Malicious Package in requset

2020-09-02T21:14:17
ID GHSA-W7WG-24G3-2C78
Type github
Reporter GitHub Advisory Database
Modified 2020-09-02T21:14:18

Description

All versions of requset typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise.

Recommendation

Remove the package from your dependencies and always ensure package names are typed correctly upon installation.