev@xxxxxxxxxxx>
Cc: Jonah Graham <jonah@xxxxxxxxxxxxxxxx>
Subject: [cdt-cloud-dev] compromised popular npm packages


Hi folks,

Have a look at https://socket.dev/blog/npm-is-package-hijacked-in-expanding-supply-chain-attack - a bunch of very common packages in npm have been compromised.

The cdt-gdb-adapter's yarn.lock refers to one of them, but fortunately was never updated to a version that was compromised. However, if you did a local yarn upgrade, you may have picked up a compromised version locally. You may also have other non-open-source projects that are affected, so this message is an FYI for my entire cdt cloud community of npm consumers.

Finally, be careful not to blindly apply dependabot PRs. dependabot created a bunch of PRs to the compromised version (such as this one) - this time there were clues that the new versions were suspect because there were no commits or changelog entries for the compromised versions, but it can be hard to tell in the future what is compromised.

Best regards,

Jonah


~~~
Jonah Graham (he/him)
Kichwa Coders
www.kichwacoders.com

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
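The thread above advises checking whether a yarn.lock (or a local `yarn upgrade`) pulled in a compromised version of one of the hijacked packages. The following Node.js script is an added example, not part of the thread and not the cdt-gdb-adapter's own tooling: it parses a yarn.lock v1 file into package name to resolved versions and flags any resolved version that appears on a denylist. The embedded lockfile text, the registry hostname and the denylist entry for `is` are constructed placeholders; the real compromised versions are not reproduced here and would have to be taken from the linked Socket advisory.

```javascript
// Added example (not from the original thread): audit a yarn.lock v1 file
// against a denylist of package versions.
// The lockfile text and the denylist below are CONSTRUCTED placeholders.

// Parse yarn.lock v1 text into a Map: package name -> Set of resolved versions.
// Entry headers look like:   is@^3.3.0, is@^3.2.1:
// or, for scoped packages:   "@scope/pkg@^1.0.0":
function parseYarnLockV1(text) {
  const result = new Map();
  let currentNames = null;
  for (const rawLine of text.split("\n")) {
    const line = rawLine.replace(/\r$/, "");
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      // Entry header: one or more "name@range" specs separated by commas.
      currentNames = line.slice(0, -1).split(",").map((s) => {
        const spec = s.trim().replace(/^"|"$/g, "");
        // The package name is everything before the last "@"; a leading "@"
        // belongs to a scoped package name, so only an "@" at index > 0 splits.
        const at = spec.lastIndexOf("@");
        return at > 0 ? spec.slice(0, at) : spec;
      });
      continue;
    }
    // Indented "version" line inside an entry.
    const m = line.match(/^\s+version\s+"?([^"\s]+)"?\s*$/);
    if (m && currentNames) {
      for (const name of currentNames) {
        if (!result.has(name)) result.set(name, new Set());
        result.get(name).add(m[1]);
      }
    }
  }
  return result;
}

// Return [{name, version}] for every resolved version found on the denylist.
function findDenylistedVersions(lockMap, denylist) {
  const hits = [];
  for (const [name, versions] of lockMap) {
    const bad = denylist[name];
    if (!bad) continue;
    for (const v of versions) {
      if (bad.includes(v)) hits.push({ name, version: v });
    }
  }
  hits.sort((a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version));
  return hits;
}

// Constructed sample lockfile (hostname and integrity values are placeholders).
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@scope/pkg@^1.0.0":
  version "1.0.2"
  resolved "https://registry.example.invalid/@scope/pkg/-/pkg-1.0.2.tgz"
  integrity sha512-PLACEHOLDER

is@^3.3.0, is@^3.2.1:
  version "3.3.0"
  resolved "https://registry.example.invalid/is/-/is-3.3.0.tgz"
  integrity sha512-PLACEHOLDER

is@^9.0.0:
  version "9.9.9"
  resolved "https://registry.example.invalid/is/-/is-9.9.9.tgz"
  integrity sha512-PLACEHOLDER
`;

// Constructed denylist: "9.9.9" is a placeholder, not a real compromised version.
// In practice, populate this from the advisory for each affected package.
const CONSTRUCTED_DENYLIST = { is: ["9.9.9"] };

// Run the audit on the embedded sample and return the hits.
function auditSample() {
  return findDenylistedVersions(parseYarnLockV1(SAMPLE_YARN_LOCK), CONSTRUCTED_DENYLIST);
}

console.log(JSON.stringify(auditSample(), null, 2));
```

To audit a real project, read the lockfile with `fs.readFileSync("yarn.lock", "utf8")` instead of the embedded sample and fill the denylist from the advisory. A lockfile that pins only clean versions does not clear a developer machine on which `yarn upgrade` was run without committing the result, so the same check is worth running against the local `node_modules` (for example by reading each package's `package.json` version) or by regenerating the lockfile and diffing it.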
