Malicious Package in chak

2020-09-02T20:22:34
ID GHSA-9Q9M-M2F6-JR5Q
Type github
Reporter GitHub Advisory Database
Modified 2020-09-02T20:22:34

Description

All versions of chak typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise.

Recommendation

Remove the package from your dependencies and always ensure package names are typed correctly upon installation.